SSL POP3 and SMTP email



AGCSS_Automotive
01-15-2007, 12:08 PM
What are the port numbers to use with secure POP3 and SMTP?

Early Out
01-15-2007, 02:14 PM
Last time I checked, SSL was not supported for POP email on BH, so it's 110 for incoming, and 25 or 26 for outgoing.

Edit - let me revise that. You can enable SSL and use ports 995 for incoming, 465 for outgoing, but an email client like Outlook will complain about it, because it can't verify the security certificate. That's because the name on the certificate doesn't match the name of your mail server (like mail.yourdomain.com). You can say "yeah, go ahead and use this server," but Outlook will complain about it every time you launch it.

AGCSS_Automotive
01-15-2007, 04:22 PM
I just found this


A "self-signed" certificate (i.e. not signed by anyone else) or signed by a "non trusted" Certification Authority should also work (tested with MS Outlook 2000 and MS Outlook Express). In such case the behaviour of an Outlook 2000 client is to popup a message box saying: "The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Do you want to continue using this server?". If the answer is yes further requests to the server will be automatically accepted until the client is restarted, in which case the server will become untrusted again. To have the server become permanently trusted by the client, the certificate must be exported from the server java keystore by the administrator and imported into the Windows certificate store of the client by the end user. If the keypair is shared with an HTTP server, an HTTPS request from Internet Explorer by the end user on the client will allow for storing the certificate in the Windows certificate store of the client.


Any idea if I can get the certificate from my control panel??

Early Out
01-15-2007, 05:10 PM
I've never stumbled on a way to do that, and I suspect that this is one of those things that would be horrendously difficult to explain to the support folks ("You want what, now?"). But they're probably the only ones who could help.

I just figure that anyone who wants to intercept and read my boring emails badly enough to go to the trouble of doing it, is welcome to them. ;)

KenJackson
01-15-2007, 05:28 PM
For webmail, I find that if I use the bluehost name instead of my domain name, I get no grief. That is, I use this URL:
https://box117.bluehost.com/webmail/.

I haven't gotten around to trying it with POP, but I wonder if we could do the same and therefore avoid popup warnings.

Of course, if you have users that might be confused, that would be another problem.

Early Out
01-15-2007, 06:47 PM
That doesn't work with POP email - using box117.bluehost.com as the server name gives the same "complaint" message from Outlook.

pDoGG
03-14-2007, 04:30 PM
Hi all - have been complaining to support about this issue. Asked them to elevate it to someone higher. Here's what I got back:

"I have had an admin review this, and unfortunately, we will be unable to make a change to the way we do ssl certs on our servers. I do apologize for the inconvenience."

In my mind, still not acceptable. Other hosting services provide this correctly without hassle. I don't get it. Another message I received (earlier) says there needs to be enough complaints/customer concerns to do something about it.

I'm quite ticked that I can't set up port 993 without that stupid Outlook message coming up. I don't want to revert to clear-text, as that's just plain dumb in the year 2007. All due to their SSL cert not being properly registered....

I'd recommend everyone else complain to support. Looks like nothing will change as of now. I'd hate to have to move away from Bluehost over something trivial, but if another provider can offer the same, I'd be tempted if Bluehost doesn't want to pursue items like this. The way I see it, this should be STANDARD. I've liked support to this point, but it's like they just give up on this issue.

flickerfly
10-18-2007, 11:31 AM
I've had the runaround on this issue. It is resolvable if you have IE6, but as most of you probably upgraded to IE7 by now, you're out of luck along with me. In IE6 you can direct your browser to https://box#.bluehost.com:995/ to pick up the root cert. For some reason IE7 doesn't allow this even if you ignore the security warning.

As I understand it, Bluehost could export the cert and hand it out. This would allow us to be able to get past this problem. I figure it to be a rather significant issue because I have no way of guaranteeing against a man-in-the-middle attack.

I complained a few times to support and have sent Matt Heaton (CEO) a message explaining the problem in hopes that it would catch his attention and be resolved.

If you are really adventurous and have access to an IE6 machine, I understand that you can install the cert on that machine, export it from that one and import it onto an IE6 machine. I can't think of a place I could get access to IE6 though.

If it's been a few months, it might be worth complaining again, because they seem to think that the problem is resolved (sometimes) and other times that it can not be resolved at all.

felgall
10-18-2007, 12:20 PM
If you install a security certificate into your email program and get the people you want to communicate with to do the same then you can send and receive encrypted emails over the 110 and 25/26 ports without anyone other than the intended recipient being able to read it. If the person on the other end doesn't have a certificate installed then you can still send signed emails that confirm they came from you.

flickerfly
10-18-2007, 07:06 PM
Thanks for trying, but I'm not talking about the sort of thing PGP or GPG is designed to do. I'm not trying to encrypt individual emails. I'm trying to encrypt the communication from the email server to me and assure that the email server in question is the one I want, and not someone handling a man-in-the-middle attack. PGP would only protect the messages that are encrypted in that instance, but not the stream and it gives me no confidence in the server, therefore my password could be gathered. Plus PGP is no good if the person on the other end can't figure out how to use it and that's often enough to make it largely useless.

Edit:
Matt Heaton got back to me real quick and seemed to get a response out of somebody. He responded coherently mentioning that IE7 is annoying when it comes to certificates. I certainly agree. The tech reply sent me back to this page again: http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=451. This only works with IE6, like I mentioned above.

pengyou
10-18-2007, 11:44 PM
I just installed Tbird on my computer to handle email. I ran into a glitch and called tech support 3 times. On all three instances they said that BH did not support SSL. Two of them at first said they did, but as we worked through the issue I was calling them about they checked with someone else who told me that they did not.

v72xyg
03-02-2008, 04:53 PM
I just signed up with Bluehost a few days ago, *specifically because they supported secure email*, and I am quite surprised and unhappy to run into this same issue. March 2008 now, over a year after this thread was started.

Make no mistake, Bluehost IS advertising that they support secure email. Go to the Bluehost home page at www.bluehost.com. Click "hosting features" in the upper left corner. The 6th thing on the list is "POP 3/POP 3 Secure Email Support" and item #7 is "IMAP/Secure IMAP Email Support."

I had the same symptoms as reported in this thread, the warning message in Outlook 2003 when first starting it and doing a receive of any of the Bluehost secure (port 995 and 465 of course) email accounts. I composed a support ticket complaint for Bluehost tech support and ran into the same knowledge base article mentioned in this thread about browsing to https://boxZZZ.bluehost.com. I did that and ran into the same problem reported in this thread about using IE 7 (which I now have, no IE6 around anywhere).

I guessed the problem was IE7 and this thread confirms it. I also guessed that the real solution was importing a proper certificate, since that seems to be the mechanism now supported in IE 7 upon searching through the option menus.

I just barely sent off the complaint ticket to tech support before I found this thread. I hope that I have a better tech support experience than reported in this thread so far.

So... here is the score, as I see it:

1. Many of us signed up for Bluehost in part - or all - for the secure email that is currently being advertised on their website.

2. The problem still exists and has been compounded by the move to IE7. There was apparently a workaround cert install possible in IE6 that isn't possible anymore in IE 7.

3. What is needed is for Bluehost to supply an exported certificate. This shouldn't be rocket science. Someone at Bluehost needs to step up and take responsibility for getting the problem fixed, OR removing all mention of supporting secure email from their website and start refunding a lot of account money, starting with mine.:)

I'll post what happens with tech support and if they are able to provide a solution.

haunt
03-10-2008, 07:16 PM
Last November, I received the following from tech support:


This is because you are using a Shared Certificate, it is fully secure, but it says the box's name instead of your domain name. This causes this warning to come up. If you would like your own SSL cert, we can provide one to you for $45 a year. This also requires a Dedicated IP which is $30 a year, prorated to your account.


I'm hesitant to drop another $75/year on something that really should be included.

banditsc
04-03-2008, 04:04 PM
So I'm guessing Bluehost hasn't fixed this issue yet? They appear to still be advertising that secure POP is an included feature, so I guess that is a lie. If they aren't going to support it then they should remove it from their features list, this is obviously false advertising.

felgall
04-03-2008, 04:09 PM
They do offer secure email so it isn't a lie. They offer it using their default security certificate unless you have purchased your own dedicated one. If the email program you choose to use can't be set to accept that the name on the certificate is different from your domain then that is a problem with your email program, not with the offered secure email.

banditsc
04-03-2008, 07:02 PM
Technically I guess it's not. But the service only works on a small number of desktop email clients and not the clients used by the majority of the world. So I would think that would be something they would want to fix, and if not, make note that it doesn't work with most clients.

felgall
04-03-2008, 08:25 PM
There are dozens if not hundreds of possible email clients. How many doesn't it work with? Well I have only heard of two that fall into that category and then only under some circumstances. There could be a few more but those that don't work are definitely in a minority when it comes to the total number of email clients.

banditsc
04-04-2008, 04:44 AM
Do you really think the Outlook and Outlook Express clients fall under the minority?

felgall
04-04-2008, 01:12 PM
Do you really think the Outlook and Outlook Express clients fall under the minority?

Well 2 out of hundreds certainly is a minority as far as the maths I learned at school tells me. I wasn't commenting on what percentage of people use email programs that don't function correctly in making the statement. If you want the problems fixed then the two most obvious actions are to either complain to Microsoft so that they fix the errors in their program or alternatively switch to using a program that doesn't contain the errors.

banditsc
04-04-2008, 01:24 PM
I would venture to guess at least 50% of the desktop Mail clients in use are some form of Outlook. So it's not the minority here. And giving the same sad excuse of have Microsoft fix it, should never be uttered by a vendor. The error that MS is reporting is valid, it is pointing out a potential security hole. So you are suggesting call MS and ask them to make my email client less secure? I hope you being a moderator are not a real example of the Bluehost staff. The facts are they advertise something, it doesn't work with the email clients the majority of users use and there is no real fix to the issue. So they either need to stop advertising, add a disclaimer, or provide a fix.

lnxwalt
04-04-2008, 01:42 PM
I would venture to guess at least 50% of the desktop Mail clients in use are some form of Outlook. So it's not the minority here. And giving the same sad excuse of have Microsoft fix it, should never be uttered by a vendor. The error that MS is reporting is valid, it is pointing out a potential security hole. So you are suggesting call MS and ask them to make my email client less secure? I hope you being a moderator are not a real example of the Bluehost staff. The facts are they advertise something, it doesn't work with the email clients the majority of users use and there is no real fix to the issue. So they either need to stop advertising, add a disclaimer, or provide a fix.

I'm not familiar with how it works with IE7, because at home we use Thunderbird or Claws-Mail. With IE6, you click 'view certificate' and then 'import certificate'. A few clicks later, you are back at the 'should we accept the certificate' screen. Click yes.

This solves the 'self-signed certificate' problem, but may not entirely stop the 'certificate belongs to another domain' problem.

For Thunderbird users, there is an extension on the Mozilla site that gives you the option to accept a cert from now on without complaining. This one works with both self-signed and wrong server name problems. Just be careful that you really want a cert for exampledomain1.com to be acceptable for exampledomain2.com before you use it.

So far, I have not found an equivalent for Evolution Mail.

Also, on the 'read before posting' forum, it tells us that moderators are not BH employees and don't speak for the company.

haunt
05-01-2008, 06:09 AM
I opened another ticket with bluehost support, and they guided me through the process of obtaining the certificates and installing them. :D

I use outlook 2003 / winXP / IE7.

In short, you need to set your incoming / outgoing servers to use box#.bluehost.com (where # is the number of your bluehost as seen in the cpanel). You then use IE7 to access and install the certificates.

Good graphical process here (http://www.diversicomcorp.com/guides/Installing%20a%20SSL%20Certificate%20in%20IE7%20WEB.pdf)

I couldn't get the certificate for port 995 in this manner, but bluehost support was able to get that to me manually.

Bluehost's more comprehensive response to my ticket:


You will get errors showing the cert is not trusted until you install the certificate to your computer by following these instructions:

Before we get started, please check that you are using box#.bluehost.com (where # is the number of your bluehost as seen in the cpanel) for both the incoming and outgoing mail servers. Also be sure to check that the ports you are using in your settings are correct per the protocol you are using. We will be using those numbers in the following steps.

SSL IMAP = 993
SSL POP3 = 995
SSL SMTP = 465

-Open up Internet Explorer (yes unfortunately this can only be done in IE to our knowledge)
-If you are using Vista, you must right click on IE and run as administrator.
-Go to the URL https://box#.bluehost.com:993 (or if you are using POP3, use 995). Don't forget to replace # with your server number.
-If you are using Vista/IE7, you will have to click on "continue to this website...."
-With the alert box that pops up, click on view certificate. If it does not automatically pop up, double click the keylock in the lower right hand corner of your browser.
-If you are using IE7, it doesn't pop up. Instead it shows a red box to the right of the address bar. Click on that and click view certificate.
-Next click on "install certificate"
-Click next on "the certificate import wizard" window
-Choose the option "Place all certificates in the following store"
-Click browse and choose "Trusted Root Certification Authorities"
-Click OK.
-Click next.
-Click Finish.
-Click OK and Yes for any errors you may get.

Now repeat the process for the other port using
https://box#.bluehost.com:465 (Don't forget to replace # with your server number)

Early Out
05-01-2008, 07:03 AM
Persistence pays off! Thanks for sharing this - the question comes up at least once a month. :)

wpward
10-09-2008, 05:33 PM
The post above was very helpful but I thought I'd post a little more info for those that may be searching for help on this like I was for getting it set up with a dedicated IP and SSL cert.

I was using mail.domainname.ext as my servers, POP3, and ports 995 and 465. I downloaded the certificate for port 465 as described above, but when trying to go to port 995 in IE7, it seemed to hang. So I sent a ticket to support. In the time it took me to type that up and send it, it had FINALLY loaded enough to be able to install the certificate.

Great, so now I have the certificates installed. I have a dedicated IP address and SSL certificate so figured I was good to go, yet still received the warning message when connecting via Outlook 2007 (or Outlook Express). What the heck? I figured a certificate was for my domain, and using the mail.domainname.ext for the servers should match that, right? Apparently not. I had to change my servers to the box###.bluehost.com, and NOW I get no more warnings.

So just to recap: 1) to get the certificate for port 995, you need to let the web page load a LONG time in IE7, and 2) you need to still use box###.bluehost.com as your servers, despite having a dedicated IP and SSL cert.

Early Out
10-09-2008, 11:17 PM
I had to change my servers to the box###.bluehost.com, and NOW I get no more warnings.

The trick is to remember that your email won't work at all if BH moves you to another server. I can just imagine the head-scratching while your brain slowly remembers that you had to hard-code the box number into your mail server settings! :D
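
Added example (not part of any post in this thread, and not Bluehost's or Outlook's code): lnxwalt's and wpward's posts describe two separate checks, whether the certificate chains to something the client trusts and whether its name matches the configured server. The sketch below models both with constructed data; the `Cert` record, the `fp-box117` fingerprint string and the assumption that the shared certificate is self-signed for `box117.bluehost.com` are illustrative, and the wildcard rule goes slightly beyond what the thread covers.

```python
# Added illustration: models the two independent checks a mail client makes.
# All certificate data is constructed; box117.bluehost.com is the example
# host named earlier in the thread. Trust is simplified to a fingerprint set.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    fingerprint: str          # stands in for the certificate's hash
    names: tuple              # DNS names the certificate was issued for
    issuer_fingerprint: str   # equals fingerprint when self-signed


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole
    left-most label, and it covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def warnings_for(configured_server: str, cert: Cert, trust_store: set) -> list:
    """Return the warnings a verifying client would raise, in order."""
    out = []
    # Check 1: does the chain end in something the client trusts?
    if cert.issuer_fingerprint not in trust_store:
        out.append("untrusted-root")
    # Check 2: was the certificate issued for the name the user typed?
    if not any(name_matches(n, configured_server) for n in cert.names):
        out.append("name-mismatch")
    return out


# Assumption: the shared certificate is self-signed and names only the box.
BOX_CERT = Cert("fp-box117", ("box117.bluehost.com",), "fp-box117")


def thread_scenarios() -> dict:
    empty, imported = set(), {"fp-box117"}
    return {
        "own domain, nothing imported": warnings_for("mail.yourdomain.com", BOX_CERT, empty),
        "box name, nothing imported": warnings_for("box117.bluehost.com", BOX_CERT, empty),
        "own domain, cert imported": warnings_for("mail.yourdomain.com", BOX_CERT, imported),
        "box name, cert imported": warnings_for("box117.bluehost.com", BOX_CERT, imported),
    }


if __name__ == "__main__":
    for case, result in thread_scenarios().items():
        print(f"{case:30} -> {result or 'no warning'}")
```

Importing the certificate clears only the first check; the name check still fails until the configured server is a name the certificate actually carries.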