Security Advisory: Use SSL/TLS to connect to IMAP, POP3, and SMTP


8 replies to this topic

#1 MikeDVB

Posted 23 October 2012 - 09:33 AM

Hello,

The big issue used to be FTP passwords that were sniffed due to non-encrypted FTP connections, but these days the biggest issue is email. When you configure your mail client (Outlook, MacMail, Thunderbird, Eudora, etc.) you need to ensure that you are connecting via SSL or TLS. When you do not connect using SSL or TLS, you send your email address and password across the internet in plain-text for anybody malicious to see.

There are compromised systems out there on the internet that do nothing but sit and watch for email address and password combinations and the result is that the email address is used to send a ton of spam, the hosting account gets disabled/suspended, and the IP ends up blacklisted affecting everybody else on the server. In an event such as this, we very well could charge $75/hour for our time spent cleaning up the black-list and resolving tickets opened by other customers as a result of such an issue. We really do not want to have to bill anybody for this.

Preventing the issue is so simple, there really is no justification for not updating your mail client to use a secure authentication method. We are looking into the possibility of forcing only secure connection methods, however, we are unsure at this time if the mail software will support such a limitation. In the event that this requirement is put into place, we will email our entire client base a few times over the course of a few weeks advising of the change.

If you have any questions at all, please do let us know. You are welcome to respond to this thread if you have a general question, or to open a support ticket if you have an account-specific question.
Michael Denney - MDDHosting LLC - Providing Hosting since 2007
Scalable shared hosting plans in the cloud! Check them out!
Highly Available Cloud Shared, Reseller, and VPS
http://www.mddhosting.com/

#2 SarisIsop

Posted 23 October 2012 - 02:20 PM

Thanks for the tip. Is STARTTLS the same thing? I notice Thunderbird had one of mine on STARTTLS.

#3 MikeDVB

Posted 23 October 2012 - 02:25 PM

STARTTLS, SSL, TLS, they're all encrypted and 100% acceptable.

In Thunderbird and MacMail you will get a certificate warning if you are using "mail.yourdomain.com" instead of the server name (such as jasmine.supportedns.com, hermes.supportedns.com, etc.) - you can permanently accept the warning or simply use the host name.

If you need to know the host name, you can go to your cPanel -> Email Accounts -> Configure Email Client and then the manual configuration will list the host name.

Outlook, as far as I know, has no option to permanently accept a mismatch (or it's well hidden), and it's advised to use the server name for SMTP/POP/IMAP.

#4 SarisIsop

Posted 23 October 2012 - 02:33 PM

Thanks Mike. :)

#5 Scott

Posted 15 November 2012 - 02:57 PM

We are seeing a significant outbreak in compromised email accounts today, all of which are due to compromised passwords. If anyone needs assistance with this, please do contact our tech support department for help getting your connections secure.
Scott S - MDDHosting LLC - Providing Hosting since 2007

#6 MikeDVB

Posted 15 November 2012 - 03:21 PM

This most recent attack is from the same person or organization. The emails all have the same subject and sender name, random sending addresses, and the same return recipient address. I.e. this means that whoever it is doing this has been watching traffic on the internet for some time watching for unencrypted connections to email servers.

The moral of this is - that it's never worth it to connect in an insecure manner and if you absolutely must, do rotate your password regularly. I would suggest rotating the password as often as possible, but weekly would be as long as I would go if I were not using SSL encryption.

#7 shpor

Posted 05 March 2013 - 01:20 PM

FYI, you may think that you have your e-mail client set up properly for SSL/TLS and yet your login info may still be transmitted in the clear. This is probably a rare problem but it happened to me last night.

The e-mail client I've been using is Thunderbird and I believe it may have been due to an error during setup of an account where I received a message that indicated the full e-mail address wasn't valid for username. (We're supposed to provide the full e-mail address for username, correct?) Some of the settings are a bit hard to check and change in Thunderbird once the account is set up, it seems.

I was able to receive e-mail without a problem and everything seemed OK until I tried to send an e-mail, when I was informed that my password was incorrect. Yet I was sure that the password was correct. I double-checked and entered the password a few more times only to receive more error messages that the password was incorrect. Then I started to receive timeout errors, including on another OS where I had previously been able to send e-mails. (Blocked due to the incorrect logins, evidently.)

When I contacted support I was told that my password had been transmitted unencrypted and that it was incorrect. Yet I was 100% sure that my password was correct and that I was properly set up on both IMAP and SMTP for SSL/TLS.

Bizarre, huh! I think I'll just stick with web mail.
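An added example, not part of the thread or of MDDHosting's tooling: one way to check what Thunderbird actually stored for each account, since incoming (IMAP/POP3) and outgoing (SMTP) connection security are saved separately and one can be encrypted while the other is not. It assumes the profile's prefs.js uses the socketType and try_ssl preferences with the values listed in the code, and that a missing preference means the default of no encryption; confirm both in Thunderbird's Config Editor. The sample preferences and host names are constructed.

```python
import re

# Assumed Thunderbird meanings for socketType (incoming) and try_ssl (SMTP).
SECURITY = {0: "none", 1: "STARTTLS if available", 2: "STARTTLS", 3: "SSL/TLS"}
ENCRYPTED = {2, 3}  # value 1 can fall back to plain text, so it is flagged too

PREF_RE = re.compile(
    r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(\w+)",\s*("?)(.*?)\4\);'
)

# Constructed sample: IMAP is on SSL/TLS, but neither SMTP entry enforces encryption.
SAMPLE_PREFS = """
user_pref("mail.server.server1.hostname", "mail.example.com");
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.hostname", "Local Folders");
user_pref("mail.server.server2.type", "none");
user_pref("mail.smtpserver.smtp1.hostname", "mail.example.com");
user_pref("mail.smtpserver.smtp1.port", 25);
user_pref("mail.smtpserver.smtp2.hostname", "mail.example.org");
user_pref("mail.smtpserver.smtp2.try_ssl", 1);
"""

def parse_prefs(text):
    """Group mail.server.* and mail.smtpserver.* prefs by (kind, key)."""
    servers = {}
    for kind, key, name, _quote, value in PREF_RE.findall(text):
        servers.setdefault((kind, key), {})[name] = value
    return servers

def audit(text):
    """List (protocol, hostname, setting) for servers that may get a clear-text login."""
    findings = []
    for (kind, _key), prefs in sorted(parse_prefs(text).items()):
        if kind == "server":
            proto = prefs.get("type", "")
            if proto not in ("imap", "pop3"):
                continue  # Local Folders, feeds, etc. never send a mail password
            mode = int(prefs.get("socketType", 0))  # assumption: missing means 0
        else:
            proto = "smtp"
            mode = int(prefs.get("try_ssl", 0))  # assumption: missing means 0
        if mode not in ENCRYPTED:
            host = prefs.get("hostname", "?")
            findings.append((proto, host, SECURITY.get(mode, "unknown")))
    return findings

if __name__ == "__main__":
    for proto, host, mode in audit(SAMPLE_PREFS):
        print(f"{proto} {host}: connection security is '{mode}'")
```
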

#8 Scott

Posted 05 March 2013 - 01:36 PM

> (We're supposed to provide the full e-mail address for username, correct?)

Yes

> Bizarre, huh! I think I'll just stick with web mail.

Probably the safest option in this case. Or see about another email client.

#9 Juan

Posted 24 March 2013 - 04:28 PM

Thanks for this. I have forwarded this info to my clients.