
Deerfield Hosting, Inc.

High Performance Web Hosting


Email

Encrypted email – or is it?

December 11, 2013 by dennis

We are often asked about certificate warnings which pop up in email clients.  When an account is moved to a new server, there is a new certificate and a new warning often appears.  In answer to a question about this:

It’s safe to accept the certificate.  We moved your accounts to a newer faster server a few days ago.  We had been using a wildcard certificate, but that was causing problems for people running software too dumb or too conservative to work with such a certificate.  It seemed like an appropriate time to switch.

Email client software often sets up TLS (encrypted) connections by default.  It makes people think sending stuff via email is secure, adding yet another misconception to the rampant ignorance.  It’s not secure.  Email is a store and forward system.  That means your message may cross the network encrypted, but it is then stored unencrypted on the target mail server.  It frequently passes through many servers before being delivered.  It’s trivial for an administrator of any of those servers to keep a copy – not encrypted.

The security of your message is in the hands of those administrators.  You will almost never even know who they are.

Nearly its only virtue is that your password is sent over an encrypted connection. It also means that when someone at the NSA wants to read your message, he will have to spend a few minutes on a powerful computer to decrypt it first. If you want more secure email, you need to encrypt the content, not just the connection. If you don’t want the NSA or anyone else reading your email at all, you’re basically out of luck.

Content encryption is good enough to deter most criminals and casual snoopers.  Unfortunately, a really sophisticated criminal can still decrypt it.  But you don’t need to worry about this too much unless you know that your content has a very high value to such a person.  If you make it even a little hard, they will move on.   There is no shortage of easy targets.

The bottom line is: encrypt the content if you need security. That said, there are better ways to transfer sensitive information than via email. There’s no reason to allow it to have such a high profile. Virtually all cases of hacking are the result of gaping, stupid security holes left by someone incompetent in charge of security.

Filed Under: Email

Email Should Never Bounce

March 18, 2013 by dennis

Don’t be lulled into the idea that great big rich companies automatically have high-quality, correctly configured Internet service. It is very common for outbound email service to be incorrectly configured.

A big part of the problem is that Microsoft email servers are configured incorrectly out of the box. They work correctly in the common cases and testing frequently stops there. At that point they will not use a backup or secondary email server AND they fail to keep things on a queue for a few hours to work around temporary failures as the standards dictate.

It is virtually impossible for your inbound email service to be completely down. There are 2 servers in different data centers capable of receiving mail. Yet, I commonly get reports of bounced email when our main mail server is offline. There is absolutely no excuse for that because the secondary is available.
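The difference between a correct sender and the primary-only behaviour described above, as an added example that is not code from this site or from any mail server. The MX records, host names, retry interval and queue lifetime are assumed values, and `connect` is a stand-in for a real SMTP connection attempt.

```python
from datetime import datetime, timedelta

RETRY_INTERVAL = timedelta(minutes=30)  # assumed retry spacing
QUEUE_LIFETIME = timedelta(hours=4)     # assumed "a few hours" on the queue

def attempt_delivery(mx_records, connect, first_queued, now):
    """One queue run: ('delivered', host), ('retry', when) or ('bounce', why)."""
    for _pref, host in sorted(mx_records):   # lowest preference value first
        try:
            connect(host)
            return ("delivered", host)
        except ConnectionError:
            continue                         # fall through to the next MX
    if now - first_queued < QUEUE_LIFETIME:
        # Temporary failure: keep the message queued and try again later.
        return ("retry", now + RETRY_INTERVAL)
    return ("bounce", "no MX host reachable during the queue lifetime")

def primary_only_delivery(mx_records, connect):
    """The misconfiguration described above: one host, no queue."""
    _pref, host = min(mx_records)
    try:
        connect(host)
        return ("delivered", host)
    except ConnectionError:
        return ("bounce", f"{host} unreachable")

# Constructed scenario: hypothetical MX records for a recipient domain.
MX = [(20, "mx2.example.org"), (10, "mx1.example.org")]
T0 = datetime(2013, 3, 18, 9, 0)

def make_connect(down):
    """Build a fake connect() that fails for every host in `down`."""
    def connect(host):
        if host in down:
            raise ConnectionError(host)
    return connect

if __name__ == "__main__":
    primary_down = make_connect({"mx1.example.org"})
    print(primary_only_delivery(MX, primary_down))      # bounces at once
    print(attempt_delivery(MX, primary_down, T0, T0))   # uses the secondary
```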

Next time anyone, and especially a Great Big Company, tells you they couldn’t get an email to you, demand that they send you a copy of the mail with the failed headers. I can almost guarantee they will reveal a configuration error on their server. It’s only by pointing out their problems that they will become aware of and correct them. They should want to know they have a problem.

Filed Under: Email

“Secure” Email

February 22, 2013 by dennis

The content of your emails is not as secure as you may think it is.

When you set up an email account on your computer (or tablet or phone) you have the opportunity to specify encrypted connections. The trouble is, email is a store and forward system. Unless you know every server your mail will traverse, you can’t know that it will be transmitted encrypted from server to server.

You are also subject to trusting the mail server administrator of each server it traverses, sometimes as many as 4 or 5. While the transmission from your machine to the first server may be encrypted, subsequent transmissions may not be. What is more, at each server it will be stored in plain text format. It is trivial for any mail server administrator to retain a copy of your emails. It is also trivial to scan plain text files looking for keywords such as “password”.
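One way to see after the fact which hops of a received message were encrypted is to read its `Received` headers, shown here as an added example that is not part of the original post. The sample message is constructed, and the TLS check relies on the `with` protocol keywords registered in RFC 3848; each header is self-reported by the server that wrote it, and a TLS hop says nothing about how the message was stored.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop ran over TLS (RFC 3848 registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# from <sender> ... by <receiver> ... with <protocol>
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[\w-]+)",
    re.I | re.S,
)

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
 by mail.example.org with ESMTPS id c3; Fri, 22 Feb 2013 10:00:05 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mx2.example.net with ESMTP id b2; Fri, 22 Feb 2013 10:00:03 -0500
Received: from laptop.local ([192.0.2.55])
 by relay.example.com with ESMTPSA id a1; Fri, 22 Feb 2013 10:00:01 -0500
From: alice@example.com
To: bob@example.org
Subject: constructed sample

The body is stored as plain text on every server above.
"""

def audit_hops(raw_message):
    """Return one dict per hop, in the order the message travelled."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            hops.append({"src": None, "dst": None, "proto": None, "tls": None})
            continue
        proto = m.group("proto").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Hops that did not record TLS, or whose header could not be parsed."""
    return [h for h in audit_hops(raw_message) if h["tls"] is not True]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(f'{hop["src"]} -> {hop["dst"]}: {hop["proto"]} tls={hop["tls"]}')
```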

If you want what is in your email to be secure, what you need to do is encrypt the content, not just the connection.

One commonly used tool for this purpose is PGP. That stands for “pretty good protection”. Encryption is a huge subject, but there are tools in the cPanel control panel to help you get this done. More information about PGP and this subject in general can be found HERE.

Having said all that, there is still 1 good reason to set up secure (encrypted) connections from your email client to your hosting server: passwords.  Secure connections are established before your password is sent and that means it is sent encrypted and not as plain text.

Filed Under: Email

Automated Email Checking

February 7, 2013 by dennis

Setting your email client (MS-Outlook, Windows mail, Thunderbird, etc.) to check email too often is abuse. Sometimes it’s accidental abuse. It’s common for unstable programs like Microsoft Outlook to become corrupted and go wild, checking incessantly.

Recently we implemented a system to track (among many other things) email logins. When logins to a specific email account exceed limits, the IP address the logins are coming from is temporarily blocked. The reason for doing this is performance. Our servers typically have 5,000 or more email accounts on them. 20 or 30 abusive accounts is not a large percentage of the total, but can significantly reduce performance for everyone using a server.

If your ability to send and receive email is experiencing intermittent problems, this may be the reason. We can check this for you if you submit a trouble ticket. Our ticketing system automatically includes your public IP address which we need to do this. Click on “Orders – Tickets” above left, then “Submit Ticket”.

All this begs the question: why are you doing this in the first place? All you really need to do is click on the send/receive button in your email client and you will have your email. If you have a broadband connection, which is most often the case, you will almost certainly have your email within 2 seconds. Most people who have automatic checking turned on will do this anyway! If you have a slow connection, by all means do automated checking to save yourself some time.

Otherwise, wouldn’t you rather see faster performance of your server? If you actually think you have another reason for automated checking, let’s hear it!

Filed Under: Email


Copyright © 2023 · Deerfield Hosting