Configuring SecureEmail for SSL connections
The following instructions for configuring CSE for SSL connections apply only to Network Level Mode.
If your mail server requires an SSL connection for encryption and/or user authentication purposes, then you need to take the following additional steps:
- Switch off SSL connections in your mail client;
- Make sure your mail client is configured to connect using the correct ports;
- Switch on SSL connections in the 'Protocols' section of Comodo SecureEmail so it can handle the secure connection to the mail server instead of the client. (See this FAQ for a graphical explanation of SecureEmail's positioning at the network layer).
Note: Disabling SSL in your mail client and enabling it in CSE applies only for network level mode. To configure CSE for SSL connections for 'Outlook Only Mode', you have to enable SSL in your mail client.
Switch off SSL connections in your mail client
To switch off SSL connections in Outlook and Outlook Express
1. Open Outlook/Outlook Express.
2. Select Tools > Email accounts....
3. Select 'View or change existing accounts'. (CSE will have imported the port settings for any existing mail account)
4. Choose the account you wish to modify and click 'Change....'
5. Click 'More Settings.....'
6. Next, click the 'Advanced' tab. Make sure:
- Both '....encrypted connection (SSL)' boxes are NOT checked (see graphic below)
7. Set '995' for the POP3 port and '465' for the SMTP port. These are the most widely used default port numbers for SSL connections (see graphic below).
Switch on SSL connections in the 'Protocols' section of Comodo SecureEmail
To enable SSL connections in Comodo SecureEmail you need to configure both POP and SMTP in the 'Protocols' section of the application:
1. Open the SecureEmail configuration interface by clicking 'Start > Comodo > SecureEmail > SecureEmail Configuration'
2. Click the 'Protocols' button on the left hand menu
3. Choose 'Post Office Protocol (POP)' from the list of protocols and click 'Properties'
- If you wish to modify an existing account for SSL connectivity then select the target account and click 'Edit......'
4. If you wish to add a new mail account that requires SSL connectivity, then click 'Add Port...'
5. This will open the port configuration screen for that protocol (see below)
6. If required, type a friendly name for the port setting (e.g. Friendly Name = 'My Secure POP Connection')
7. Type '995' in the 'Server Port' field
8. Check the box 'Connect to the server over a secure connection (SSL)' to enable SSL connectivity
9. Next, you must enter the full name of your mail server in the 'Mail Server' field (e.g. mail.example.com). This is used to authenticate the mail server against the common name (CN) field of the mail server certificate and thus correctly establish the trust relationship. If you are 'editing' an existing port then this field will usually be pre-populated with the name of the mail server for that port. If you are adding a new port then you will need to type the name of your mail server here.
10. If you have two accounts connecting to the same server port (for example, port 995), but only one of those accounts requires an SSL connection, then you need to specify a different email client port for that account in order to avoid errors. To do this, check the box 'Use a different email client and server connection port' and type a (random unused) ephemeral port number (1024 through 4999), e.g. 1994. Comodo SecureEmail will still connect to server port 995 for both accounts but will only establish an SSL connection for the account with the email client port number of 1994. In addition, if you have more than one secure connection, set a different email client port for each secure connection to enable Comodo SecureEmail to establish trust with the correct server certificate.
11. Click 'OK' to confirm your choices. You will be returned to the 'POP3 Properties' dialog. The 'SSL' column now indicates that a secure connection is being used on the client email port for that account.
12. Repeat the process for the SMTP protocol. For SMTP, you should type '465' in the 'Server Port' field.
13. If necessary, repeat the process for the IMAP protocol, using '993' as the default SSL server port.
Notification of Secure Connection
Once you have set up an SSL connection as outlined above, SecureEmail will attempt to authenticate the mail server every time you connect to it to send or receive mail. If the certificate on the mail server was issued by a trusted Certificate Authority (CA) such as Comodo or Verisign then you will see a Gold Padlock on the pop-up notification, indicating that (i) you have established a secure, encrypted connection to the mail server and (ii) the company that owns the mail server has been validated by a trusted third party (a certificate authority). The image below-left shows a typical SSL connection to a mail server with a certificate issued by a trusted Certificate Authority:
Images: Trusted Authority (left); Untrusted Authority, e.g. self signed certificates (right)
If the padlock has a red circle with a white exclamation mark over it then this indicates that there is a problem with the authentication process (see image above-right). This could be for many reasons, but the most likely are:
- The host names do not match. Hover your mouse over the padlock to view the mail server certificate details. Check that the host name shown here matches the one you configured in SecureEmail and your mail client;
- The certificate on the server has expired (Comodo offer a full range of SSL certificates suitable for securing corporate mail servers - including Unified Communications Certificates for Exchange 2007 servers. See EnterpriseSSL.com for more details);
- The mail server is using a certificate signed by an untrusted certificate authority, including self signed certificates (these certificates are usually created and deployed by the mail server administrator). The connection to the mail server is still encrypted but, because the certificate was not issued by a recognised CA, it is not possible for SecureEmail to verify that the mail server is operated by a trustworthy organization. Comodo SecureEmail will advise you that you are about to make a secure connection to a mail server that has an untrusted certificate with the following dialog:
If you are sure that it is safe to connect to the mail server (for example, you have a pre-established trust relationship) then click 'Yes'. If you do not wish to connect to the mail server, click 'No'. If you are a network administrator and would like to purchase a fully trusted, Comodo SSL certificate for your company's mail server, then please visit EnterpriseSSL.com.
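The three causes listed above can be checked by hand when the padlock shows a warning. The following is an added example, not part of the original guide and not SecureEmail's own code: it applies the same three checks to a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The sample certificates and the function names are constructed for illustration, and the name check goes beyond the CN comparison described in step 9 by preferring subjectAltName entries when the certificate has them.

```python
import ssl
import time

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName first, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_mail_cert(cert, configured_host, now=None):
    """Return the problems found, using the three causes named in the guide."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(n, configured_host) for n in cert_names(cert)):
        problems.append("host name mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Issuer equal to subject means self-issued; a heuristic, not chain validation.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-issued")
    return problems

# Constructed sample data, not taken from a real server.
CA_SIGNED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notAfter": "Dec 31 23:59:59 2010 GMT",
}
SELF_SIGNED = dict(CA_SIGNED, issuer=CA_SIGNED["subject"])

if __name__ == "__main__":
    t = ssl.cert_time_to_seconds("Jun  1 00:00:00 2010 GMT")
    print(check_mail_cert(CA_SIGNED, "mail.example.com", t))
    print(check_mail_cert(CA_SIGNED, "pop.example.com", t))
    print(check_mail_cert(SELF_SIGNED, "mail.example.com", t))
```

The host name passed in should be the value typed in the 'Mail Server' field, since that is the name the certificate is compared against.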
Comodo SecureEmail User Guide | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.