TLS Configuration
The FNAL Gateways were recently configured to support Transport Layer Security (TLS) using Secure Socket Layer (SSL) encryption. For most users this will have no effect on using email at FNAL. For users who travel, or whose primary system is a laptop that goes home with them at night, there are some things you need to be aware of.
The FNAL Gateways are configured not to relay mail. This means mail that originates offsite cannot be delivered directly offsite. If it goes through a forwarding address or a mailing list, it will be delivered.
In the past, a user who wanted to relay asked for an exception to the anti-relay rules to be added for their email address. While this works, should that address be discovered it could then be used for things like spamming other sites through the FNAL Gateways.
With Authenticated SMTP, any user who wants or needs to relay mail using smtp.fnal.gov as their SMTP server can do so, using their gateway password for authentication.
Something to keep in mind - if you are running anti-virus software that inspects your outgoing mail, it may have a negative effect on your ability to use TLS. We have seen this with Norton AntiVirus 2002. Configuring NAV 2002 not to inspect outgoing mail resolved the problem.
To do this, start the Symantec console. You must do this with administrative access to the system.

Now click on Configure, Internet E-Mail Auto-Protect.

If Enable Internet E-Mail Auto-Protect is selected, remove the check and click on OK. Close the Symantec console and proceed with the configuration of your email client.

Internet Service Providers
Some ISPs and institutions either block outbound traffic on port 25 or have a proxy server configured to relay the connection for you. If your ISP uses one of these methods to restrict access to port 25, you may have a problem using Authenticated SMTP, because the command that starts the encrypted connection is sent to your ISP's SMTP gateway rather than to the gateway at Fermilab.
The following ISPs are known to have either blocked port 25 or implemented a proxy gateway:
- AOL
- Earthlink
- AT&T Dialup
If you use one of these ISPs and are unable to get Authenticated SMTP working, please try configuring your email client to use SMTP over TLS on the alternate port 465. Examples are shown below for the more popular email clients.
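A way to see which situation you are in before fighting with client settings, added here as an example (not part of the original page or of any Fermilab tool): inspect what the EHLO reply on port 25 actually advertises. The two EHLO replies are constructed for illustration, the host name relay.isp.example is invented, and the decision rule mirrors the page's advice (STARTTLS with AUTH on port 25 from the real gateway, otherwise SMTP over SSL on 465).

```python
import smtplib

# Constructed EHLO replies (not captured from any real server). The first is what
# the Fermilab gateway would show; the second mimics an ISP proxy that has
# intercepted port 25 and offers neither STARTTLS nor AUTH.
GATEWAY_EHLO = (b"250-smtp.fnal.gov Hello client.example\r\n"
                b"250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 SIZE 10240000\r\n")
ISP_PROXY_EHLO = b"250-relay.isp.example Hello client.example\r\n250 SIZE 10240000\r\n"


def parse_ehlo(reply: bytes) -> tuple:
    """Split a raw multi-line EHLO reply into (greeting, {extension: params}).
    Keys are lower-cased, matching smtplib's esmtp_features dictionary."""
    lines = reply.decode("ascii", "replace").splitlines()
    greeting = lines[0][4:] if lines else ""          # drop the "250-" prefix
    features = {}
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250":
            continue                                   # not a 250 continuation line
        keyword, _, params = line[4:].partition(" ")
        features[keyword.lower()] = params
    return greeting, features


def choose_transport(greeting: str, features: dict, expected_host="smtp.fnal.gov") -> dict:
    """Pick the client setting the page recommends for what the session really shows."""
    answering_host = greeting.split(" ", 1)[0]
    answered_by_gateway = answering_host.lower() == expected_host
    if answered_by_gateway and "starttls" in features and "auth" in features:
        return {"port": 25, "mode": "starttls", "auth": features["auth"].split()}
    reason = ("EHLO answered by %r, not %s" % (answering_host, expected_host)
              if not answered_by_gateway else "STARTTLS or AUTH not offered on port 25")
    return {"port": 465, "mode": "smtps", "auth": None, "reason": reason}


def probe(host: str = "smtp.fnal.gov") -> dict:
    """Live check (needs network; not exercised offline): send EHLO on port 25
    and run the same decision on the reply smtplib stored."""
    with smtplib.SMTP(host, 25, timeout=15) as s:
        s.ehlo()
        greeting = s.ehlo_resp.split(b"\n", 1)[0].decode("ascii", "replace")
        return choose_transport(greeting, s.esmtp_features, host)


if __name__ == "__main__":
    for name, raw in (("gateway", GATEWAY_EHLO), ("isp-proxy", ISP_PROXY_EHLO)):
        print(name, choose_transport(*parse_ehlo(raw)))
```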
Configuring your client to use TLS
Most modern email clients support TLS in one way or another. A few of the more popular clients are covered here:
Netscape v4.x
Netscape v4.x appears to have a bug in the way it handles TLS. Even when configured not to use TLS or SSL, it tries to start an authenticated session. For this reason, if you are using Netscape v4 with smtp.fnal.gov as your outgoing SMTP server, you must use Authenticated SMTP to send mail.
To work around this in the most secure manner possible, configure the client to use TLS when available
and use your mail gateway username and password. You will only need to enter it the first time you send mail during an email session. If at all possible, consider upgrading to a newer release of Netscape or Mozilla.
Netscape v7.x/Mozilla v1.3
Because they share a common code base, configuring these two clients is very similar.
Start the client and click on Edit, Mail and Newsgroup Account Settings. Select Outgoing Server (SMTP). Make sure that smtp.fnal.gov is your SMTP server and that Use Secure Connection (SSL) is set to When available. If you use an ISP that blocks port 25, enter 465 in the port field.
You can select Use name and password and fill in your FNAL gateway password if you want (Mozilla 1.3 seems to require this). Click on OK to save the changes.
The first time you send mail in each session, a dialog box like the following will appear.
Enter your mail gateway username and password and your mail will be sent.
If you do not want to use TLS, be sure that Use name and password is not checked and Use Secure Connection (SSL) is set to Never. If it is set to When available, you will be prompted for your gateway username and password.
Microsoft Outlook Express (Windows)
Start Outlook Express and click on Tools, Accounts.

Select your email account and click on Properties.

Select the Servers tab. Make sure that your outgoing SMTP server is smtp.fnal.gov and that your outgoing mail server requires authentication. Click on Settings.

If your IMAP and mail gateway usernames and passwords are the same, select the top option. Otherwise, select the Log on using option and put your mail gateway username in the Account name box. Click on OK.

Now click on the Advanced tab. Set the outgoing SMTP server to require a secure connection. If you use an ISP that blocks port 25, change the 25 to 465 here. Click on OK.

Click on Close to return to Outlook Express.

The next time that you send e-mail you should be prompted for a password. Enter your email gateway password and the mail will be sent.
Microsoft Outlook 2003 (Windows)
Start Outlook and click on Tools, E-mail Accounts.

We are going to change an existing e-mail account.

Select your default e-mail account and click on Change.

Make sure that your outgoing SMTP server is smtp.fnal.gov. Select More Settings.

Select the Outgoing Server tab. Check the box stating that your outgoing mail server requires authentication. Log on using your mail gateway username. Click on OK and then on the Advanced tab.

For additional security, you can require an encrypted connection. If you use an ISP that blocks port 25, change the 25 to 465 here. Click on OK, then Next, and then Finish.

The next time that you send e-mail you should be prompted for a password. Enter your email gateway password and the mail will be sent.
Microsoft Outlook/Outlook Express (Macintosh)
Outlook Express 5.0.6 on the Macintosh (Entourage too!) has a problem using the STARTTLS command necessary to start a TLS session on the standard SMTP port. It has to be configured to use the SMTP over SSL port, as shown below:
Select the Accounts item from the Tools menu to open the Accounts box.
Select the desired account (in this example it was Fermilab IMAP) and click Edit.
Click on "Click here for advanced sending options".
Set SMTP Server Requires SSL and change the default port to 465. Select either the same user/password as incoming, or set the username and password in the fields, depending on your configuration.
Pine
Configuring Pine for TLS is easy. In your .pinerc file, change the line
smtp-server=smtp.fnal.gov
to
smtp-server=smtp.fnal.gov/user=gatewayusername
If your ISP blocks outbound SMTP access, you can try using SMTP over SSL. Set your SMTP server as follows:
smtp-server=smtp.fnal.gov:465/ssl/user=gatewayusername
Pine will request your mail gateway password before sending mail for the first time each session.
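The three .pinerc values above share one server-spec format (host, optional :port, then /ssl and /user= options). As an added example that is not part of the page or of Pine itself, here is a parser for that format together with the session it implies in Python's smtplib. The 25/465 defaults applied when no port is given are this example's own assumption, and open_session needs network access, so only the parser is exercised offline.

```python
import smtplib
import ssl


def parse_pine_server(spec: str) -> dict:
    """Parse a Pine smtp-server value of the form host[:port][/ssl][/user=name].
    Only the options shown on the page are accepted; anything else is rejected
    rather than silently ignored. Default port (assumed): 465 with /ssl, else 25."""
    hostport, *options = spec.split("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("no host in smtp-server spec %r" % spec)
    use_ssl, user = False, None
    for option in options:
        key, _, value = option.partition("=")
        if key.lower() == "ssl" and not value:
            use_ssl = True
        elif key.lower() == "user" and value:
            user = value
        else:
            raise ValueError("unsupported option %r in %r" % (option, spec))
    if port and not port.isdigit():
        raise ValueError("bad port %r in %r" % (port, spec))
    return {"host": host, "port": int(port) if port else (465 if use_ssl else 25),
            "ssl": use_ssl, "user": user}


def open_session(cfg: dict, password: str, timeout: int = 15):
    """Open the session a parsed spec describes (live network use only):
    SMTP over SSL on the given port, or plain SMTP upgraded with STARTTLS.
    Certificate verification uses the platform trust store in both cases."""
    context = ssl.create_default_context()
    if cfg["ssl"]:
        session = smtplib.SMTP_SSL(cfg["host"], cfg["port"], timeout=timeout, context=context)
    else:
        session = smtplib.SMTP(cfg["host"], cfg["port"], timeout=timeout)
        session.starttls(context=context)   # raises if the server refuses STARTTLS
    if cfg["user"]:
        session.login(cfg["user"], password)  # only ever sent on the encrypted channel
    return session


if __name__ == "__main__":
    for spec in ("smtp.fnal.gov", "smtp.fnal.gov/user=gatewayusername",
                 "smtp.fnal.gov:465/ssl/user=gatewayusername"):
        print(spec, "->", parse_pine_server(spec))
```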
Eudora (Windows)
Eudora supports TLS, but in an unusual way: the mail gateway password has to be the same as the POP/IMAP account password.
Click on Tools, Options, Sending Mail. Select If Available, STARTTLS to use TLS. Select None if you do not want to use TLS.
Mac OS/X
Please follow the steps below to enable TLS.



If you use an ISP that blocks port 25, enter 465 in the Server port field and click on OK.
