Phase 2 of securing email at Grinnell
Moving forward with securing email communications
at Grinnell College
ITS is ready to deploy the next stage in securing email at Grinnell College.
We are deploying secure IMAP connections over SSL and secure SMTP via TLS over
SSL.
We are implementing the changes on Wednesday, January 31, 2007.
Why is ITS making these changes?
What email clients work with the changes?
What settings do I need to change?
Final set of changes to take place later.
Why is ITS making changes to the IMAP and SMTP connections?
Secure IMAP will encrypt your password when connecting to the mail server to
retrieve email. Other than the change to a secure transmission of your password,
this change will not affect the way you use the connection.
Secure SMTP will allow for increased flexibility for off-campus access to email.
We currently only allow SMTP connections to our mail servers while on campus.
This connection is made without a password, and relies on an IP address to determine
whether to allow mail to be sent or not. To use an IMAP client from off campus,
you have needed to use your ISP's mail server to send email out from
your Grinnell account. This was a problem for laptop users connecting at various
wireless hotspots: to send email successfully, they needed to confirm
which ISP they were connecting to and reconfigure the outgoing mail server accordingly.
With the change, you will be able to use the college's SMTP mail server anywhere
you are connected. You will be required to use your username and password to
authenticate, and that authentication will be over SSL. A port change is also
needed, as SMTP is traditionally transmitted over port 25. Port 25, however, is
limited by most ISPs to only connecting to their own mail servers (similar to the
SMTP deployment we are replacing). To get around this, we are changing the SMTP
port to 587. This will allow your mail client to connect to our mail server,
and bypass the port 25 filtering put in place by ISPs.
What email clients work with the changes?
Our testing has shown that most modern mail clients are able to successfully
use both a secure IMAP connection via SSL and SMTP via TLS over SSL.
Clients that have been tested and work include Mozilla Thunderbird for the PC,
Mac and Linux, Microsoft Outlook for the PC, Macintosh OSX's built-in mail client,
and Microsoft Entourage for the Mac.
The notable exception to this is Microsoft Outlook Express for the PC.
This program is NOT able to send mail through our servers using both port 587
and SSL with password authentication.
What settings do I need to change?
The changes needed for secure IMAP are:
a) select to use SSL for the connection. This in turn should automatically change
the IMAP port being used for the connection from port 143 to 993.
Please note that SSL is not the same as "Secure Password Authentication";
do not choose "Secure Password Authentication".
b) make sure the server address is set to imap.grinnell.edu. If it is not, change
it to connect to imap.grinnell.edu.
The changes for secure SMTP are:
a) select to use a username/password. The username will be your Grinnell network
username (not full email address) and your password will be your Grinnell network
password.
This will be similar to how you already have IMAP configured, so consult
the settings you have there for reference if needed.
b) select to use SSL for the connection, unless TLS is a choice. If TLS is
a choice, choose it over SSL.
Please note that SSL is not the same as "Secure Password Authentication";
do not choose "Secure Password Authentication".
c) change the port used from port 25 to port 587
d) change/set the outgoing mail server (SMTP) to be smtp.grinnell.edu
A final step in securing our mail communications
will take place later this semester (DATE TO BE DETERMINED), once we have determined
that users have successfully made the changes noted above.
We will implement an SPF record in DNS. This will tell other mail
servers who is authorized to send email on behalf of @grinnell.edu
email addresses. While this will not completely eliminate
spoofing of Grinnell email addresses (as not all sites are enforcing SPF
records yet), it will move us into compliance in that avenue, and
help us do our part in fighting the war on spam and email phishing.