Difference between revisions of "Email - Setting up E-mail clients for SME 8.0"
RayMitchell (talk | contribs) (certificate store workaround) |
RayMitchell (talk | contribs) (update text) |
||
Line 137: | Line 137: | ||
===Older versions of Outlook and Certificates=== | ===Older versions of Outlook and Certificates=== | ||
− | Older versions of Microsoft Outlook - 2003 and earlier - do not have the ability to install certificates, so you will only see a ''''Do you want to use this server'''' query and would have to answer it every time you try to send email after restarting the program. To get round this you need to install the certificate directly into Internet Explorer because it is the certificate routine from IE that is used by Outlook. To do this: open Internet Explorer and type in the URL for your server manager - | + | Older versions of Microsoft Outlook - 2003 and earlier - do not have the ability to install certificates, so you will only see a ''''Do you want to use this server'''' query and would have to answer it every time you try to send email after restarting the program. To get round this you need to install the certificate directly into Internet Explorer because it is the certificate routine from IE that is used by Outlook. To do this: open Internet Explorer and type in the URL for your server manager - https://www.mymaindomainname.com/server-manager [in this case https://www.theformsonline.com/server-manager]. This will give a security challenge screen... |
Revision as of 03:48, 24 October 2015
Why This Is Needed
From SME 8.0beta6 onwards, unauthorised access to SMTP on Port 25 has been prevented, by design, even for users in the local network, and replaced with SSL-authorised access on Port 25. The result is that setting-up clients to successfully authorise against SME-Server SMTP has become a little complicated. This Howto is intended to give step-by-step instructions using Microsoft Outlook 2010 as an example. The same procedures should apply to most Email Clients, although the locations of the settings may vary.
Thanks
This Howto could not have been written without the help and advice of 'byte.' He doesn't identify himself in his profile in the forums, but he is owed a pint or two next time he hits rural Suffolk!
Assumptions
This Howto has been tested on systems where the SME server is used as the outgoing SMTP server for the network (ie directly connects to other Internet mail servers), & on systems with a Smarthost configured (ie SME server SMTP mail server sends mail via the ISPs mail server). The fundamental principle is to allow clients to authorise to the SME Server before mail is accepted for transmission.
Things to do in the Server Manager
Configure Common Name for self signed Certificate
With secure connections being made to the SME server for mail & browsing, the domain name presented on the security certificate can cause some devices/users not to allow the connection when presented with "scary" warning messages.
To avoid this, SME server can be configured to present a security certificate to users & devices that matches the real world domain name. It is good practice to change the CommonName setting for the SSL certificate rather than use the default servername.domain.com. The default servername.domain.com does not resolve correctly when used in mail client devices that are external to the LAN, so a better choice is to configure all mail clients, whether they are internal or external, to use the same mail server format of www.mymaindomain.com. These settings allow mobile users to use their devices internally on the LAN or externally without needing to change configuration settings in the devices
Login to the command prompt aa root user or user with root privileges. Issue the following comamnds, where the domain name you use is the main domain name configured in the admin Console, "Configure this server" option eg www.mymaindomain.com
config setprop modSSL CommonName www.mymaindomainname.com expand-template /home/e-smith/ssl.key/key expand-template /home/e-smith/ssl.crt/crt signal-event post-upgrade signal-event reboot
Allow SSMTP
Login to the server manager at http://your_server_address/server-manager and click on the menu item Email. Then click the button labelled 'Change e-mail reception settings.'
Change 'SMTP authentication' to 'Allow both SMTP and SSMTP' and save the new settings.
Things to do in Outlook
Make sure the Fully Qualified Server Name is used
Make sure you change the Common Name setting for the Certificate (as detailed above). This is necessary so that the SME Server's self-signed security certificate uses a name that is legitimate for both internal clients & external clients (LAN & WAN). Servers described by IP addresses will cause Outlook to require that the certificate be accepted again every time the program is restarted and will play havoc with automatic email use. The FQDN should be the publicly accessible domain name for your server eg www.domain.com.
Click 'File' then 'Account Settings' and then the drop-down 'Account Settings' button.
In the 'Account Setings' dialogue, highlight an email account and click the small 'Change' button above.
In the first page of the dialogue that results, make sure that both incoming and outgoing servers are entered as the fully qualified name of your server. Recommended good practice is to use the form - 'www.mymaindomainname.com' [ or .co.uk, .org etc.] and will be as shown in the Server Manager Review Configuration screen, towards the bottom of server manager. It is no longer recommended to use servername.domain.com, as that causes problems on clients used externally, whereas www.domain.com will work satisfactorily in all cases.
The Change Account dialogue is shown below with the fully qualified server name in both incoming and outgoing server settings. The Incoming & Outgoing server settings shown in the following screen image, should be changed to www.theformsonline.com. When a new image is available this document will be updated.
Set encryption and authorisation parameters
Now take the tick out of the 'Test Account Settings by clicking the Next button' item on this page and click 'More Settings.' Then click the 'Outgoing Server' tab in the resulting dialogue and make it look like the figure below.
Some later versions of Outlook do not allow you to disable the 'Test Account settings'. In this case you need to temporarily turn off the header checks in the smeserver in order that the test email is accepted. This message in the forums has the details of what you should do: http://forums.contribs.org/index.php/topic,50838.msg256671.html#msg256671
Current recommended good practice is to use secure connections eg typically on port 465 (secure SMTP), port 993 (secure IMAP) & port 995 (secure POP), although some situations & protocols require different ports eg 587. Current recommended good practice is to configure email clients to use secure SMTP & secure IMAP, so that users can access their mail from any device (mobile phone, tablet, notebook, desktop etc), anywhere (LAN or WAN), & all changes made on one device will update the mail server, so when using another device the same changes are seen. Use of the POP mail protocol has severely declined with the advent of mobile devices.
Now click the Advanced tab and change the settings for the Outgoing Server to those shown below - ie Incoming server (POP3) Port 995, Outgoing server Port 465, & if IMAP is being used Incoming server (IMAPS) Port 993, and Auto encryption - and save the settings with 'OK,' 'Next,' 'Finish' and 'Close.' Then shut Outlook down. When a new screen image is available this document will be updated.
Encryption Settings in Older versions of Outlook
Versions of Microsoft Outlook from 2003 and earlier do not have the multiple-choice dropdown for encryption type; instead they have a single tick-box labelled 'This server requires a secure connection (SSL),' Put a tick in the box, as shown below, and it will work perfectly. The following screen image is to be updated to show secure ports, when a new image is available.
Thats all of the settings done. Now you have to link Outlook to your server's self-issued security certificate.
A Question of Security
What to do about your Security Certificate
A workaround to enter the self signed security certifcate onto your client, is to open a browser, in this case as the email client Outlook is a Microsoft product, then open Microsoft Internet Explorer (or equivalent MS browser) & go to https://www.yourmaindomainname.com & accept the certificate for the first time. The certificate is entered into the trusted store & during further use you will not be challenged for an untrusted certificate. There are a lot of changes currently happening with Microsoft operating systems etc, & browsers are changing, so this workaround may no longer apply on newer systems. Obviously when using other mail clients eg Thunderbird, then follow appropriate instructions.
For Outlook, use the following instructions where necessary.
The next time you start Outlook, compose a new email and run 'Send and Receive,' Outlook will ask you whether you are happy to use the server: the dialogue is shown below...
Click 'View Certificate' and a Window like this will appear... Note that the screen image to be updated, should show www.theformsonline.com
Note that the fully qualified server name appears twice.
Click 'Install Certificate' to get this dialogue...
Click 'Next' and you will see...
Don't change any settings. Just click 'Next' - it gives this dialogue...
Click 'Finish' to go to this result... Note that the screen image to be updated, should show www.theformsonline.com
And tell it you want to do it anyway by clicking 'yes,' which will install the certificate and report the result...
At this stage the 'Do you want to use this server' dialogue may have timed out and given you a send-failure notice. Not to worry! Just hit 'Send and receive' again [F9], and say 'Yes' to the 'Do you want to use this server' question.
That's it! Outlook can now authenticate itself to your SME SMTP Server and send emails.
Older versions of Outlook and Certificates
Older versions of Microsoft Outlook - 2003 and earlier - do not have the ability to install certificates, so you will only see a 'Do you want to use this server' query and would have to answer it every time you try to send email after restarting the program. To get round this you need to install the certificate directly into Internet Explorer because it is the certificate routine from IE that is used by Outlook. To do this: open Internet Explorer and type in the URL for your server manager - https://www.mymaindomainname.com/server-manager [in this case https://www.theformsonline.com/server-manager]. This will give a security challenge screen...
Click 'Continue to this website (not recommended).' and you will reach the Server Manager login screen. The address bar at the top of this window will be pink coloured, with a notice button at the right hand end saying 'Certificate error.'
Click it and you will see a very similar certificate installation routine to the one described in Section 6.1, 'What to do about your Security Certificate,'
above - the dialogues look a little different but they follow exactly the same sequence.
Other Domains
Repeat as required
If you have more than one domain on your server, with accounts set up in Outlook, you will need to change the settings shown in 'Section 5,' 'Things to do in Outlook,' for each of them.
Things to Follow-Up
Self-signed certificates have dates incorporated. Does this mean that the installation of the Security Certificate will need to be repeated annually? If so it's a pain, especially for administrators with a lot of workstations to look after.
Perhaps it would be better for SME Server to switch to Port 587 transmission, which the is the recommended port in the SMTP standards and does not require client installation of certificates in order to function.
Disable encryption/authentication of mail when relaying
Bugzilla: 6523, Bugzilla:6522
Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.
config setprop qpsmtpd RelayRequiresAuth disabled signal-event email-update
Configuring Thunderbird clients
Here are the basic abbreviated configuration settings you need for Thunderbird, refer
http://forums.contribs.org/index.php/topic,50554.msg254632.html#msg254632
& numerous other forum posts for additional details
Setting up IMAP accounts in Thunderbird works satisfactorily (as of December 2013), using the following generic procedure:
Use manual setup (instead of automatic)
Specify Connection Security = SSL/TLS
Specify the SSL ports ie IMAPS = 993, SMTPS = 465 (instead of relying on TLS for correct settings)
Specify authentication method = Normal Password
At some point accept the server's self-signed certificate.