Msen uses a self-signed SSL certificate to offer optional Transport Layer Security (TLS) encryption of email as it passes from the client's machine to our servers. This certificate has not been signed by a certificate authority that standard web browsers recognize. It is a self-signed certificate, intended to provide encryption only, not validation. Since email by nature is handled by many machines, only some of which we control, TLS cannot guarantee privacy from sender to reader. TLS can only protect the "first hop", and only if enabled. Therefore, Msen will not spend the hundreds of dollars per year necessary for "trusted certificates" on all mail machines.
This TLS security is to be considered casual encryption of the connection from an Msen mail server to your PC. It does not and cannot cover the entire conversation from sender to recipient. The only protection it provides is from sniffers on the Ethernet/phone line. To get complete protection, it needs to be used in conjunction with PGP, which encrypts the contents of the message.
If you wish to use TLS/SSL encryption in your IMAP/POP3/SMTP conversations with Msen, you will need to install the following Root Authority Certificate, which Msen has self-signed and which covers all the certificates on Msen's machines.
Installation:
Cautious users: Click on save, and write the file to disk. The filename will be "MsenCAcert.der" or "MsenCAcert.pem" depending on the browser type. Then open the file with a text editor like Notepad to check that it is an actual security certificate. It will be a text file containing a certificate header, a trailer, and 33 rows of 64 text characters each. You may need to turn word wrap on. Once you are happy it is not a virus, exit Notepad, right-click on the file, and select "Install Certificate". This will start the "Certificate Import Wizard".
Trusting Users: Click on open, and the "Certificate Import Wizard" will begin.
Following the default options presented, the certificate will be placed in the "Trusted Root Certificates" section of Tools->Internet Options->Content->Certificates for Internet Explorer and Tools->Options->Security->Secure-Mail-Digital-IDs for Outlook Express. After that, Msen will be trusted by those two programs as much as Verisign is.
Putting them to use:
In Outlook Express, in the Mail account properties, set your options to the following, with your username and servers set to those of your particular account.
If you are on a cable modem or in a hotel that blocks port 25 for outgoing email, you can use the port 587 Mail Submission protocol for SMTP. It requires you to send your username/password to the server to authenticate the connection. Microsoft Outlook Express cannot seem to get 587 SMTP-AUTH and TLS/SSL working together, so you need to use the settings below to make it work.
Using TLS/SSL protects your userid/password when sent across the network for the mail protocols. The non-SSL versions of the protocols send the passwords in the clear across the wire. To achieve complete email privacy, use SSL/TLS to protect your passwords, and PGP to protect the content of the message.
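The "cautious users" check above can also be done mechanically before the file goes into a trusted root store. The following is an added example, not Msen's own tooling: it checks the header, trailer and row layout of a saved PEM file, confirms the body decodes to a single DER structure, and returns a SHA-256 fingerprint. The sample input is constructed filler shaped to the 33 rows of 64 characters described above, not Msen's certificate, and comparing the fingerprint with a value confirmed with the provider by another channel is an assumption, since this page publishes none.

```python
import base64
import hashlib
import re

HEADER = "-----BEGIN CERTIFICATE-----"
TRAILER = "-----END CERTIFICATE-----"

def inspect_pem_certificate(text):
    """Return (row_count, der_length, sha256_hex) or raise ValueError."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != TRAILER:
        raise ValueError("missing certificate header or trailer")
    rows = lines[1:-1]
    for i, row in enumerate(rows):
        # Every row is base64 text; all but the last are exactly 64 characters.
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", row):
            raise ValueError(f"row {i + 1} is not base64 text")
        if len(row) > 64 or (i < len(rows) - 1 and len(row) != 64):
            raise ValueError(f"row {i + 1} has unexpected length {len(row)}")
    try:
        der = base64.b64decode("".join(rows), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("body does not decode as base64") from exc
    # A DER certificate is one ASN.1 SEQUENCE (tag 0x30) spanning the whole file.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    if der[1] < 0x80:
        header_len, body_len = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        header_len, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header_len + body_len != len(der):
        raise ValueError("DER length does not match file size (truncated or padded)")
    return len(rows), len(der), hashlib.sha256(der).hexdigest()

def make_sample_pem(der):
    """Wrap DER bytes as PEM with 64-character rows (helper for the sample only)."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *rows, TRAILER]) + "\n"

# Constructed sample, NOT Msen's certificate: a SEQUENCE wrapping 1580 filler bytes.
SAMPLE_DER = b"\x30\x82" + (1580).to_bytes(2, "big") + bytes(1580)
SAMPLE_PEM = make_sample_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(inspect_pem_certificate(SAMPLE_PEM))
```

A file that passes is only well-formed; whether it is the certificate the provider issued is decided by the fingerprint comparison, not by the layout.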
The Signing Authority will show as us:
Msen - Self signed certificate - encryption only - no validation
Mail Encryption Services, See http://www.msen.com/g/TLS.html
on a certificate like:
Email headers will contain an extra line in the Received: section. An example follows.