Michael D. Posted October 23, 2012

Hello,

The big issue used to be FTP passwords that were sniffed due to non-encrypted FTP connections, but these days the biggest issue is email. When you configure your mail client (Outlook, MacMail, Thunderbird, Eudora, etc.) you need to ensure that you are connecting via SSL or TLS. When you do not connect using SSL or TLS, you send your email address and password across the internet in plain-text for anybody malicious to see.

There are compromised systems out there on the internet that do nothing but sit and watch for email address and password combinations and the result is that the email address is used to send a ton of spam, the hosting account gets disabled/suspended, and the IP ends up blacklisted affecting everybody else on the server.

In an event such as this, we very well could charge $75/hour for our time spent cleaning up the black-list and resolving tickets opened by other customers as a result of such an issue. We really do not want to have to bill anybody for this. Preventing the issue is so simple, there really is no justification for not updating your mail client to use a secure authentication method.

We are looking into the possibility of forcing only secure connection methods, however, we are unsure at this time if the mail software will support such a limitation. In the event that this requirement is put into place, we will email our entire client base a few times over the course of a few weeks advising of the change.

If you have any questions at all, please do let us know. You are welcome to respond to this thread if you have a general question, or to open a support ticket if you have an account-specific question.
SarisIsop Posted October 23, 2012

Thanks for the tip. Is STARTTLS the same thing? I notice Thunderbird had one of mine on STARTTLS.
Michael D. (Author) Posted October 23, 2012

STARTTLS, SSL, TLS, they're all encrypted and 100% acceptable.

In Thunderbird and MacMail you will get a certificate warning if you are using "mail.yourdomain.com" instead of the server name (such as jasmine.supportedns.com, hermes.supportedns.com, etc.) - you can permanently accept the warning or simply use the host name. If you need to know the host name, you can go to your cPanel -> Email Accounts -> Configure Email Client and then the manual configuration will list the host name.

Outlook, as far as I know, has no option to permanently accept a mismatch (or it's well hidden), and it's advised to use the server name for SMTP/POP/IMAP.
SarisIsop Posted October 23, 2012

Thanks Mike.
Scott Posted November 15, 2012

We are seeing a significant outbreak in compromised email accounts today, all of which are due to compromised passwords. If anyone needs assistance with this, please do contact our tech support department for help getting your connections secure.
Michael D. (Author) Posted November 15, 2012

This most recent attack is from the same person or organization. The emails all have the same subject and sender name, random sending addresses, and the same return recipient address. I.e. this means that whoever it is doing this has been watching traffic on the internet for some time watching for unencrypted connections to email servers.

The moral of this is - that it's never worth it to connect in an insecure manner and if you absolutely must, do rotate your password regularly. I would suggest rotating the password as often as possible, but weekly would be as long as I would go if I were not using SSL encryption.
shpor Posted March 5, 2013

FYI, you may think that you have your e-mail client set up properly for SSL/TLS and yet your login info may still be transmitted in the clear. This is probably a rare problem but it happened to me last night.

The e-mail client I've been using is Thunderbird and I believe it may have been due to an error during setup of an account where I received a message that indicated the full e-mail address wasn't valid for username. (We're supposed to provide the full e-mail address for username, correct?) Some of the settings are a bit hard to check and change in Thunderbird once the account is set up, it seems.

I was able to receive e-mail without a problem and everything seemed OK until I tried to send an e-mail, when I was informed that my password was incorrect. Yet I was sure that the password was correct. I double-checked and entered the password a few more times only to receive more error messages that the password was incorrect. Then I started to receive timeout errors, including on another OS where I had previously been able to send e-mails. (Blocked due to the incorrect logins, evidently.)

When I contacted support I was told that my password had been transmitted unencrypted and that it was incorrect. Yet I was 100% sure that my password was correct and that I was properly set up on both IMAP and SMTP for SSL/TLS.

Bizarre, huh! I think I'll just stick with web mail.
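An added example, not part of the original thread: a small Python check that reads a mail client's protocol log and reports any login command sent before TLS was active, which is the situation described in the post above. The `C:`/`S:` log format, the sample sessions and the address user@example.com are constructed for illustration.

```python
import base64
import re

# Client commands that carry credentials: SMTP AUTH, IMAP LOGIN, POP3 USER/PASS.
CRED_PATTERNS = [
    ("SMTP AUTH", re.compile(r"^AUTH\s+(PLAIN|LOGIN)\b", re.I)),
    ("IMAP LOGIN", re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE)\b", re.I)),
    ("POP3 USER/PASS", re.compile(r"^(USER|PASS)\s+\S+", re.I)),
]
# Commands that upgrade a plaintext connection: STARTTLS (SMTP/IMAP), STLS (POP3).
UPGRADE = re.compile(r"^(\S+\s+)?(STARTTLS|STLS)\s*$", re.I)
# Server replies that accept the upgrade: 220 (SMTP), "<tag> OK" (IMAP), +OK (POP3).
ACCEPTED = re.compile(r"^(220\b|\+OK\b|\S+\s+OK\b)", re.I)

def exposed_user(text):
    """Username readable on the wire from 'AUTH PLAIN <base64>', else None."""
    m = re.match(r"^AUTH\s+PLAIN\s+(\S+)$", text, re.I)
    try:
        parts = base64.b64decode(m.group(1), validate=True).split(b"\0") if m else []
    except ValueError:
        parts = []
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None

def audit_session(lines, implicit_tls=False):
    """Return (line_no, kind, user) for each credential command sent without TLS."""
    tls_active, upgrade_pending, findings = implicit_tls, False, []
    for no, raw in enumerate(lines, 1):
        side, _, text = raw.strip().partition(": ")
        if side == "S":
            if upgrade_pending and ACCEPTED.match(text):
                tls_active = True  # everything after this reply is encrypted
            upgrade_pending = False
        elif side == "C" and UPGRADE.match(text):
            upgrade_pending = True
        elif side == "C" and not tls_active:
            for kind, pat in CRED_PATTERNS:
                if pat.match(text):
                    findings.append((no, kind, exposed_user(text)))
                    break
    return findings

# Constructed sample sessions (not real traffic); the credential is a placeholder.
B64 = base64.b64encode(b"\0user@example.com\0placeholder").decode()
STARTTLS_OK = ["S: 220 mail.example.com ESMTP", "C: EHLO client", "S: 250 STARTTLS",
               "C: STARTTLS", "S: 220 Ready to start TLS", "C: EHLO client",
               "S: 250 AUTH PLAIN", "C: AUTH PLAIN " + B64]
NO_TLS = ["S: 220 mail.example.com ESMTP", "C: EHLO client", "C: AUTH PLAIN " + B64]
REFUSED = ["C: STARTTLS", "S: 454 TLS not available", "C: AUTH PLAIN " + B64]
IMAP_CLEAR = ["S: * OK IMAP4rev1 ready", "C: a1 LOGIN user@example.com placeholder"]
```

Pass `implicit_tls=True` for sessions on a port where TLS is negotiated before any mail command is sent; an empty result means no login command was logged ahead of encryption.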
Scott Posted March 5, 2013

> (We're supposed to provide the full e-mail address for username, correct?)

Yes

> Bizarre, huh! I think I'll just stick with web mail.

Probably the safest option in this case. Or see about another email client.
Juan Posted March 24, 2013

Thanks for this. I have forwarded this info to my clients.