From Network Services

UTORmail: TechnicalFAQ

This documentation has been written for technical support staff, the technically advanced and the curious.
Those looking for an overview and basic instructions, please visit http://www.utoronto.ca/ns/utormail/securemail/

What are the technical elements of the UTORmail enhanced security
which is being announced November 2007 ?

New components for sending of mail,

The above UTORmail elements have been in use by University of Toronto at Mississauga since August 2007 without problems. This announcement is for the rest of the university to start using this infrastructure.

Components for receiving of mail,

The above UTORmail elements have been available and widely used for a number of years. With this announcement we are promoting more widespread adoption.

What are the necessary configuration changes ?

See http://www.utoronto.ca/ns/utormail/securemail/

What about UTORwebmail and my.utoronto.ca ?

This announcement is not intended for those using UTORwebmail to access UTORmail. Instead it is meant for those using e-mail client software such as Mozilla Thunderbird, Microsoft Outlook, Microsoft Outlook Express, Windows Mail (the successor to Outlook Express exclusive to Windows Vista), Qualcomm Eudora, University of Washington Alpine and Pine, SeaMonkey or Mozilla or Netscape Mail & Newsgroups, and other software which supports IMAP4 for accessing messages at a post office and SMTP for sending messages. (Note that we cannot provide support for all e-mail client software. See the Quick Enhanced Security Network Access configuration Table for what is supported.)

UTORwebmail (webmail access to UTORmail using browsers such as Internet Explorer, Firefox, and Safari) and my.utoronto.ca have always used SSL/TLS to encrypt the entire web session. This is not changing.

Mail sent using UTORwebmail is not currently checked for viruses, but we intend to start doing so in the near future. (Only mail coming from other post offices is checked for viruses.)

This announcement also applies to PDAs such as the Palm Treo and Blackberry, when they are used to send and receive messages with UTORmail.

Does e-mail client software need to be upgraded prior to changing the configuration ?

Most software released over the last few years will work fine. As far as we know all versions of Mozilla Thunderbird, Outlook Express, and Outlook will work.

According to Eudora techsupport (http://www.eudora.com/techsupport/kb/2307hq.html) Eudora 5.1 or newer is required. For those using Eudora 6.x.x, version 6.1.1 or newer is required.

E-mail software included with the Palm Treo 650 works; we have not tested the Treo 600 or previous models.

If there is anyone left using the following old software, these are known not to work: Pegasus Mail, Simeon, ECSmail, Netscape 4.X and older.

Are you forcing us to use this higher security infrastructure ?

Everyone must use the higher security by July 31st. After this date we will gradually disable all non-secure access, one group of customers at a time.

Using non-secure access allows criminals to easily steal your account. In addition, we have had problems with criminals getting into university systems, causing damage to the university and to many university members.

Everyone has to do their part to make sure that university systems are secure.

In time, we will propose to the University making this be mandatory for all UTORmail customers.

Does this mean that messages are encrypted end-to-end ?
Are messages encrypted between-sender-and-recipient ?

No.

The technology in this announcement encrypts messages as they are sent over the network between your workstation and the UTORmail post office.

This technology does not encrypt messages as they are sent from the UTORmail post office to another post office (e.g. when sending messages to non-UTORmail customers at UofT, or when sending messages to external post offices such as Hotmail).

This technology also does not encrypt e-mail messages stored on your workstation (e.g. in local folders), stored at the UTORmail post office, etc.

Does this mean that e-mail messages can't be forged (i.e. sent so as to deceive the recipient as to whom the real sender is) ?

E-mail messages can still be easily forged—anyone can easily send you a message whose "From" looks like it came from someone else.

What happens if a UTORmail customer tries to send email containing a virus ?

After the UTORmail customer hits the send button, an error message will be displayed and the message will not be sent.

(Previously we had no protection when a UTORmail customer sent a virus. We only detected viruses in messages coming from outside UTORmail.)

When a UTORmail customer tries to send a message, is it checked for spam ?

Yes. With the new configuration, some SPAM is being detected when sent by UTORmail customers.

For SPAM sent by UTORmail customers which is not detected, if we receive a complaint, we will be better able to identify culprits. Sending SPAM is contrary to university policy.

What does SSL/TLS do ?

SSL/TLS is used with UTORmail to help prevent eavesdropping when data (e.g. the UTORid password or message content) is sent between the workstation and the UTORmail post office.

(SSL/TLS is also used to verify the UTORmail server identity by checking its certificate. UTORmail uses UTORids, not SSL/TLS, to authenticate customers—i.e. we are not using the mutual authentication functionality of SSL/TLS. And standard SSL/TLS does not have non-repudiation support.)

What is the difference between SSL/TLS and SSL and TLS ?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols for encrypting data transfers over networks. There are slight differences between TLS and SSL, but they are substantially the same. (SSL version 1 and version 2 should no longer be used. Most software will automatically negotiate between SSL version 3 and TLS version 1.) Most people are only familiar with the older SSL term. The term SSL/TLS usually means SSL or TLS, especially when the difference is not important. Sometimes people use the term SSL generically, to mean SSL or TLS.

We have used (SMTP) port 25 for sending messages for 20 years.
Why are we switching to port 587 ?
What is SMTP-AUTH ?

The Simple Mail Transfer Protocol (SMTP), using port 25, was designed in 1980 to send e-mail messages from post office to another post office.

In time, workstation-based e-mail client software became widespread and, for lack of an alternative, used SMTP for sending messages from workstation to post office. This created many problems, especially when remote unauthenticated customers connected to send messages—this was open to abuse by bad people wanting to send SPAM.

Message Submission, introduced in 1998, using port 587, is the Internet standard for email client software to submit messages to a post office. SMTP, on port 25, is still used for sending messages from post office to post office. (The Message Submission protocol looks like the SMTP protocol with different defaults.)

UTORmail also uses the Internet SMTP-AUTH standard, introduced in 1999, to authenticate those sending a message through Message Submission on port 587.

Does UTORmail's Message Submission port 587 use SSL/TLS ?

Yes.

Client software initially contacts the Message Submission port 587 without encryption. It then uses STARTTLS to initiate negotiation for encryption. During any negotiation, UTORmail insists on SSL/TLS encryption.

What is STARTTLS ?

One way to indicate use of SSL/TLS is to use a unique port number. For example, web browsing via HTTP uses port 80 whereas web browsing via HTTP over SSL/TLS uses port 443, IMAP uses port 143 whereas IMAP over SSL/TLS uses 993, LDAP uses port 389 whereas LDAP over SSL/TLS uses 636, etc.

Unfortunately, reserved port numbers are a scarce resource. So instead of using a second port number for each protocol when it is used over SSL/TLS, the Internet standards body introduced STARTTLS in 1999. Protocols that use STARTTLS use the same port number whether or not SSL/TLS is in use.

For example, when e-mail client software connects to UTORmail's Submission port 587, the connection starts out unencrypted. The client software then says STARTTLS, which starts negotiation for an SSL/TLS session.
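As an added example (not part of the original FAQ and not UTORmail's own tooling), the Python below checks a submission server for the sequence just described: plain connect, STARTTLS with certificate verification, and SMTP-AUTH offered only inside TLS. The host passed to check_submission() is an assumption, and the sample EHLO replies are constructed so the parsing functions can be exercised offline.

```python
import smtplib
import ssl


def parse_ehlo(reply: bytes) -> dict:
    """Map a raw multi-line EHLO reply to {EXTENSION: parameters}.
    Line 0 is the greeting ("250-host Hello"); later lines are
    "250-KEYWORD params" or, for the last one, "250 KEYWORD params"."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        keyword, _, params = line[4:].partition(" ")
        caps[keyword.upper()] = params
    return caps


def auth_policy(ehlo_plain: bytes, ehlo_tls: bytes) -> dict:
    """Judge a submission server from its EHLO replies before and after
    STARTTLS. Advertising AUTH on the unencrypted connection lets a
    misconfigured client send the UTORid password in the clear; the policy
    described in the FAQ is: STARTTLS offered, AUTH only once TLS is up."""
    before, after = parse_ehlo(ehlo_plain), parse_ehlo(ehlo_tls)
    result = {
        "starttls_offered": "STARTTLS" in before,
        "auth_before_tls": "AUTH" in before,
        "auth_after_tls": "AUTH" in after,
    }
    result["ok"] = (result["starttls_offered"] and
                    not result["auth_before_tls"] and result["auth_after_tls"])
    return result


def check_submission(host: str, port: int = 587) -> dict:
    """Live check of the exchange: plain connect, EHLO, STARTTLS with
    certificate verification, EHLO again. No credentials are sent."""
    ctx = ssl.create_default_context()   # verifies server cert and hostname
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)  # keywords are lower-cased here
        smtp.starttls(context=ctx)          # raises if STARTTLS not offered
        smtp.ehlo()                         # capabilities reset after TLS
        after = dict(smtp.esmtp_features)
    return {
        "starttls_offered": True,
        "auth_before_tls": "auth" in before,
        "auth_after_tls": "auth" in after,
        "ok": "auth" not in before and "auth" in after,
    }


# Constructed sample EHLO replies for offline use (not real server output).
WEAK_PLAIN_EHLO = (b"250-mail.example.test Hello\r\n250-AUTH PLAIN LOGIN\r\n"
                   b"250-STARTTLS\r\n250 8BITMIME\r\n")
GOOD_PLAIN_EHLO = b"250-mail.example.test Hello\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_EHLO = b"250-mail.example.test Hello\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
```

Running auth_policy(WEAK_PLAIN_EHLO, TLS_EHLO) flags the weak configuration (AUTH advertised before TLS), while auth_policy(GOOD_PLAIN_EHLO, TLS_EHLO) reports the policy the FAQ describes.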

If we are supposed to use port 587 for sending mail,
why does your documentation say to use port 465 with
older versions of Outlook and Outlook Express.

Unfortunately, until 2006 Microsoft software did not support using STARTTLS with the Message Submission port 587, and instead supported the non-standard port 465. This includes all versions of Outlook Express, and versions of Outlook up to Outlook 2003 SP1.

(For a few months in 1996-1997, Netscape's draft plan to introduce SSL to the Internet included a proposal that the Internet standards body assign port 465 for SMTP over SSL. However, the proposal for using port 465 was subsequently withdrawn in favour of using STARTTLS. Using port 465 for sending messages is thus not standards compliant. Currently port 465 is assigned for something completely different—a Cisco proprietary protocol known as URD which has nothing to do with e-mail.)

New Microsoft software--Outlook 2007, Outlook 2003 SP2 and higher, Windows Mail (the successor to Outlook Express exclusive to Windows Vista), and Windows Live Mail (currently in beta, the successor to Windows Mail and Outlook Express for Windows XP and Windows Vista)--support Message Submission port 587.

Patches are available for Outlook Express and older versions of Outlook, to add support for port 587 (e.g. see http://support.microsoft.com/kb/933612/en-us), but we did not want to get into the support issues involved.

For those using older versions of Microsoft software, our documentation says to use port 465.

Please don't use port 465 unless you have to. We'd like to retire it one day :-(

Many ISPs (e.g. Sympatico, Rogers, etc.) block sending of mail using port 25.
Will they block sending of mail using port 587 ?

Many consumer internet service providers block SMTP port 25 because this port is generally unauthenticated, and is commonly used by spammers and viruses. Also, SMTP is designed for post office to post office communication, and running servers, such as a post office, is often contrary to the provider's acceptable use agreement.

On the other hand, the Message Submission port 587 is normally authenticated, and is the internet standard protocol for e-mail client software to post office communication.

We are not aware of any consumer internet service provider intentionally blocking port 587.

How does using port 587 help in making sure my message isn't treated as SPAM ?

We have had problems with UTORmail customers who are travelling and sending e-mail messages using a laptop connected to the local hotel internet connection. The local hotel's internet provider frequently blocks SMTP port 25, forcing the customer to send mail via the local hotel's internet provider post office. Sometimes this local hotel post office has been used by other hotel guests to send SPAM, so the hotel post office is on internet lists of offending post offices. This has resulted in the mail sent by the travelling UTORmail customer being treated as spam by UTORmail, by other university post offices, and by other post offices. By configuring the laptop e-mail software to use UTORmail's port 587, this problem is avoided because you will be sending your messages via the UTORmail post office, not the local hotel's post office.

In addition, some world-wide post offices are beginning to frown on messages whose "From" address doesn't match the originating post office. For example, a UTORmail customer using a workstation at home to send messages whose "From" address is of the form firstname.lastname@utoronto.ca, and whose e-mail software is configured to use the Sympatico or Rogers post office for sending mail, may find that some recipient post offices assess the message as having a higher probability of being spam. Again, sending mail via the UTORmail post office, by using port 587, avoids this issue.

We have used port 143 for IMAP4. Why are we switching to using 993 ?

IMAP4 is used to read, flag, and delete messages you have received at the UTORmail post office. Port 993 is used for IMAP4 over SSL/TLS which will encrypt the communication including your password and message content.

Why aren't we using STARTTLS with IMAP4 ?

Unlike message submission, where STARTTLS is the only standards-based choice if SSL/TLS is desired, there is a standard port for message retrieval using IMAP4 over SSL, port 993. Furthermore, port 993 is used more widely than STARTTLS with port 143. (One reason is that some software only recently started to support STARTTLS with port 143.)

Another reason we ask customers to use port 993 is that we have SSL/TLS acceleration hardware to bring down the cost of encryption. Unfortunately, it currently supports IMAP4 over SSL/TLS port 993, but not STARTTLS with port 143.

Finally a secret: the UTORmail servers actually do support STARTTLS with port 143, but we are not documenting this because it increases our hardware costs, as described above.

Why are we switching from using postofficeNN.utcc.utoronto.ca
to smtp.utoronto.ca ?

We used to use postofficeNN.utcc.utoronto.ca to split customers over different servers. We now have a load balancer to assign customers to the least loaded server.

In addition, use of smtp.restofname.com seems to be widespread. For example, University of Washington uses smtp.washington.edu, Sympatico uses smtp.sympatico.ca, AOL uses smtp.aol.com, Gmail uses smtp.gmail.com, etc. Naming things in the same way as others will hopefully make it easier for technical staff to remember.

Note that it's "smtp" even though we are using the Message Submission port 587. (The Message Submission protocol is essentially the SMTP protocol with a different set of defaults.)

Are we also switching from using mailboxNN.utcc.utoronto.ca ?

We will keep using mailboxNN.utcc.utoronto.ca for accessing the right (IMAP4) message store server.

Customers are statically assigned to (IMAP4) message store servers. When a customer configures their IMAP4 server to be mailbox8024.utcc.utoronto.ca, they are actually indicating which server their mail is stored on. While it's possible for us to tell all our customers to use a DNS name like imap.utoronto.ca (as many other universities already do), and have front-end servers (running IMAP4 proxy software such as Perdition) which would automatically connect to the customer's message store, we would need additional hardware to do so.

Why aren't we using port 585 (IMAP4+SSL) ?

There has been a long period during which the Internet standards body recommended that those using port 585 switch to 993. Port 585 was finally de-registered by the Internet standards body April 25, 2006. UTORmail has never supported port 585.

Can desktop antivirus software be used to check incoming/outgoing
messages for viruses ?
Can Norton Antivirus email scanning be used ?

See WiscMail - AntiVirus Software Incompatible with SMTP Authentication http://kb.wisc.edu/wiscmail/page.php?id=2417

Norton AntiVirus email scanning is not compatible with Internet service providers using Secured Socket Layer protocol http://service1.symantec.com/SUPPORT/nav.nsf/b69c799adfa31ecc85256aa30052f4d0/b9b3275b6ba4647b88256acb00514e11?OpenDocument&prod=&ver=&src=sg&pcode=&svy=&csm=no

Why are we the only ones implementing this technology ?

The SUBMISSION port, SMTP AUTH, and STARTTLS for sending email have been widely deployed by many, if not most, Universities and ISPs (e.g. Rogers, Sympatico, Google Mail, etc.)

IMAP4 over SSL/TLS has been widely deployed by other universities. (Many ISPs don't support IMAP4 because they don't want the cost and headaches of customers storing e-mail at their post office. Google Mail is an example of an external provider which supports IMAP4 over SSL/TLS on port 993.)

What about IMAP before SMTP ?

UTORmail deployed IMAP before SMTP (and POP before SMTP) starting in August 1998.

Prior to around 1998, internet post offices, including UTORmail, did not require those off-campus to authenticate when sending mail. Because bad people were exploiting this to send SPAM, this "open relay" model of operation was widely replaced. Most institutions told their customers to use their local internet provider's post office when sending mail from off-campus.

Using IMAP before SMTP, UTORmail customers could keep using the UTORmail post office when sending mail from off-campus--they simply had to authenticate by opening their INBOX, before sending any messages.

This became less useful as internet providers started blocking SMTP port 25. For example, about 720 UTORmail customers who were using IMAP before SMTP in the days leading up to August 17, 2001 were cut off when Sympatico started blocking port 25 on that day.

UTORmail's Message Submission port 587 (with SMTP-AUTH) replaces all of the functionality of IMAP before SMTP.

What about POP3 ?

We encourage everyone to use IMAP4 not POP3.

We'd like to hear from everyone (send email to network.services@utoronto.ca) who still needs to use POP3—it is our intention to phase out POP3 over time.

(If you need POP3 and are in the process of contacting us, please use POP3 over SSL port 995 in the meantime. It probably works, but we have not tested it.)

Retrieved from http://www.utoronto.ca/ns/utormail/docs/pmwiki.php?n=UTORmail.TechnicalFAQ
Page last modified on July 23, 2008, at 11:55 AM