Secure IMAP/POP3 and SMTP FAQ

Q: What is the difference between secure mail access and the non-secure version?

A: The concept is similar to HTTP and HTTPS. Secure mail access establishes an encrypted connection between you and the server, so that no other person or machine can observe what you are transferring, including your password and email content.

Q: My email has no secrets at all, why should I use secure access?

A: Your password is. If your password is exposed, the person may gain control of your email account: logging in to your webmail system (and even changing your password to deny you access to your own account), grabbing all of your contacts and, most importantly, using your identity to send out malicious emails. You will get blacklisted, your business associates will make payments to the hackers’ bank accounts, or even receive emails containing ransomware from you.

Q: Why does my mail client warn me "the secure certificate is invalid" or "cannot verify server identity"?

A: That's because each secure certificate is verified against the server name that you connect to. If you connect to mail.your-domain.com, your mail application will warn you because the certificate belongs to a different name, such as *.agnx.com. You can safely accept the certificate coming from agnx.com as it is our global network exchange domain. Read more at "Why does my email client keep showing certificate warning?"
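The name comparison behind that warning, as an added example (not Lookafter's code): the client checks the host name you configured against the DNS names in the certificate. `mx1.agnx.com` is a made-up host used only as sample input, and `fetch_cert_names` is a hypothetical helper for reading the names from a live server on an implicit-SSL port.

```python
import socket
import ssl

IMPLICIT_TLS_PORTS = {993: "IMAP", 995: "POP3", 465: "SMTP"}  # ports named in this FAQ

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name covers hostname.

    A '*' is honoured only as the entire leftmost label and stands for exactly
    one label, so '*.agnx.com' does not cover 'agnx.com' or 'a.b.agnx.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covering_names(cert_names, hostname):
    """Certificate names that cover hostname (empty list: the client warns)."""
    return [n for n in cert_names if name_matches(n, hostname)]

def fetch_cert_names(host: str, port: int = 993, timeout: float = 10.0):
    """Read the DNS names from the server certificate on an implicit-SSL port.

    The chain is still validated against the system trust store; only the
    host name comparison is deferred so the names can be inspected.
    """
    if port not in IMPLICIT_TLS_PORTS:
        raise ValueError("use an implicit-SSL port: 993, 995 or 465")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
    return [value for kind, value in san if kind == "DNS"]

if __name__ == "__main__":
    # Constructed sample: the certificate name from the FAQ and two host names.
    cert_names = ["*.agnx.com"]
    for host in ("mail.your-domain.com", "mx1.agnx.com"):  # mx1 is made up
        hit = covering_names(cert_names, host)
        print(host, "->", "covered by " + hit[0] if hit else "no match, client warns")
```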

Q: Which secure connection should I use? SSL or STARTTLS?

A: In most cases, your mail client will decide which method is best. If you configure your mail client manually to connect to port 995 (POP3) or 993 (IMAP), SSL will be used instead of STARTTLS. If your configuration still uses a “standard port” like 110, 143 or 587, STARTTLS is the way to enable a secure connection on these ports. There is no “which is better” in this comparison; it all depends on your mail application's preference and your network firewall (some ISPs block access to SMTP port 25, and some corporate networks block all “insecure ports”).

Q: What is the difference between SSL and STARTTLS?

A: SSL is easier to configure as it is usually associated with a dedicated port number, although you need to get the port number right because SSL is assumed to be running on that port. You cannot connect to port 110 with SSL, for example, as that port is reserved for plain POP3 connections (the secure POP3 port is 995). STARTTLS, by contrast, is more advanced, since it is usually supported on the original ports (110 for POP3, 143 for IMAP, 25 and 587 for SMTP, etc.). Connections to these “standard ports” have to use STARTTLS, as it is more of a hybrid connection that starts as plain and switches to SSL after the connection is established. Lookafter offers both SSL and STARTTLS at the related ports.

Q: Do I need to use a more sophisticated password authentication method like CRAM-MD5?

A: Yes, if you are still connecting to your mail server without SSL or STARTTLS. It is not necessary (but still good practice) if you are already connected with SSL or STARTTLS. It is safe to use “plain” password authentication once your connection is secured.

Q: I don't have a STARTTLS option, so why does the connection to the standard IMAP/POP3/SMTP ports still work as SSL?

A: Some mail clients don't advertise or distinguish between SSL and STARTTLS. They simply label the connection as SSL, whether it is SSL or STARTTLS.

Q: I have an "SSL - accept all certs" option, should I use it?

A: Yes, it means the mail client will accept any certificate even if the host name does not match, which is generally fine. If you would like to set up your own SSL certificate for your own domain, kindly write to us at helpdesk@lookafter.com and we will assist you with that.

Q: Why is it that I can only use STARTTLS for SMTP port 587?

A: Due to legacy support, port 587 has been offered as an alternative to SMTP port 25, where only plain traffic is supported. To add security to port 587, it has to be offered via STARTTLS. There is an unofficial SSL port for SMTP at 465 (mostly for Microsoft mail clients and services) if you insist on using an SSL port instead.

Q: Why can't I use port 25 for SMTP?

A: If you have trouble setting up port 25 for SMTP, it is likely that your ISP or corporate network has blocked it to prevent abuse. Use port 587 instead.

Q: I am still on an old system and its mail application has limited support for SSL, should I be worried?

A: Make sure that you don't use the “plain” password authentication method (CRAM-MD5 is a good alternative), stay away from public networks (open Wi-Fi) and you should be fine.