PCUG DSL - Configuring Your Email Client Program

Why do I Need to Change the Configuration in My Email Program?

The PCUG DSL Service uses a server outside the PCUG network of servers. In order to send emails, ADSL subscribers will need to use the special authenticated email relay setup. This is necessary because the PCUG servers are protected from intrusion by unauthorised people.

ADSL Subscribers will need to configure their email program to use a secure connection. The details are set out below.

PCUG Authenticated Email Relay for Outgoing Mail

The details of the PCUG authenticated email relay are:

server name: smtps.tip.net.au - this is NOT a typo, it says "smtps" - please be careful typing this into your email program.

ports: 25, 465, or 587

On port 25, there is a normal mail server that also allows a client to switch to a secure connection (use the standard STARTTLS command).

On port 465, the secure connection must be established before the mail server will communicate at all.

Port 587 is the same as port 25 except you MUST establish a secure connection. Having port 587 available allows people to get around restrictions placed on outgoing connections to port 25 (by certain enlightened ISPs like TIP :-)). After establishing a secure (TLS) connection, the user can authenticate using their standard PCUG email username and password (not their special ADSL log-in ID and password).

The certificate that we use for the TLS (security) has been issued by CAcert.org, and the CA root certificate can be obtained from this web site if a user's mail client requires it. Otherwise, clients may just trust us (as they currently do with our web site).

If you do need to download the TLS security certificate, go to the CAcert web site and download the CA root certificate from the link in the second paragraph "please install our root certificate". You will see a pop-up window that says "Install the CAcert root certificate (followed by a long URL)". Download the installation file to a suitable location in your computer, which you can find later when you need it. The file will have this name (or one very similar) - "cacert.crt.cer". Make sure you know where the file is as you will need it later. If you use Eudora you may not need to do this - try without it first.

PCUG Secure POP (Incoming Mail) Server Configuration

The PCUG email servers also have the ability to support secure connections to the TIP server, for incoming mail, which means your login and password details can be protected. Without a secure connection these details are sent in the clear, which means they can potentially be snooped whilst in transit, if subscribers use dial-up or TransACT broadband and have not implemented the set up below. This is not of concern if you are accessing the server from the TIP networks (i.e. TIP dialin or TIP TransACT broadband), but is if accessed from elsewhere (i.e. via any other ISP, including the TIP Comindico ADSL service). If you are accessing the server from elsewhere, outside the TIP networks, you are STRONGLY ENCOURAGED to alter your mail client configuration to use a secure connection option, as outlined below.

There are actually two variants of this - depending on which mail client you use, typically one or the other is supported. In all cases you should specify the POP (Incoming Mail) Server host as:

POP Server Name: mailhost.pcug.org.au

Then look for one of the following options:

a) POP with STARTTLS (or STLS) support - on port 110
This is typically an option like "use STARTTLS command to start SSL session" and port 110 should be the default choice

b) POPS (which is POP over SSL) - on port 995
This is typically an option like "Use secure connection (SSL)" and port 995 should then be set as the default choice

Note that this uses a DIFFERENT server for the outgoing vs incoming email. This is correct. Otherwise you will need to configure your Outgoing Email SMTP server to be that of the ISP you are using.

Save and restart the mail client - you should then have secure access.

All of our main secure servers (POP, SMTP and WWW) now use certificates issued by CAcertifications. To stop warning messages annoying you, you should install the main CAcert Root certificate on your system, so it can then verify our (and various other organisations') certificates issued by them. Instructions for doing this on various systems are given at: CAcertifications Help

If you have any problems with the above configurations, please contact the TIP Help Team by posting to tip.help or emailing help@tip.net.au

------------------------------------------------------------------

How do I configure Outlook to use the service? (Thanks to Owen Cook for this information).

Before going further, if you have not already downloaded the CAcert root certificate, do so now. Once it is downloaded, double click on the file and select "Install Certificate". Allow the installation program to install the certificate in the correct location. Once that is done Outlook will recognise the security certificate in the PCUG servers as valid.

Outlook 2000 and Outlook Express 6.0 can both be configured to use the SAMS service. Win 95 with OE5.5 can also be configured. In either case:

* First change the settings for Outgoing Emails -
* From Tools/Accounts, select your default mail service and choose "Properties"
* On the "Servers" tab,
o set the Outgoing mail (SMTP) server to "smtps.tip.net.au"
o Make sure that "My server requires authentication" is checked and choose "Settings..."
- The choices offered at this point are: - "Use the same settings as my incoming mail server (default)", or "Log on using (UserID/Password)";
- Select "Log on using (PCUG email UserID/Password)";
- Select "Advanced";
- Change Outgoing Port to "465"
- Select "This server requires secure authentication".
- Note that the first time you send an email the server will ask for your Username and Password - use your PCUG email userID and password.

* Now check the settings for Incoming Email (no changes needed) -
o Use PCUG email userid to access your default receive mail, POP3, mailhost.pcug.org.au
o Select "OK".
* On the "Advanced" tab, make sure that "This server requires a secure connection (SSL)" is checked.
* Select "OK"
Outlook 2000 is now reconfigured to use the service (no need to restart it).

1. Leave settings for Incoming Mail the same - "mailhost.pcug.org.au". Please try to send an email to someone you know who will tell you whether it arrived or not. If you are asked for a password enter your PCUG email password. If the email does not go make a note of all error messages and seek help. Give all the error messages to Help.

2. If you have your email program set up to dial in automatically when you check mail, you will need to disable that setting.

NOTE: If you are changing from a dial-up account and decide to create a new ADSL mail account, be sure to go to Outlook Express Tools|Accounts|Old dialup account|Properties|General Tab and de-select "Include this account when receiving mail or synchronising". Otherwise the system may try to use dial-up as well as ADSL. But creating a new mail account should be unnecessary - the old one should work OK.

3. Restart Computer.

______________________________________________________

How do I configure Eudora to Use the Service?

First, in order to use the PCUG secure authenticated email relay, you must have Eudora version 6.1.1 or later and use either the Paid or Sponsored mode. Earlier versions and versions operating in Light Mode cannot connect with the PCUG authenticated email relay servers.

Next, you will need to decide if you will use your Dominant Personality for sending emails or set up a separate personality for that purpose. If you decide to use your Dominant Personality follow the instructions below. If you prefer to use a separate Personality for sending emails skip the next few paragraphs and go to the section which describes how to set up and configure a separate personality.

Using Your Dominant Personality for Sending Emails

Go to the Tools menu in Eudora - click on "Tools" in the menu bar, then scroll down to "Options". Scroll down the "Category" list on the left and select "Sending Mail". In the right hand column first go to the box called "SMTP server:" and replace "mailhost.pcug.org.au" with "smtps.tip.net.au". Next, select "Allow authentication". In the selection against "SMTP Relay Personality:" select "Dominant". Under "Secure Sockets when Sending" select "Required, Alternate Port". Click OK.

Next try to send an email to someone you know who will tell you whether it arrived or not. SMTP authentication should operate automatically in Eudora. If you have followed the instructions in the paragraph above, Eudora will attempt authentication to the PCUG server. (Eudora's preferred SMTP authentication method is CRAM-MD5. If CRAM-MD5 is not available, LOGIN or PLAIN will automatically be used. The PCUG server does not use CRAM-MD5, but does use LOGIN or PLAIN.)

Once Eudora discovers that your SMTP server allows authentication, when you send messages, a dialog box appears that prompts you to enter your PCUG email password. If the email does not go, make a note of all error messages. If the error message is - "Certificate Error: Cert Chain not trusted. Try adding this certificate to your certificate database for SSL to succeed Unknown certificate chain validation error: Code(0)", follow the instructions in the next paragraph.

After you have tried to send an email go to "Personalities" in Eudora - either in the panel which shows all personalities you have created, or by selecting Tools then Personalities. Once in "Personalities", select "Dominant" then right click. Left click on "Properties" then press the button "Last SSL Info". A new window will open which lists information about your attempt to connect. Press the bar at the bottom of the window "Certificate Information Manager". The Certificate Information Manager window will open. At the top of the window there should be a certificate showing under "Server Certificates" - "Root CA, , CA Cert Signing Authority, support@cacert.org". Select that certificate and then press the "Add to Trusted" button. The certificate will now appear under the heading "User Trusted Certificates" and the entry above it - under "Server Certificates" now shows a smiley face and "smtps.tip.au". You have now activated the secure authentication.

You should now be able to send emails through the PCUG authenticated email relay. Try again to send an email. If you see any error messages note down all the details and seek help. Give all the error messages to Help.

Once you have secure authenticated email relay set up, each time you restart Eudora the first time you send an email through the SMTPS server you will be asked to re-enter your PCUG email password. This is necessary for authentication reasons.

Create a New Personality for Sending Emails

To create multiple personalities in Eudora, go to the Tools menu, select Personalities. A window will appear listing your Personalities. Right click and select New. Create a personality which will use your PCUG email username and password to send mail. A new window called "Create New Account" will appear. In the various fields enter -

* a short name for the personality in the Personality Name field,
* your name in the Real Name field,
* your PCUG email address in the Return Address field,
* your PCUG email username in the Login Name field,
* "smtps.tip.net.au" (without the quotes) in the SMTP Server field,
* leave Default Domain empty unless you normally use that field,
* select your usual stationery in the Default Stationery field,
* select your usual signature file in the Default Signature field,
* under "Secure Sockets when Sending" select "Required, Alternate Port".

Make sure the "Check Mail" box in the lower left hand corner is unchecked if you do not wish to check mail on this email account. If you do plan on using this personality to check mail select the "Incoming Mail" tab and enter the POP server "mailhost.pcug.org.au". Click "OK" when you are finished.

Now go back to the Tools menu, Options, click Sending Mail. In the window in the right column, in the "SMTP Relay Personality" field choose the personality previously set up for the SMTP relay from the menu. (None is the default.) Click "OK".

Note: All messages sent from each of your personalities will use the email address for that selected personality. It will not use the email address for the specified "SMTP Relay Personality". For example, if you bring your computer to work, you can easily change your SMTP relay to a personality which uses a different ISP to send mail through your work connection. Or you can set the SMTP relay personality to "None" so that you can send mail using the settings specified for each personality.

Next try to send an email to someone you know who will tell you whether it arrived or not. SMTP authentication should operate automatically in Eudora. If you have followed the instructions in the paragraph above, Eudora will attempt authentication to the PCUG server. (Eudora's preferred SMTP authentication method is CRAM-MD5. If CRAM-MD5 is not available, LOGIN or PLAIN will automatically be used. The PCUG server does not use CRAM-MD5, but does use LOGIN or PLAIN.)

Once Eudora discovers that your SMTP server allows authentication, when you send messages, a dialog box appears that prompts you to enter your PCUG email username password. If the email does not go, make a note of all error messages. If the error message is - "Certificate Error: Cert Chain not trusted. Try adding this certificate to your certificate database for SSL to succeed Unknown certificate chain validation error: Code(0)", follow the instructions in the next paragraph.

After you have tried to send an email go to "Personalities" in Eudora - either in the panel which shows all personalities you have created, or by selecting Tools then Personalities. Once in "Personalities", select "Dominant" then right click. Left click on "Properties" then press the button "Last SSL Info". A new window will open which lists information about your attempt to connect. Press the bar at the bottom of the window "Certificate Information Manager". The Certificate Information Manager window will open. At the top of the window there should be a certificate showing under "Server Certificates" - "Root CA, , CA Cert Signing Authority, support@cacert.org". Select that certificate and then press the "Add to Trusted" button. The certificate will now appear under the heading "User Trusted Certificates" and the entry above it - under "Server Certificates" now shows a smiley face and "smtps.tip.au". You have now activated the secure authentication.

You should now be able to send emails through the PCUG authenticated email relay. Try again to send an email. If you see any error messages note down all the details and seek help. Give all the error messages to Help.

Once you have secure authenticated email relay set up, each time you restart Eudora the first time you send an email through the SMTPS server you will be asked to re-enter your PCUG email password. This is necessary for authentication reasons.

If when trying to send an email you get a message from your virus checker and the email does not go, you may need to disable virus checking on sending emails. See the instructions for your virus checker.

If you try to send an email using the PCUG authenticated email relay but it fails to go and you get this message - "Authenticated SMTP, Connecting to the Mail Server ...., EHLO (your computer name).pcug.org.au [time in 24 hour minutes and seconds] SSL Negotiation Failed: You have configured this personality/protocol to reject any exchange key lengths below 0. , But the negotiated exchange key length is -1 Hence this established secure channel is unacceptable. Connection will be dropped. Cause: [2023]". The problem is due to Eudora not trusting the PCUG certificate. Make a note of exactly what you did and seek help.

---------------------------------------------------------------------------------------

Some FAQ About Authenticated Email Relay

Q: Can I only use this service when calling from outside?
A: No, you can use it from anywhere. This means that you won't need to reconfigure your mail client depending on where you are.

Q: Why might I have problems using the service?
A: Anti-virus and/or firewalling software installed on your computer may cause you problems. If Norton Anti-Virus is configured to scan outgoing mail, for example, you might get the failure message "SMTP server 'STARTTLS' command ref: 500 unsupported command" or "SMTP Server 'STARTTLS' command reply 454 TLS not available due to temporary reason" when you try to send your mail through the service. The workaround in this case is to disable the scanning of outgoing mail.

Q: I do not use any of the email clients you list above. Can I still use this service?
A: If your email client is capable of doing so - yes. There is a list of mail clients that support authentication here: "http://www.melnikov.ca/mel/devel/SASL_ClientRef.html" (it is a little out of date, but gives some indication). If your email client is listed go to the Help file or ask Support for that client for help.
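
The port rules for the relay, the note that the server accepts LOGIN or PLAIN, and the STARTTLS failure described in the FAQ, as an added example (this is not PCUG's or any mail client's own code). The function names, the constructed EHLO replies and the PEM-format CA file are assumptions made for illustration.

```python
import smtplib
import ssl

HOST = "smtps.tip.net.au"      # relay name given on this page
IMPLICIT_TLS_PORTS = {465}     # TLS handshake before any SMTP traffic
STARTTLS_PORTS = {25, 587}     # plain greeting first, then STARTTLS

# Constructed EHLO replies (not captured from the real server).
EHLO_BEFORE_TLS = "250-relay.example\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_AFTER_TLS = "250-relay.example\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
EHLO_STRIPPED = "250-relay.example\r\n250 8BITMIME"   # STARTTLS filtered out


def parse_ehlo(reply):
    """Turn a multi-line EHLO reply into {KEYWORD: [parameters]}."""
    features = {}
    for line in reply.splitlines()[1:]:    # first line is only the greeting
        words = line[4:].upper().split()   # drop the "250-" / "250 " prefix
        if words:
            features[words[0]] = words[1:]
    return features


def next_step(features, tls_active):
    """Pick the next command; LOGIN and PLAIN are never sent without TLS."""
    if not tls_active:
        if "STARTTLS" in features:
            return "STARTTLS"
        return "ABORT"                     # do not fall back to cleartext AUTH
    for mech in ("CRAM-MD5", "LOGIN", "PLAIN"):   # Eudora's order per the page
        if mech in features.get("AUTH", []):
            return "AUTH " + mech
    return "ABORT"


def connect(port, cafile=None, host=HOST):
    """Open a certificate-verified session to the relay (needs network).

    cafile: path to the downloaded CAcert root in PEM form (assumption);
    None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + name
    if port in IMPLICIT_TLS_PORTS:
        return smtplib.SMTP_SSL(host, port, timeout=15, context=ctx)
    if port not in STARTTLS_PORTS:
        raise ValueError("relay only listens on 25, 465 and 587")
    conn = smtplib.SMTP(host, port, timeout=15)
    conn.ehlo()
    conn.starttls(context=ctx)   # raises SMTPNotSupportedError if not offered
    conn.ehlo()
    return conn
```

Here connect() insists on STARTTLS on port 25 as well, which is stricter than the relay itself requires on that port.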


All Suggestions for improvement or correction to this document will be welcome - send to email address below.

If you need help email - "help@tip.net.au"


Revised at 20 August 2004