Secure email sending with Thunderbird?

2

In the Thunderbird 3 SMTP configuration dialog, there's a security section:

Thunderbird sending mail dialog

If I want to send email without naughty hackers intercepting it, what should I choose? The "Connection security" options are "None", "STARTTLS" and "SSL/TLS" - which is best?

Do I need an authentication method, or is that just for the mail server to know who I am? (if so I don't care about this, since I can already send email without problems.)

Colen

Posted 2011-05-04T17:31:51.753

Reputation: 872

Answers

2

First you need to know if your mail server is capable of or even allows you to send mail through SSL (Secure Sockets Layer) or TLS (Transport Layer Security) modes.

Basically the options break down to this:

  • None
    No encryption on the outgoing emails. They will be sent as plain as day between you and the server.

  • STARTTLS (formerly TLS in Thunderbird 2)
    The mail client will ask the server if it's possible to send through using TLS and if so, use the secure method. If not, silently fail and send through as a normal plain connection.

  • SSL/TLS (SSL in Thunderbird 2)
    Similar to above, but it assumes you can already send through using the secure mode and attempts to do so. If you're not allowed, it will fail and not send. This is the most secure method.

If you're told to use port 465 for outgoing and 995 for incoming then you're likely able to send through SSL.

random

Posted 2011-05-04T17:31:51.753

Reputation: 13 363

1

This answer is wrong. Both methods are equally secure: neither delivers the message if TLS is not available on the server. The difference is only about when TLS is negotiated. See http://forums.mozillazine.org/viewtopic.php?f=39&t=2730845#p12979925

– ARX – 2019-02-21T21:52:32.453

Does the security here apply to everything, including actually sending the email? So as long as I have it set to SSL/TLS, I can be sure that my email is being sent securely? – Colen – 2011-05-04T20:01:47.187

This is for the link between your machine and the server. After that, who knows. But look into PGP as mentioned in smintz's answer. @col – random – 2011-05-04T20:18:20.627

3

It depends on your server's configuration. You cannot just decide to use encryption if your server doesn't support it.

However, this is only about the authentication and the communication between you and your mail server; the message will be transmitted as plain text from your mail server to the next one. So this only concerns preventing someone from stealing your password with a "man in the middle" attack.

If you are concerned about the content of your message being secured, you will have to encrypt the content of the message. I recommend using the Enigmail plugin (GPG implementation for Thunderbird); be aware that the recipient should provide you his public key.

smintz

Posted 2011-05-04T17:31:51.753

Reputation: 1 086

1

+1 for Enigmail. I was in the middle of writing my own recommendation when this one popped in. Links: http://enigmail.mozdev.org/ for the Enigmail plugin, and http://gnupg.org/ for the GnuPG back-end.

– Iszi – 2011-05-04T17:56:02.973

2

It all really comes down to what your e-mail provider offers. Some offer encryption out the ears, others practically enforce using Telnet over a 300 baud dial-up modem.

Obviously, encryption is a Good Thing. In theory, STARTTLS is worse than SSL/TLS since "STARTTLS" essentially means "use TLS if available" but keeps going if it's not whereas "SSL/TLS" means "use SSL no exceptions."

If your connection is encrypted then you don't need to worry too much about choosing between "Normal Password" and "Encrypted Password." If you test it and find that things don't work anymore with "Encrypted Password" then go back to Normal.

Andrew Lambert

Posted 2011-05-04T17:31:51.753

Reputation: 7 136
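Added example (not from any of the posts above, and not Thunderbird's code): the disagreement in this thread turns on what a STARTTLS client does when the server's EHLO reply does not advertise STARTTLS. The sketch below models the two possible client policies over constructed EHLO replies and shows a `smtplib` submission routine that fails closed in both modes; the policy names, the `next_step` and `submit` helpers and the `mail.example.test` host are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies (RFC 5321 multi-line format), not captured traffic.
EHLO_HONEST = "250-mail.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
# The same reply as the client sees it when the STARTTLS line is removed in transit.
EHLO_STRIPPED = "250-mail.example.test\n250-SIZE 35882577\n250 AUTH PLAIN LOGIN"


def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # first line is only the server greeting
        parts = line[4:].split()
        if line.startswith("250") and parts:
            keywords.add(parts[0].upper())
    return keywords


def next_step(policy, reply):
    """Decide what a client does after EHLO on a plaintext connection.

    policy is "opportunistic" (use TLS if offered) or "required" (TLS or nothing).
    Both names are hypothetical labels for this example.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "upgrade-to-tls"
    return "send-in-plaintext" if policy == "opportunistic" else "abort"


def submit(host, port, implicit_tls, user, password, message):
    """Send one message without ever falling back to plaintext (needs a real server)."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    if implicit_tls:
        conn = smtplib.SMTP_SSL(host, port, context=ctx)  # TLS from the first byte
    else:
        conn = smtplib.SMTP(host, port)  # plaintext until STARTTLS succeeds
    with conn:
        if not implicit_tls:
            conn.starttls(context=ctx)  # raises SMTPNotSupportedError if not offered
        conn.login(user, password)  # credentials only ever travel inside TLS
        conn.send_message(message)


if __name__ == "__main__":
    for policy in ("opportunistic", "required"):
        for name, reply in (("honest", EHLO_HONEST), ("stripped", EHLO_STRIPPED)):
            print(policy, name, "->", next_step(policy, reply))
```

Only the "opportunistic" policy ever reaches `send-in-plaintext`; a client that treats STARTTLS as required gives the same guarantee on the client-to-server hop as implicit TLS, differing only in when the handshake happens.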