How can we improve?

Add ability to force SSL/TLS connections for all authenticated users

Currently the only option available is to force MSA clients to use SSL/TLS, but should be an option for all authenticating clients. TLS uses the standard ports, so they cannot currently be forced to use encryption. Any authenticated POP, IMAP and SMTP should be subject to this.

4 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
You have left! (?) (thinking…)
Brian shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

Hello Brian,

Thanks for sharing your ideas to force SSL/TLS for all clients. We will look into adding options for force TLS/SSL for IMAP and POP clients in a future version. One option to force POP and IMAP users to use SSL is to only allow the SSL ports for these protocols through the firewall. Another option is to turn off support for plain text passwords. This will force the users to choose a secure means of transmitting the password which are either the use of Cram-MD5 or an SSL/TLS connection. Forcing the use of SSL/TLS on port 25 may result in other servers not being able to send you email, but it is possible to do using the STARTTLS Required List.

Thanks,

Arron

2 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
  • AdminArron Caruth (Director of Product Development, Alt-N Technologies) commented  ·   ·  Flag as inappropriate

    Hi Brian,

    Does disabling the option to allow plain text passwords not work for you? You can also disable the use of APOP and CRAM-MD5 authentication which means the only way you can authenticate is by using an SSL/TLS connection.

    If you'd like help setting this up, please contact our support team for assistance. All of our support options are available at http://www.altn.com/support.

    Arron

  • Brian commented  ·   ·  Flag as inappropriate

    This is still something I'd really like to see. When a login is attempted and TLS or SSL is not in use, drop the connection, refuse the login.
    In my company it's a requirement. We can spot the mis-configured IMAP users easily, but finding all of the POP and SMTP users without SSL or TLS is difficult and time-consuming, and has to be repeated every couple of weeks.
    I've looked at forcing ports but it is problematic for several reasons.
    I'd even settle for a report at this point.

Feedback and Knowledge Base