Secure the Email in Your .NET Apps with SSL Email Components
 
Published: 20 Dec 2003
Unedited - Community Contributed
Abstract
Explore the pros and cons of SSL and learn exactly what you need to know to properly build and support an email client application that can send and retrieve email over an SSL encrypted channel. Sample code is also included that will enable you to build SSL-enabled .NET apps within minutes!
by John Alessi

Introduction

If you are confused about how to implement security in an email app, you are not alone:  SSL, S/MIME, PGP, certificates, signatures--it all can get quite confusing.  There are many methods of securing email, each with its own strengths, weaknesses, and complexities.  This is the first in a series of articles dealing with email security in which I hope to simplify some of these complexities. 

In this article I will focus on SSL and leave future articles to deal with the other security methods and protocols.  Unlike other information you may have read about SSL, the information presented in this article is from an email developer's perspective. I will explore the pros and cons of SSL and show you exactly what you need to know to properly build and support an email client application that can send and retrieve email over an SSL encrypted channel.   Sample code is also included which will enable you to build SSL-enabled .NET apps within minutes!

In this edition you will learn:

  • How SSL works to safeguard data.
  • How SSL is used to protect email.
  • The benefits of client authentication.
  • 2 critical things you need to know about what SSL will not do.
  • How you can use SSL to safeguard email in your app.
  • Client and server requirements for securing email with SSL.
  • About the bonus protection provided by SSL.
  • What types of apps can benefit from securing email with SSL. 

This edition also contains easy sample code in VB.Net and C# including:

  • Sending a message with SMTP over an SSL connection
  • Retrieving a message from a POP3 server over an SSL connection
  • Retrieving a message from an IMAP4 server over an SSL connection

Introduction

Normal email messages are sent across the Internet in a plain text format.  This leaves the messages susceptible to all sorts of electronic eavesdropping.  SSL enables us to easily secure our email apps while keeping the SSL security invisible to the end user.

Every techie is familiar with SSL (Secure Sockets Layer) to some degree.  SSL is the technology which encrypts data during its transmission to and from a secure website.  All e-commerce applications rely on SSL to ensure that sensitive information, such as credit card numbers, is not transmitted across the public Internet in a manner which can be easily intercepted and decoded by a third party.  SSL is very transparent to the end user: the end user needs to know nothing and do nothing; it just happens, it just works.  That is one of the biggest strengths of SSL - the fact that it is invisible or transparent to the end user.

SSL is transparent to the end user because its functionality is built into the browser and works automatically.  In this article I will show you how to build this same type of automatic, secure functionality into your email apps.

So how does SSL work?  How secure is it and how can it be used to secure email?

SSL - How It Secures Email

SSL works at the socket level.  Sockets are a pair of end-points of a two-way communication link between two programs running on the network.  All TCP/IP communication on the Windows platform uses sockets.  In the email paradigm one of the sockets is used by the email client application and the other by the email server.  These applications usually reside on different systems across the network, however there is nothing preventing them from being on the same system either.  You can think of a socket as a data doorway into and out of an application.  Normal email communications send your email messages out the door in a plain text format.  As the message travels between doorways, it is susceptible to prying eyes.  Electronic eavesdropping applications can easily read the contents of your messages as they travel across the network and gain access to attachments and other message data.  SSL protects your messages by  automatically encrypting the data as it travels between doorways (sockets).  Data is automatically encrypted just before it goes out the door, and automatically decrypted immediately after it enters the door. 

SMTP, POP3, IMAP4, Where Does It All Fit In?

SSL encryption happens at a lower level than the standard Internet email protocols such as SMTP, POP3 and IMAP4.  Because of this, these protocols do not need to be modified to handle connections over an SSL protected channel.  In fact, these protocols are oblivious to the existence or nonexistence of an SSL connection.

 

 


ID Please

SSL also provides the ability for both the client and server to identify themselves and enables applications to prohibit communications with unknown parties.  This is accomplished by digital certificates which are exchanged between the sockets before they are secured.  The entire topic of digital certificates is beyond the scope of this article, however I will touch on it briefly.

During the initialization of the SSL communication, the server sends its certificate to the client.  The server's certificate includes identifying information and also an encryption key which this client should use for the encrypted communication to follow.  The client is able to verify the authenticity of the certificate to prove to itself that it is indeed communicating with the correct mail server, otherwise an error is thrown.

After the client has authenticated the server, the client may also supply a certificate to identify itself.  This step is optional, but its purpose is to enable the server to authenticate the client.  In an email system for example, the server may be configured to only communicate with known clients.  This level of security is not usually implemented because it requires special setup on each client as well as more administrative work on the server, thus negating the transparency of SSL to the end user.  Perhaps as email clients and servers get more robust they might make client authentication easier for the users and administrators.
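
The certificate check described above can be seen end to end with .NET's built-in SslStream. This is an added example, not code from the article or from EasyMail: it starts a local stand-in server with a constructed self-signed certificate, shows the client refusing it under normal validation, then accepting only that exact certificate by its SHA-256 hash, which goes a step beyond the text. The host name mail.example.test, the greeting and the class name are assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class Pop3OverTlsDemo
{
    const string Host = "mail.example.test"; // constructed name, not a real server

    // Constructed self-signed certificate: no CA trusted by this machine issued it.
    static X509Certificate2 MakeServerCert()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=" + Host, rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                             DateTimeOffset.UtcNow.AddDays(30));
        // Re-import from PFX so SslStream can use the private key on every platform.
        return new X509Certificate2(tmp.Export(X509ContentType.Pfx));
    }

    // Stand-in mail server: TLS handshake first, then an ordinary POP3 greeting.
    static async Task ServeOnce(TcpListener listener, X509Certificate2 cert)
    {
        using var tcp = await listener.AcceptTcpClientAsync();
        using var tls = new SslStream(tcp.GetStream());
        try
        {
            await tls.AuthenticateAsServerAsync(cert);
            await tls.WriteAsync(System.Text.Encoding.ASCII.GetBytes("+OK POP3 ready\r\n"));
        }
        catch (Exception) { /* the client refused the certificate and closed */ }
    }

    // Throws AuthenticationException when `check` rejects the server certificate.
    static string Connect(int port, RemoteCertificateValidationCallback check)
    {
        using var tcp = new TcpClient("127.0.0.1", port);
        using var tls = new SslStream(tcp.GetStream(), false, check);
        // TLS 1.2 only here; the older SSL versions are never offered.
        tls.AuthenticateAsClient(Host, null, SslProtocols.Tls12, false);
        return new StreamReader(tls).ReadLine() ?? "";
    }

    static void Main()
    {
        using var cert = MakeServerCert();
        string pin = cert.GetCertHashString(HashAlgorithmName.SHA256);
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        // 1. Platform validation only: the untrusted certificate must end the session.
        var server = ServeOnce(listener, cert);
        try { Connect(port, (s, c, chain, errors) => errors == SslPolicyErrors.None); }
        catch (AuthenticationException e) { Console.WriteLine("rejected: " + e.Message); }
        server.Wait();
        // 2. Certificate provisioned out of band: accept only that exact certificate.
        server = ServeOnce(listener, cert);
        Console.WriteLine(Connect(port, (s, c, chain, errors) =>
            c != null && c.GetCertHashString(HashAlgorithmName.SHA256) == pin));
    }
}
```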

Bonus Protection

There is a big bonus to using SSL to secure email.  Since SSL encrypts the entire client / server communication, not only the contents of individual email messages, other data sent between client and server, such as account names and passwords, is also encrypted and thus protected.  This is really important because what good does it do to encrypt your message en route to the server, only to have your account name and password intercepted and used to gain access to the server itself?

Requirements

To use SSL with email, both the client and the server must have built-in support.  The sample code to follow will show you how to easily include this support into your .Net client applications with just a few lines of code!  The server must also support SSL.  If your mail server does not support SSL, you may be able to use SSL gateway software, or a relay server which supports SSL.  The gateway/relay server accepts mail over an SSL encrypted connection and then passes the data on to your server over a standard unencrypted channel.  If the gateway/relay and your server reside on the same system, or behind the same firewall, most of the benefits of SSL may be retained.  The server will also need a digital certificate for SSL communications which can be obtained from a certificate authority.

Caveats

There are two important things to be aware of when using SSL to secure email.

Caveat One. SSL does an excellent job protecting your data while it travels between application doorways, but its protection ends there - at the doorway.  SSL does not protect data in either application, only on its path between them.  For example, someone who obtains your email account and password may still be able to access your messages on the server, although it should be noted that SSL client authentication, if employed, might make this impossible.  Also, since SSL protects passwords as they are sent across the network, they are virtually impossible to intercept, at least during the encrypted conversation between the client and server.

Caveat Two. As an email message travels across the Internet it will pass through one or more SMTP servers.  For example, if you are at a.com and sending mail to someone at b.com, your message will normally go to the a.com SMTP server first.  The a.com SMTP server will then contact the b.com server and relay the message to it.  If your client application and the a.com SMTP server both support SSL, your client will be able to send secure mail to the a.com server.  However if the b.com server does not support SSL, the a.com server may send the message to the b.com server without encryption.  There may be many servers involved with the delivery of a message, and unless they are all under your control, it will be impossible to ensure that your message is delivered via SSL along the entire path.  Also important to note is that if the recipient's mail client application does not support SSL, your message will be retrieved without SSL protection no matter what.
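
One way to see Caveat Two in a delivered message is to read its Received headers, where each receiving server records the protocol type used for that hop (ESMTPS and ESMTPSA mean TLS was used, per RFC 3848). The following is an added example, not from the article; the header values and class name are constructed, and headers written by servers outside your control are only as trustworthy as those servers.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

static class ReceivedHopAudit
{
    // "with" protocol types that mean the hop ran over TLS (RFC 3848, RFC 6531).
    static readonly HashSet<string> TlsTypes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
        "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"
    };

    // Drop RFC 5322 comments: they nest, and Postfix-style TLS notes contain "with".
    static string StripComments(string s)
    {
        var sb = new StringBuilder();
        int depth = 0;
        foreach (char ch in s)
        {
            if (ch == '(') depth++;
            else if (ch == ')' && depth > 0) depth--;
            else if (depth == 0) sb.Append(ch);
        }
        return sb.ToString();
    }

    // One Received: value -> (receiving server, protocol type, whether that type implies TLS).
    static (string Server, string Proto, bool Tls) Classify(string received)
    {
        string clean = StripComments(received).Split(';')[0];   // cut the trailing date
        string server = Regex.Match(clean, @"\bby\s+(\S+)").Groups[1].Value;
        string proto = Regex.Match(clean, @"\bwith\s+(\S+)").Groups[1].Value;
        return (server, proto, TlsTypes.Contains(proto));
    }

    static void Main()
    {
        // Constructed headers for the a.com to b.com path; the newest hop is listed first.
        string[] hops =
        {
            "from mx.a.com (mx.a.com [192.0.2.10]) by mx.b.com (Postfix) " +
                "with ESMTP id 4F1C2 for <bob@b.com>; Tue, 2 Jan 2024 10:00:02 +0000",
            "from laptop (client.a.com [192.0.2.55]) " +
                "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) " +
                "by mx.a.com (Postfix) with ESMTPSA id 9A7B3 for <bob@b.com>; " +
                "Tue, 2 Jan 2024 10:00:01 +0000"
        };
        foreach (string hop in hops)
        {
            var h = Classify(hop);
            Console.WriteLine($"{h.Server,-10} {h.Proto,-8} {(h.Tls ? "TLS" : "no TLS recorded")}");
        }
    }
}
```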

When Can SSL Help?

After reading the caveats you may be wondering how SSL can help anyway. Actually there are some really good uses for SSL.  Intraorganizational email is by far the greatest and best use of SSL email security that I can think of.  SSL email can easily protect intraorganizational communications in corporate, educational, government, military, healthcare and similar settings.  This is especially important where confidentiality/privacy concerns are high; in fact, recent privacy laws and legislation such as HIPAA may require that certain email communications be encrypted.

SSL works well in these environments because all of the communication systems can be placed under the central, internal control of the organization.  Intraorganizational mail can be handled by one or more servers which all support SSL.  The servers may be set up to require all incoming connections to be encrypted with SSL, and all mail clients can very easily be configured to connect to their company server via SSL.

This is a fairly easy situation to implement and administer and will provide excellent email security within the organization.  Communications between Employees, Executives, Board Members, Contractors, those on the road and those working from home are all easily protected by a very high level of security.

Web Mail

If you are building a web mail application or any mail application that gets its data from web forms, etc., you can use the HTTPS protocol so that the data cannot be intercepted as it travels between the user's browser and the server.  In this situation the mail client is actually a combination of the browser and web server.  HTTPS (SSL encrypted HTTP) protects data between the browser and the web server, and the web server process can also use SSL over SMTP, POP3, IMAP4, etc. to communicate with the actual mail server, if necessary.

SSL Support for Your App

Adding SSL capabilities to your email application is very simple provided that you have the right set of components to handle the low level details such as certificate exchange, certificate authentication and encryption.  The following samples use EasyMail .Net Edition with the optional SSL plug-in.  The SSL plug-in component enables applications which use EasyMail .Net Edition to send and receive SSL protected email with only a few lines of code.  EasyMail .Net Edition, the SSL plug-in and all the sample code in this issue can be downloaded here.

Sending Mail over an SSL Connection

The following sample code demonstrates how to send Internet email over a secure connection to an SSL enabled SMTP server.

VB.Net Sample
Dim objSMTP As New SMTP
objSMTP.SMTPServers.Add("mail.domain.com", 465)
Dim objSSL As New SSL
objSMTP.Connect(objSSL.GetInterface())
Dim objMessage As New EmailMessage( _
    "recipient@domain.com", "sender@domain.com", _
    "Subject", "Body text", BodyPartFormat.Plain)
objSMTP.Send(objMessage)
objSMTP.Disconnect()
C# Sample
SMTP objSMTP = new SMTP();
objSMTP.SMTPServers.Add("mail.domain.com", 465);
SSL objSSL = new SSL();
objSMTP.Connect(objSSL.GetInterface());
EmailMessage objMessage = new EmailMessage(
    "recipient@quiksoft.com", "sender@domain.com",
    "Subject", "Body text", BodyPartFormat.Plain);
objSMTP.Send(objMessage);
objSMTP.Disconnect();

 

Yeah, that's it, pretty easy huh?  Communications with the mail server will take place on port 465 which is the standard port for SMTP data traveling over SSL connections.  The SSL plug-in is interfaced with the SMTP component during the call to Connect(), and the email components take over from there.

Retrieving Mail with POP3 over an SSL Connection

Retrieving mail over a secure connection is just as easy.  The following example uses the EasyMail .Net Edition POP3 component and Parse component with the SSL plug-in.

VB.Net Sample
' MemoryStream requires Imports System.IO
Dim objPOP3 As New POP3
Dim objSSL As New SSL
' Port 995: POP3 over SSL
objPOP3.Connect("mail.domain.com", _
                995, objSSL.GetInterface())
objPOP3.Login("account", "password", AuthMode.Plain)
' Download the first message into memory, then parse it
Dim memoryStream As New MemoryStream
objPOP3.DownloadMessage(1, memoryStream)
memoryStream.Position = 0
Dim msg As New EmailMessage(memoryStream)
Console.WriteLine(msg.Subject)
Console.ReadLine()

C# Sample
// MemoryStream requires using System.IO;
POP3 objPOP3 = new POP3();
SSL objSSL = new SSL();
// Port 995: POP3 over SSL
objPOP3.Connect("mail.domain.com",
                995, objSSL.GetInterface());
objPOP3.Login("account", "password", AuthMode.Plain);
// Download the first message into memory, then parse it
MemoryStream memoryStream = new MemoryStream();
objPOP3.DownloadMessage(1, memoryStream);
memoryStream.Position = 0;
EmailMessage msg = new EmailMessage(memoryStream);
Console.WriteLine(msg.Subject);
Console.ReadLine();

 

As you can see securely retrieving email from a POP3 server is very easy too.  It is a very simple sample, but the amount of work going on beneath the hood is extreme.  It demonstrates perfectly how EasyMail .Net Edition shields you from the complexities of SSL, POP3, MIME, parsing and much more.  The sample uses the POP3 component to download the first message in the POP account to a memory stream, then parses it and displays the subject.  Communications with the mail server will take place on port 995 which is the standard port for POP3 data traveling over SSL connections.  The SSL plug-in is interfaced with the POP3 component during the call to Connect().  Even I am wondering "Is that it?".  Yeah that's it.  It is amazing how much EasyMail .Net Edition does for you while at the same time EasyMail .Net Edition will enable experienced developers to control and access virtually every aspect of SSL, POP3 and the parsed message.

Retrieving Mail with IMAP4 over an SSL Connection

VB.Net Sample
Dim objIMAP4 As New IMAP4
Dim objSSL As New SSL
objIMAP4.Connect("mail.domain.com", _
                 993, objSSL.GetInterface())
objIMAP4.Login("account", "password")
objIMAP4.SelectMailbox("Inbox")
Dim env As Envelope
Dim envelopes As EnvelopeCollection
envelopes = objIMAP4.GetEnvelopes()
For Each env In envelopes
   Console.WriteLine(env.Subject)
Next
objIMAP4.Logout()
Console.ReadLine()
 
 
C# Sample
IMAP4 objIMAP4 = new IMAP4();
SSL objSSL = new SSL();
objIMAP4.Connect("mail.domain.com",
                 993, objSSL.GetInterface());
objIMAP4.Login("account","password");
objIMAP4.SelectMailbox("Inbox");
EnvelopeCollection envelopes = objIMAP4.GetEnvelopes();
foreach (Envelope env in envelopes)
   Console.WriteLine(env.Subject);
objIMAP4.Logout();
Console.ReadLine();

This example uses the IMAP4 component to make a connection on port 993, the standard port for IMAP communications over SSL.  The example displays the subject of every message found in the "Inbox" without parsing the message, by using the "envelopes" feature of the IMAP component.

Conclusion

SSL is an easy way to secure email messages.  It is most powerful when used to secure intraorganizational email.  With EasyMail .Net Edition and the SSL plug-in, you can quickly and easily build robust .Net email apps that take advantage of all the security SSL has to offer.  The EasyMail .Net Edition SSL plug-in goes far beyond what is demonstrated here and includes support for SSL2, SSL3, TLS1, PCT1, certificate management, client certificates, STARTTLS and much more... 

EasyMail .Net Edition makes sending and retrieving email easy, with or without support for SSL.  If you have not downloaded EasyMail .Net Edition and tried it for yourself, click here and get started now.

I hope you found this article informative and useful.  If you have any questions, comments or suggestions, please let me know. My contact information is below.


John Alessi has specialized in email development for the past 7 years and has helped many large companies such as Microsoft, Boeing and EarthLink with their e-mail needs. He can be reached at john@quiksoftcorp.com.  Quiksoft, founded in 1994, helps companies design and build email systems by providing reliable tools, consulting and programming services.


User Comments

Title: NO TEXT WRAP!   
Name: Stuart Welwood
Date: 2006-02-21 2:07:44 PM
Comment:
The text of this article does not wrap - VERY difficult to read!
