
Secure SMTP Connection for Roadrunner.com


David E. Ross

Jan 19, 2017, 11:43:42 PM
to mozilla-suppo...@lists.mozilla.org
I have two unrelated E-mail accounts. One account, I setup both to send
(SMTP) and to receive (POP3) through secure server connections (SSL/TLS).

The other account is with Spectrum (aka Time-Warner) with an E-mail
address that uses the roadrunner.com domain. I am able to receive
E-mail through a secure connection, but I cannot send through a secure
connection. I called Spectrum, but they really do not understand what
"secure connection" means.

Does anyone know the correct setup for a secure connection to the SMTP
server? The server is mail.twc.com unless a secure connection requires
a different server.

--
David E. Ross
<http://www.rossde.com/>

When the President of the United States makes a statement of
national importance, I want to see his face as he is talking.
At the least, I want to hear his voice.

Donald: Stop tweeting. Otherwise, how do we know the message
really comes from you?

Mike Easter

Jan 19, 2017, 11:52:35 PM
to mozilla-suppo...@lists.mozilla.org
David E. Ross wrote:
> I have two unrelated E-mail accounts. One account, I setup both to send
> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>
> The other account is with Spectrum (aka Time-Warner) with an E-mail
> address that uses the roadrunner.com domain. I am able to receive
> E-mail through a secure connection, but I cannot send through a secure
> connection. I called Spectrum, but they really do not understand what
> "secure connection" means.
>
> Does anyone know the correct setup for a secure connection to the SMTP
> server? The server is mail.twc.com unless a secure connection requires
> a different server.
>
This page says mail.twc.com

https://www.timewarnercable.com/en/support/faqs/faqs-internet/e-mailacco/incoming-outgoing-server-addresses.html

The user is us...@roadrunner.com, server mail.twc.com, port 587 if I
understand your message and the page correctly.

--
Mike Easter

David E. Ross

Jan 20, 2017, 1:10:23 AM
to mozilla-suppo...@lists.mozilla.org
Port 587 is for an unsecure connection. What is the port for SSL/TLS?

David E. Ross

Jan 20, 2017, 1:20:00 AM
to mozilla-suppo...@lists.mozilla.org
On 1/19/2017 10:09 PM, David E. Ross wrote:
> On 1/19/2017 8:51 PM, Mike Easter wrote:
>> David E. Ross wrote:
>>> I have two unrelated E-mail accounts. One account, I setup both to send
>>> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>>>
>>> The other account is with Spectrum (aka Time-Warner) with an E-mail
>>> address that uses the roadrunner.com domain. I am able to receive
>>> E-mail through a secure connection, but I cannot send through a secure
>>> connection. I called Spectrum, but they really do not understand what
>>> "secure connection" means.
>>>
>>> Does anyone know the correct setup for a secure connection to the SMTP
>>> server? The server is mail.twc.com unless a secure connection requires
>>> a different server.
>>>
>> This page says mail.twc.com
>>
>> https://www.timewarnercable.com/en/support/faqs/faqs-internet/e-mailacco/incoming-outgoing-server-addresses.html
>>
>> The user is us...@roadrunner.com, server mail.twc.com, port 587 if I
>> understand your message and the page correctly.
>>
>
> Port 587 is for an unsecure connection. What is the port for SSL/TLS?
>

And port 465 is the default for SSL/TLS. But when I setup for SMTP to
be SSL/TLS with 465, I cannot connect to the server to send messages.

David E. Ross

Jan 20, 2017, 1:47:44 AM
to mozilla-suppo...@lists.mozilla.org
On 1/19/2017 8:43 PM, David E. Ross wrote:
> I have two unrelated E-mail accounts. One account, I setup both to send
> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>
> The other account is with Spectrum (aka Time-Warner) with an E-mail
> address that uses the roadrunner.com domain. I am able to receive
> E-mail through a secure connection, but I cannot send through a secure
> connection. I called Spectrum, but they really do not understand what
> "secure connection" means.
>
> Does anyone know the correct setup for a secure connection to the SMTP
> server? The server is mail.twc.com unless a secure connection requires
> a different server.
>

Never mind. I found my answer via Google.

For the SMTP server at mail.twc.com, secure connections require
STARTTLS instead of SSL/TLS. The port is 587, and the password setting
is Normal password.

Disaster Master

Jan 20, 2017, 9:18:49 AM
to support-t...@lists.mozilla.org
On 1/20/2017, 1:09:44 AM, David E. Ross <nob...@nowhere.invalid> wrote:
> Port 587 is for an unsecure connection. What is the port for SSL/TLS?

No, port 587 is the modern port used for email submission service, using STARTTLS.

Yes, the very initial connection is unencrypted, but it immediately changes to an encrypted connection before sending credentials.


On 1/20/2017, 1:19:23 AM, David E. Ross <nob...@nowhere.invalid> wrote:
> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
> be SSL/TLS with 465, I cannot connect to the server to send messages.

Port 465 is the ancient, deprecated SSL port, long since discouraged for email use. The only clients that do not work with STARTTLS are the old Outlook Express, and one of the older Outlooks.

All modern email clients support the submission service (port 587 using STARTTLS).

Wolf K.

Jan 20, 2017, 10:09:48 AM
to mozilla-suppo...@lists.mozilla.org
On 2017-01-19 23:43, David E. Ross wrote:
> I have two unrelated E-mail accounts. One account, I setup both to send
> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>
> The other account is with Spectrum (aka Time-Warner) with an E-mail
> address that uses the roadrunner.com domain. I am able to receive
> E-mail through a secure connection, but I cannot send through a secure
> connection. I called Spectrum, but they really do not understand what
> "secure connection" means.
>
> Does anyone know the correct setup for a secure connection to the SMTP
> server? The server is mail.twc.com unless a secure connection requires
> a different server.

If it doesn't ask you to set a secure connection, it doesn't use one.

--
Wolf K.
https://kirkwood40.blogspot.com
It's called "opinion" because it's not knowledge.

Wolf K.

Jan 20, 2017, 10:10:32 AM
to mozilla-suppo...@lists.mozilla.org
On 2017-01-20 01:19, David E. Ross wrote:
> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
> be SSL/TLS with 465, I cannot connect to the server to send messages.

.... which means it doesn't use a secure connection.

Wolf K.

Jan 20, 2017, 10:12:16 AM
to mozilla-suppo...@lists.mozilla.org
On 2017-01-20 01:47, David E. Ross wrote:
> On 1/19/2017 8:43 PM, David E. Ross wrote:
>> I have two unrelated E-mail accounts. One account, I setup both to send
>> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>>
>> The other account is with Spectrum (aka Time-Warner) with an E-mail
>> address that uses the roadrunner.com domain. I am able to receive
>> E-mail through a secure connection, but I cannot send through a secure
>> connection. I called Spectrum, but they really do not understand what
>> "secure connection" means.
>>
>> Does anyone know the correct setup for a secure connection to the SMTP
>> server? The server is mail.twc.com unless a secure connection requires
>> a different server.
>>
>
> Never mind. I found my answer via Google.
>
> For the SMTP server at mail.twc.com, secure connections require
> STARTTLS instead of SSL/TLS. The port is 587, and the password setting
> is Normal password.

.... which means that as usual, the lack of uniform standards for setting
up the secure connection messed you up (and me too: my answers assumed
you'd tried all methods already.)

Disaster Master

Jan 20, 2017, 10:21:33 AM
to support-t...@lists.mozilla.org
On Fri Jan 20 2017 10:09:52 GMT-0500 (Eastern Standard Time), Wolf K. <wol...@sympatico.ca> wrote:
> On 2017-01-20 01:19, David E. Ross wrote:
>> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
>> be SSL/TLS with 465, I cannot connect to the server to send messages.
> .... which means it doesn't use a secure connection.

No, it just means it doesn't support the ancient/deprecated wrapper-mode (SSL on port 465).

You should always try the proper submission service first, then complain loudly if they don't support it but do support the ancient/deprecated wrapper-mode service. Most providers I've ever used support both.

I still don't understand why Office365 and GMail prefer IMAPS (port 993 with SSL).

Disaster Master

Jan 20, 2017, 10:50:12 AM
to support-t...@lists.mozilla.org
On Fri Jan 20 2017 10:11:37 GMT-0500 (Eastern Standard Time), Wolf K. <wol...@sympatico.ca> wrote:
> On 2017-01-20 01:47, David E. Ross wrote:
>> For the SMTP server at mail.twc.com, secure connections require
>> STARTTLS instead of SSL/TLS. The port is 587, and the password setting
>> is Normal password.
> .... which means that as usual, the lack of uniform standards for setting
> up the secure connection messed you up (and me too: my answers assumed
> you'd tried all methods already.)

?

Just as STARTTLS on port 143 (for IMAP) is the standard, STARTTLS on Port 587 is the standard for SMTP submission service, and has been for a very long time.

The problem is providers are slow to follow the standards, or especially to enforce them.

Wolf K.

Jan 20, 2017, 11:00:16 AM
to mozilla-suppo...@lists.mozilla.org
On 2017-01-20 10:50, Disaster Master wrote:
> On Fri Jan 20 2017 10:11:37 GMT-0500 (Eastern Standard Time), Wolf K.
> <wol...@sympatico.ca> wrote:
>> On 2017-01-20 01:47, David E. Ross wrote:
>>> For the SMTP server at mail.twc.com, secure connections require
>>> STARTTLS instead of SSL/TLS. The port is 587, and the password setting
>>> is Normal password.
>> .... which means that as usual, the lack of uniform standards for setting
>> up the secure connection messed you up (and me too: my answers assumed
>> you'd tried all methods already.)
>
> ?
>
> Just as STARTTLS on port 143 (for IMAP) is the standard, STARTTLS on
> Port 587 is the standard for SMTP submission service, and has been for a
> very long time.

Yeah, but SSL and TLS and SSL/TLS are all still used.

> The problem is providers are slow to follow the standards, or especially
> to enforce them.

Indeed. In my lexicon, it's not a standard if people don't follow it.

There's no point leaving it up to the providers to "enforce" the
standards. They're focussed on dollars, not customers.

Have a good day,

David E. Ross

Jan 20, 2017, 11:39:49 AM
to mozilla-suppo...@lists.mozilla.org
The bigger problem is that the technical support personnel at service
providers simply do not know what SSL/TLS or STARTTLS are.

Disaster Master

Jan 20, 2017, 11:47:45 AM
to support-t...@lists.mozilla.org
On Fri Jan 20 2017 11:39:11 GMT-0500 (Eastern Standard Time), David E. Ross <nob...@nowhere.invalid> wrote:
> The bigger problem is that the technical support personnel at service
> providers simply do not know what SSL/TLS or STARTTLS are.

I don't understand people who insist on making such blanket statements that are untrue on their face.

Like anything else, some providers are better than others, most if not all will have some that are good and some that are bad, some vet their support people very well, so most if not all of those will have a decent understanding of these protocols.

Christian Riechers

Jan 21, 2017, 2:59:16 AM
to mozilla-suppo...@lists.mozilla.org
On 01/20/2017 04:21 PM, Disaster Master wrote:
> On Fri Jan 20 2017 10:09:52 GMT-0500 (Eastern Standard Time), Wolf K.
> <wol...@sympatico.ca> wrote:
>> On 2017-01-20 01:19, David E. Ross wrote:
>>> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
>>> be SSL/TLS with 465, I cannot connect to the server to send messages.
>> .... which means it doesn't use a secure connection.
>
> No, it just means it doesn't support the ancient/deprecated wrapper-mode
> (SSL on port 465).

Deprecated wrapper-mode?
Are you sure you know what you're talking about?

king daddy 2

Jan 21, 2017, 5:25:39 AM
to mozilla-suppo...@lists.mozilla.org
On 1/19/2017 11:43 PM, David E. Ross wrote:
> I have two unrelated E-mail accounts. One account, I setup both to send
> (SMTP) and to receive (POP3) through secure server connections (SSL/TLS).
>
> The other account is with Spectrum (aka Time-Warner) with an E-mail
> address that uses the roadrunner.com domain. I am able to receive
> E-mail through a secure connection, but I cannot send through a secure
> connection. I called Spectrum, but they really do not understand what
> "secure connection" means.
>
> Does anyone know the correct setup for a secure connection to the SMTP
> server? The server is mail.twc.com unless a secure connection requires
> a different server.
>
I have three earthlink accounts and send with smtpauth.earthlink.net

I have one TimeWarner account, using pop-server.nc.rr.com
(Also use it for texting)
and send using the earthlink SMTPAUTH.

Carl

Disaster Master

Jan 23, 2017, 11:23:35 AM
to support-t...@lists.mozilla.org
On Sat Jan 21 2017 02:58:37 GMT-0500 (Eastern Standard Time), Christian Riechers <chrie...@netscape.net.invalid> wrote:
> On 01/20/2017 04:21 PM, Disaster Master wrote:
>> On Fri Jan 20 2017 10:09:52 GMT-0500 (Eastern Standard Time), Wolf K.
>> <wol...@sympatico.ca> wrote:
>>> On 2017-01-20 01:19, David E. Ross wrote:
>>>> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
>>>> be SSL/TLS with 465, I cannot connect to the server to send messages.
>>> .... which means it doesn't use a secure connection.
>> No, it just means it doesn't support the ancient/deprecated wrapper-mode
>> (SSL on port 465).
> Deprecated wrapper-mode?
> Are you sure you know what you're talking about?

Yes...

http://www.postfix.org/TLS_README.html#server_enable

Disaster Master

Jan 23, 2017, 4:00:05 PM
to support-t...@lists.mozilla.org
On 1/23/2017, 11:23:22 AM, Disaster Master <disasterl...@gmail.com> wrote:
> On Sat Jan 21 2017 02:58:37 GMT-0500 (Eastern Standard Time), Christian Riechers <chrie...@netscape.net.invalid> wrote:
>> On 01/20/2017 04:21 PM, Disaster Master wrote:
>>> On Fri Jan 20 2017 10:09:52 GMT-0500 (Eastern Standard Time), Wolf K.
>>> <wol...@sympatico.ca> wrote:
>>>> On 2017-01-20 01:19, David E. Ross wrote:
>>>>> And port 465 is the default for SSL/TLS. But when I setup for SMTP to
>>>>> be SSL/TLS with 465, I cannot connect to the server to send messages.
>>>> .... which means it doesn't use a secure connection.
>>> No, it just means it doesn't support the ancient/deprecated wrapper-mode
>>> (SSL on port 465).
>> Deprecated wrapper-mode?
>> Are you sure you know what you're talking about?
>
> Yes...
>
> http://www.postfix.org/TLS_README.html#server_enable

Oh, meant to include the bit that refers to it as deprecated:

http://www.postfix.org/TLS_README.html#client_smtps

Christian Riechers

Jan 23, 2017, 4:36:15 PM
to mozilla-suppo...@lists.mozilla.org
From your link I fail to see how TLS using port 465 is
ancient/deprecated, and why Postfix calls it 'wrapper-mode'
in the first place. Perhaps you can enlighten me?

STARTTLS is less secure than TLS. Not only can it fall back to plaintext
without notification, it's also subject to man-in-the-middle attacks.

Even though not all email providers may offer TLS using port 465, I'd
always prefer it over STARTTLS if it's available.
In case you haven't noticed, Google is one of the providers supporting it.

Disaster Master

Jan 24, 2017, 10:18:49 AM
to support-t...@lists.mozilla.org
On Mon Jan 23 2017 16:35:32 GMT-0500 (Eastern Standard Time), Christian Riechers <chrie...@netscape.net.invalid> wrote:
> From your link I fail to see how TLS using port 465 is
> ancient/deprecated,

It is ancient because it originated in 1997, twenty years ago.

Port 465 is now registered with the IANA for 'Source-Specific Multicast audio and video'.

https://en.wikipedia.org/wiki/SMTPS


> and why Postfix calls it 'wrapper-mode'
> in the first place. Perhaps you can enlighten me?

Google is your friend, but I also followed up with another reference from the same docs, did you miss it?

Anyway, why take my word for it?

http://lmgtfy.com/?q=port+465+wrapper+mode+SSL+deprecated


> STARTTLS is less secure than TLS.



> Not only can it fall back to plaintext without notification,

Only if improperly configured on the server.


> it's also subject to man-in-the-middle attacks.

Again, only if the client is improperly configured to allow fallback to plaintext.

As long as both server and client are configured to require encryption, it is not subject to a man in the middle attack.

Fyi, port 465 can also be configured to allow plaintext.


> Even though not all email providers may offer TLS using port 465, I'd
> always prefer it over STARTTLS if it's available.
> In case you haven't noticed, Google is one of the providers supporting it.

They support both, but only because it is 'easier', and only because there are a lot of people who don't understand these things and incorrectly believe that port 465/wrapper-mode SSL is 'the way'.

Christian Riechers

Jan 28, 2017, 6:24:09 AM
to mozilla-suppo...@lists.mozilla.org
On 01/24/2017 04:18 PM, Disaster Master wrote:
> On Mon Jan 23 2017 16:35:32 GMT-0500 (Eastern Standard Time), Christian
> Riechers <chrie...@netscape.net.invalid> wrote:
>> On 01/23/2017 05:23 PM, Disaster Master wrote:
>>> On Sat Jan 21 2017 02:58:37 GMT-0500 (Eastern Standard Time), Christian
>>> Riechers <chrie...@netscape.net.invalid> wrote:
>>>> On 01/20/2017 04:21 PM, Disaster Master wrote:
>>>>> No, it just means it doesn't support the ancient/deprecated wrapper-mode
>>>>> (SSL on port 465).
>>>> Deprecated wrapper-mode?
>>>> Are you sure you know what you're talking about?
>>> Yes...
>>>
>>> http://www.postfix.org/TLS_README.html#server_enable
>> From your link I fail to see how TLS using port 465 is
>> ancient/deprecated,

[snip]

> Port 465 is now registered with the IANA for 'Source-Specific Multicast
> audio and video'.

I didn't know that.

[snip]

>> STARTTLS is less secure than TLS.
>
> This is blatantly false.
>
> http://lmgtfy.com/?q=is+starttls+less+secure+than+SSL%2FTLS%3F

Very funny. I know how to use Google. The thing is, posting a search
query link will give different results to every one who clicks the link.

The first relevant result I get from your query is this:
http://serverfault.com/questions/523804/is-starttls-more-safe-than-tls-ssl

Please read it.

>> Not only can it fall back to plaintext without notification,
>
> Only if improperly configured on the server.
>
>> it's also subject to man-in-the middle attacks.
>
> Again, only if the client is improperly configured to allow fallback to
> plaintext.

That isn't the point. In any case, I suppose there are also improperly
configured servers.

> As long as both server and client are configured to require encryption,
> it is not subject to a man in the middle attack.

When a client initially connects to a server in plain text, this is
inherently vulnerable to a man in the middle attack.

The problem is not limited to potential fallback to a plaintext
conversation, but also to connecting to a malicious server.

> Fyi, port 465 can also be configured to allow plaintext.

I don't see any reason why anyone would want to do that.

>> Even though not all email providers may offer TLS using port 465, I'd
>> always prefer it over STARTTLS if it's available.
>> In case you haven't noticed, Google is one of the providers supporting it.
>
> They support both, but only because it is 'easier', and only because
> there are a lot of people who don't understand these things and
> incorrectly believe that port 465/wrapper-mode SSL is 'the way'.

It certainly is 'the way' for me as long as the server offers it.

Disaster Master

Jan 30, 2017, 10:30:43 AM
to support-t...@lists.mozilla.org
On 1/28/2017, 6:23:31 AM, Christian Riechers <chrie...@netscape.net.invalid> wrote:
> On 01/24/2017 04:18 PM, Disaster Master wrote:
>> On Mon Jan 23 2017 16:35:32 GMT-0500 (Eastern Standard Time), Christian
>> Riechers <chrie...@netscape.net.invalid> wrote:
>>> On 01/23/2017 05:23 PM, Disaster Master wrote:
>>>> On Sat Jan 21 2017 02:58:37 GMT-0500 (Eastern Standard Time), Christian
>>>> Riechers <chrie...@netscape.net.invalid> wrote:
>>>>> On 01/20/2017 04:21 PM, Disaster Master wrote:
>>>>>> No, it just means it doesn't support the ancient/deprecated wrapper-mode
>>>>>> (SSL on port 465).
>>>>> Deprecated wrapper-mode?
>>>>> Are you sure you know what you're talking about?
>>>> Yes...
>>>>
>>>> http://www.postfix.org/TLS_README.html#server_enable
>>> From your link I fail to see how TLS using port 465 is
>>> ancient/deprecated,
> [snip]
>
>> Port 465 is now registered with the IANA for 'Source-Specific Multicast
>> audio and video'.
> I didn't know that.

This has been the case for a very long time - almost 2 decades (since 1999) in fact - hence, 'ancient', as anyone who manages a mail server professionally has (or should have) been well aware of.

>>> STARTTLS is less secure than TLS.
>> This is blatantly false.
>>
>> http://lmgtfy.com/?q=is+starttls+less+secure+than+SSL%2FTLS%3F
> The first relevant result I get from your query is this:

    

It was on the list of results in my link, and it is an old argument that I am well aware of.

If you read it, it plainly states that in order for STARTTLS to be 'less secure', both the server AND client MUST be IMPROPERLY configured.

If both the server and client are configured to enforce encryption - which the submission service preconfigured (but disabled by default) in postfix is - then the argument fails.

So, your blanket condemnation of STARTTLS is blatantly false, stands.

>> As long as both server and client are configured to require encryption,
>> it is not subject to a man in the middle attack.
> When a client initially connects to a server in plain text, this is
> inherently vulnerable to a man in the middle attack.

And if port 465 is improperly configured to allow plaintext, it is similarly vulnerable.


> The problem is not limited to potential fallback to a plaintext
> conversation, but also to connecting to a malicious server.

If a server has been compromised to the point that connection to smtp.example.com goes to a malicious server, then it doesn't matter what port is being used.

Only a server that requires the use of TLS certificates is immune to such a problem, but again, only if properly configured.

As I have said, it all boils down to proper configuration, and the server configuration is the first and most important step.

>> Fyi, port 465 can also be configured to allow plaintext.
> I don't see any reason why anyone would want to do that.

And I don't see any reason why anyone responsible for configuring SMTP AUTH on a server would not require encryption on port 587.

Server side, I'd say the only possibles are ignorance, incompetence, or just a simple mistake. Client side, it would be more ignorance or mistake.

The reality is, the arguments/problems you are relying on to justify your choice to use a deprecated model are the exact same issues with respect to 'opportunistic encryption' on port 25, but they just don't apply in that case, and are invalidated by a properly configured server (and made even more secure by a properly configured client in the case of SMTP submission service).

That said, there is a legitimate enough of a concern that mail clients should make it IMPOSSIBLE to fall back to plaintext when using port 587+STARTTLS, just as Thunderbird did some time ago (in 2009/2010), when they removed the option entirely.

Which brings us to the last question on this issue...

If you are using a client that allows what should be a secure connection to fallback to plaintext when it shouldn't, whether intentionally through a configuration choice, or unintentionally (through faulty coding), whose fault is that?
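
The client-side point argued in the last posts (a STARTTLS session on port 587 is only as safe as the client's refusal to continue when encryption is unavailable), as an added example that is not part of any post and not Thunderbird's code: two Python `smtplib` clients run against a constructed loopback server whose EHLO reply omits STARTTLS. The function and class names, the host name `client.example` and the credentials are assumptions made for the demo.

```python
import smtplib
import socketserver
import ssl
import threading


class TLSRequired(Exception):
    """Raised when the session cannot be encrypted; nothing else is sent."""


def strict_submit(host, port, user, password):
    """STARTTLS client that treats a missing STARTTLS offer as fatal."""
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise TLSRequired("server did not offer STARTTLS; not sending AUTH")
        # The default context verifies the certificate chain and the host name.
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # capabilities must be re-read inside the TLS session
        s.login(user, password)


def opportunistic_submit(host, port, user, password):
    """'Use TLS if available' client: continues in plaintext when it is not."""
    with smtplib.SMTP(host, port, local_hostname="client.example", timeout=5) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
        s.login(user, password)  # may travel unencrypted


class NoStartTLSServer(socketserver.StreamRequestHandler):
    """Constructed loopback server whose EHLO reply lacks STARTTLS."""

    def handle(self):
        self.wfile.write(b"220 localhost ESMTP constructed-test-server\r\n")
        for raw in self.rfile:
            verb = raw.strip().split(b" ", 1)[0].upper()
            if verb == b"EHLO":
                reply = b"250-localhost\r\n250 AUTH PLAIN\r\n"
            elif verb == b"AUTH":
                self.server.saw_plaintext_auth = True  # credentials arrived in clear
                reply = b"235 accepted\r\n"
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"502 not implemented\r\n"
            self.wfile.write(reply)


def run_against_no_starttls_server(client):
    """Return (outcome, whether the server saw AUTH on the plaintext channel)."""
    with socketserver.TCPServer(("127.0.0.1", 0), NoStartTLSServer) as srv:
        srv.saw_plaintext_auth = False
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            client("127.0.0.1", srv.server_address[1], "user", "constructed-password")
            outcome = "sent"
        except TLSRequired:
            outcome = "refused"
        finally:
            srv.shutdown()
        return outcome, srv.saw_plaintext_auth


if __name__ == "__main__":
    for fn in (strict_submit, opportunistic_submit):
        print(fn.__name__, run_against_no_starttls_server(fn))
```

The strict client ends the session before any AUTH command is issued; the opportunistic one completes the login with the password readable on the wire.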