Send/Receive NFN eMail Remotely and Securely

Send/Receive NFN email securely using any Internet ISP connection

The NFN email server provides two important email capabilities: Authenticated SMTP service, to send email when using non-NFN Internet connections, and Transport Layer Security (TLS) / Simple Authentication and Security Layer (SASL), to encrypt the email you send and receive.

Authenticated SMTP:
The Authenticated SMTP service allows users of @naples.net email accounts to use the NFN outgoing email server from any location in the world. Previously you had to use the outgoing email server associated with the network you were connecting with. This meant that persons traveling with a laptop had to reconfigure their email client each time they switched locations.

The NFN email server is configured not to relay unauthenticated email, and it will continue to do so. This means unauthenticated email that originates offsite cannot be directly delivered offsite. With Authenticated SMTP, any NFN user who wants or needs to relay email using mail.naples.net as their SMTP server can now do so by setting their email program to use their username/password for authentication to the NFN SMTP email server. In short, if you set your email client program to use “Authenticated SMTP”, there is no need to change your SMTP setting from “mail.naples.net” to the SMTP setting of the particular ISP you happen to be using.

NOTE: Initially, your use of this service will be rate limited, i.e., you will be limited to sending 5 emails in a 30 second time period. Once your mail client source IP has had one successful SASL login, your IP will be added within a few minutes as exempt from rate limiting, and there should be no subsequent rate limit on future emails sent from that same originating IP number. Your originating IP will be flushed from the automatic rate limiting exemption list if there is no use of this NFN mail service for the following 30 days.

Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL):
Without Transport Layer Security (TLS) and/or SASL availability, all normal emails are unencrypted and travel across the Internet from your machine to the mail server as plain text, with all content and authorization passwords potentially viewable by network snooping. The enhanced TLS and SASL encryption process now available with the NFN email server prevents any possibility of anyone snooping your email as it makes its way between the NFN mail server and your PC/Mac. This is especially important when you are sending/receiving email and are not directly dialed in, but using some other Internet connection, such as cable, DSL, wireless hot spot, hotel, coffee shop, or another ISP. Outside of a dial-in connection, there are no guarantees about who may be able to view the passing traffic, and without encryption, your email content and your email account login (i.e., your NFN Account username/password) are sent in clear text.

Almost all modern email clients have the capability to use these two important email features.  What follows is a step by step on how to set up these features in Outlook Express and other common email client programs, such as Eudora, Thunderbird, etc.

If you are running add-on firewall/anti-virus software that inspects your outgoing mail, it may have a negative effect on your ability to use TLS encryption. This problem has been seen with Norton and is not the fault of your Windows operating system, your NFN Account, or the NFN mail server. Properly configuring Norton will normally resolve the problem. Users should consult their Norton documentation or contact Norton at their web site for additional help.

Below are the procedures to make Outlook Express able to use these two features.  Procedures for other email clients involve finding the same settings and changing as indicated.

Authenticated SMTP using Windows Outlook Express – To send email from your computer when you are connecting to the Internet via another ISP on Outlook Express (Windows 2000 exception–read below):

  1. Open Outlook Express.
  2. Click on Tools, then Accounts.
  3. Click on the Mail tab.
  4. Select the Outlook Express Mail Account that you wish to modify.
  5. Click on Properties.
  6. Click on the Servers tab.
  7. Make sure that the Incoming mail (POP3) box contains the correct server name, for NFN users it will be mail.naples.net
  8. Make sure that the Outgoing mail (SMTP) box contains the correct server name, for NFN users it will be mail.naples.net
  9. Make sure that the “My server requires authentication” check box is checked. Do not check the “Log on using Secure Password Authentication” box. This is not used and is redundant, since your email program will already be encrypting everything, including your NFN username and password, if you do the TLS/SASL steps in the next section.
  10. On the Advanced tab, since some ISPs may not allow SMTP mail traffic to pass through on port 25, it is best to change the “Outgoing mail (SMTP)” port box from 25 to 587 for trouble-free access to the NFN mail server. PLEASE NOTE: Outlook Express on Windows 2000 will not work on any port other than 25! THIS IS A BUG (RESTRICTION) IN OUTLOOK EXPRESS. READ THE NOTES BELOW.
  11. Click OK to save the changes you just made. You should now be able to send and receive your NFN email from anywhere and from any Internet connection you might be using.


Transport Layer Security (TLS) and SASL using Windows Outlook Express – To send/receive Outlook Express email securely, turn on your Outgoing/Incoming mail server SSL setting.  The NFN mail server will then securely encrypt all your outgoing and/or incoming email transmissions between your computer and the NFN mail server.

  1. Open Outlook Express.
  2. Click on Tools, then Accounts.
  3. Click on the Mail tab.
  4. Select the Outlook Express Mail Account that you wish to modify.
  5. Click on Properties.
  6. Click on the Advanced tab.
  7. Under the Outgoing mail (SMTP) section, check the box “This server requires a secure connection (SSL)”. Since some ISPs may not allow SMTP traffic to pass through on port 25, it is best to change the “Outgoing mail (SMTP)” port box from 25 to 587 for trouble-free access to the NFN mail server. To have your downloading email also encrypted (SASL) as it goes across the Internet, change the POP3 number from “110” to “995” AND check the box “This server requires a secure connection (SSL)” under that POP3 section.
  8. During the actual transmission and reception of your email, you will see the lock icon briefly appear down in the bottom right corner of Outlook Express, indicating a secure connection is being used.
  9. If you want to check that you are indeed using an encrypted connection when sending, send yourself an email and then look for a line in the header of the received email for something like:

using TLSv1 with cipher RC4-MD5 (256/256 bits)
(No client certificate requested)
(Authenticated sender: yourNFNusername)
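
The header check in step 9 can be automated. The following is an added example, not part of the original NFN instructions: it reads the Received headers of a saved message, reports the TLS protocol and cipher recorded for each hop, and flags deprecated choices. The sample message, its hosts, IP address and ids are constructed, and the comment format is assumed to match the lines shown above.

```python
import re
from email import message_from_string

# TLS comment as shown above: "(using TLSv1 with cipher RC4-MD5 (256/256 bits))"
TLS_RE = re.compile(r"using (?P<proto>(?:TLS|SSL)v[\d.]+) with cipher "
                    r"(?P<cipher>[\w-]+) \(\d+/\d+ bits\)")
AUTH_RE = re.compile(r"Authenticated sender: (?P<user>[^)\s]+)")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
WEAK_CIPHER_PARTS = ("RC4", "MD5", "DES", "NULL", "EXP")

# Constructed sample message (hosts, IP and ids are made up for this example).
SAMPLE = """\
Received: from mail.naples.net (localhost [127.0.0.1])
\tby mail.naples.net with ESMTP id CONSTRUCTED2
Received: from laptop.example (unknown [203.0.113.7])
\t(using TLSv1 with cipher RC4-MD5 (256/256 bits))
\t(No client certificate requested)
\t(Authenticated sender: yourNFNusername)
\tby mail.naples.net with ESMTPSA id CONSTRUCTED1
Subject: test

body
"""

def audit_received(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())        # unfold continuation lines
        tls, auth = TLS_RE.search(text), AUTH_RE.search(text)
        hop = {"encrypted": bool(tls), "protocol": None, "cipher": None,
               "sender": auth.group("user") if auth else None, "warnings": []}
        if tls:
            hop["protocol"], hop["cipher"] = tls.group("proto"), tls.group("cipher")
            if hop["protocol"] in WEAK_PROTOCOLS:
                hop["warnings"].append("deprecated protocol " + hop["protocol"])
            if any(p in hop["cipher"].upper() for p in WEAK_CIPHER_PARTS):
                hop["warnings"].append("weak cipher " + hop["cipher"])
        else:
            hop["warnings"].append("no TLS recorded for this hop")
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop)
```

The hop to look at is the one carrying your own "Authenticated sender" line; internal hops on the mail server itself may legitimately record no TLS.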


Well-known Outlook and Outlook Express errors and bugs:

To encrypt the communication to the mail server, Outlook Express, Outlook 2000, Outlook XP and Outlook 2003 use the outdated and not recommended encryption algorithm RC4.

Conclusion: This might be another reason to use programs like Thunderbird to read mail. This program uses the newer encryption algorithm AES256.

Sending email with SMTP and STARTTLS to Port 587

Outlook 2000, Outlook Express 6

Some have experienced that both programs cannot send emails using SMTP and STARTTLS through any other port than the standard port 25. There is a well-known bug in Outlook 2000. See also http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307772

The reason this bug exists is that Microsoft supports the standard procedure only from Outlook 2002 onward.

Conclusion: Some Outlook/Outlook Express versions are not able to support the outdated and not standardized protocol “SMTP over SSL” on port 465. According to reports OL2000 and OL Express do not have problems when using this port and protocol.

Outlook XP/2002

Outlook 2002 should support STARTTLS on any port. However, due to a race condition in the code, it does not do so very reliably. Especially after installation of Office Service Pack 1, 2 or 3, it almost never works on ports other than 25.

Microsoft has confirmed this bug and has released a post-SP3 hotfix for us: officexp-kb829346.exe (access TU internal only), which can be used after installing Office Service Pack 3. Please read the README files in the hotfix.

Outlook 2003

OL2003 has had the same problems as OL2002. The hotfix that was required in the past to fix it is no longer necessary because it was integrated into Service Pack 2.

You can find Office updates at http://office.microsoft.com/

The behavior of Outlook is still not perfect: when sending mail encrypted to the SMTP server while the SMTP server is down or has closed port 587 (or port 25), e.g. due to high system load, OL gets into a state where it cannot send out any mail at all. In such a case you get strange error messages like:

Task ‘xyz – Sending’ reported error (0x800CCC7D) :’Your outgoing(SMTP) server does not support SSL-secured connections. If SSL-secured connections have worked in the past, contact your server administrator or Internet service provider (ISP).’

and

Task ‘xyz – Sending’ reported error (0x8004210B) : ‘The operation timed out waiting for a response from the sending (SMTP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).’

In such a case you need to wait for the SMTP server to open the port again. Then you need to restart Outlook 2003.

The reason for all this trouble seems to be that OL tries to auto-detect whether SSL is spoken on the port immediately (SMTPS) or after negotiation with STARTTLS. It does so by first initiating a raw SSL connection to the port. If this connection attempt fails twice, it initiates a third connection attempt without SSL to see if SMTP is spoken. This auto-detection seems to be complicated and fails, e.g., if the mail server is unreachable or has the port closed.

Authenticated SMTP and TLS using Windows Mail (Vista)

On Windows Vista’s mail program, called Windows Mail, the settings are the same as the above Outlook Express settings.

Authenticated SMTP and TLS using Windows Live Mail

If you have downloaded and installed the “Windows Live Mail” email program (part of the Windows Live package), it is essentially an Outlook Express type of program and the settings are the same as the above Outlook Express settings.

Authenticated SMTP and TLS/SASL using Thunderbird

To send email from your computer when you are connecting to the Internet via another ISP using Thunderbird:

  1. Start Thunderbird.
  2. From the Tools menu, choose Account Settings.
  3. Select Server Settings in the left column (under your NFN account).
  4. In Server Name box, type:     mail.naples.net
  5. In the Security Settings section:
    * select SSL
    * do not check the box labeled Use secure authentication (you already have Secure Socket Layer enabled which fully encrypts everything, including your username/password)
  6. Make sure Port box changes to 995.
  7. Click OK to save. You now have secure receiving of mail.
  8. Now select “Outgoing Server (SMTP)” from the left menu.
  9. Click on the “Add” or “Edit” button if the account exists in the window.
  10. Server Name box set to   mail.naples.net
  11. Port box set to 587
  12. Put a check in “Use name and password” and make sure the User Name box has the NFN Account username
  13. Mark “TLS, if available” or “TLS” if you want to force TLS use.
  14. Click OK to save.  You now have secure sending of mail from any Internet connection.
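
The two choices in step 13 differ in what the client does when the server's EHLO reply on port 587 does not list STARTTLS. The following added example (not from the original page) models that decision; the EHLO replies are constructed, and the policy names "required" and "if_available" are hypothetical labels for the “TLS” and “TLS, if available” options.

```python
def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("unexpected EHLO line: %r" % line)
        words = rest.split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def next_step(reply, policy, tls_active=False):
    """Decide the client's next action after an EHLO reply.

    policy: "required" (the "TLS" setting) or "if_available".
    """
    if policy not in ("required", "if_available"):
        raise ValueError("unknown policy: %r" % policy)
    caps = parse_ehlo(reply)
    if tls_active:                                # already inside the TLS session
        return "AUTH" if "AUTH" in caps else "ABORT: no AUTH offered"
    if "STARTTLS" in caps:
        return "STARTTLS"
    if policy == "required":
        return "ABORT: server did not offer STARTTLS"
    # "if available": the session continues unencrypted, password included
    return "AUTH IN CLEARTEXT" if "AUTH" in caps else "SEND WITHOUT AUTH"

# Constructed EHLO replies (capability lists are illustrative only).
EHLO_WITH_TLS = "250-mail.naples.net\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
EHLO_NO_TLS = "250-mail.naples.net\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
EHLO_INSIDE_TLS = "250-mail.naples.net\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    for policy in ("required", "if_available"):
        print(policy, "->", next_step(EHLO_WITH_TLS, policy),
              "|", next_step(EHLO_NO_TLS, policy))
```

With “TLS” forced, a reply without STARTTLS ends the session before any password is sent, which is why it is the safer choice on networks you do not control.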

Authenticated SMTP and TLS using Windows Eudora versions 7.x – On Windows, Eudora 7.x requires the following changes to use authenticated SMTP and TLS encryption:

While in Eudora, under the Tools menu, select Options….

1. Select Getting Started, and make sure Allow Authentication is checked.
2. Select Checking Mail, and the box “Secure Sockets when Receiving”, select “Required, Alternate Port ”
3. Select Sending Mail under the category list on the left side.
4. Make sure the SMTP Server text box reads: mail.naples.net and a check is in “User submission port (587)”
5. Under Secure Sockets when Sending , make sure either If available, STARTTLS or Required, STARTTLS (forces TLS use) is visible in the drop down window.
6. The above settings are for your “Dominant” connection settings. If there are other Personas set in your Eudora, check the Properties of each so that “Generic Properties – Secure Sockets when Sending” is set to “If Available, STARTTLS” and “Incoming Mail – Secure Sockets when Receiving” is set to “Required, Alternate Port”.

Authenticated SMTP and TLS using Windows Eudora versions 6.x – On Windows, Eudora 6.x requires the following changes to use authenticated SMTP and encryption:

While in Eudora, under the Tools menu, select Options….

1. Select Getting Started, and make sure Allow Authentication is checked.
2. Select Checking Mail, and the box “Secure Sockets when Receiving”, select “Required, Alternate Port ”
3. Select Sending Mail under the category list on the left side.
4. Make sure the SMTP Server text box reads: mail.naples.net
5. Under Secure Sockets when Sending , make sure either If available, STARTTLS or Required, STARTTLS (forces TLS use) is visible in the drop down window.

Authenticated SMTP and TLS using Windows Eudora versions 5.x – On Windows, Eudora 5.x requires the following changes to use authenticated SMTP and encryption:

While in Eudora, under the Tools menu, select Options….

1. Select Getting Started, and make sure Allow Authentication is checked.
2. Select Checking Mail, and the box “Secure Sockets when Receiving”, select “Required, Alternate Port ”
3. Select Sending Mail under the category list on the left side.
4. Make sure the SMTP Server text box reads: mail.naples.net
5. Under Secure Sockets when Sending, make sure Required, STARTTLS is visible in the drop down window.
6. Click OK.
7. Because Eudora 5 is so old, you may find that it will complain about the SSL certificates. If you cannot get Eudora 5 to import the modern SSL certificate that the NFN mail server uses, then you will not be able to implement the new features with such dated Eudora software.

Authenticated SMTP and TLS using Macintosh Eudora versions 6.x – How to configure Eudora 6.x (Macintosh) for secure outbound (SMTP) email authentication for NFN email use.

Note: You must have Eudora 6.x (at minimum) in order to configure Eudora for Macintosh OS 10.x for secure SMTP.

1. Launch Eudora and go to Eudora > Preferences.
2. From the list of icons in the left side of the Settings dialog, click the icon for Sending Mail.
3. Select the Allow authorization check box.

4. From the list of icons in the left side of the settings dialog, scroll down and choose the SSL icon.
5. From the SSL for POP pull-down menu, select Required (Alternate Port).
6. From the SSL for SMTP pull-down menu, select Required (TLS).

7. Click OK.
Result: Eudora is now configured for Secure SMTP. You can confirm that secure outbound SMTP has been properly configured by sending yourself a test message and confirming that mail headers contain the appropriate information.

Authenticated SMTP and TLS/SASL using Apple Mail – To send email from your computer when you are connecting to the Internet via another ISP using Apple Mail. Different versions of Apple Mail may place specific settings on different screens. Consult your computer documentation for the exact location of some of the boxes.

1. Under General Information, set Account Type to “POP”.
2. Set Account Description to “NFN Mail”
3. Set Full Name to “your name”.
4. Set Email Address to yourNFNusername@naples.net
5. Click on the Continue button at the bottom of the screen
6. Set Incoming Mail Server to   mail.naples.net
7. Set User Name to:  yourNFNusername
8. Set Password to:   your NFN Account password
9. Click on the Continue button at the bottom of the screen
10. Set Outgoing Mail Server to:   mail.naples.net
11. Check the box labeled  Use Authentication
12. Click the Button that says:  Server Settings
13. Make sure the Outgoing mail server is set to use port 587.
14. Make sure the Incoming mail server is set to use port 995.
