If you are confused about how to implement security in an email app, you are not alone: SSL, S/MIME, PGP, certificates, signatures--it all can get quite confusing. There are many methods of securing email, each with its own strengths, weaknesses, and complexities. This is the first in a series of articles dealing with email security in which I hope to simplify some of these complexities.
In this article I will focus on SSL and leave future articles to deal with the other security methods and protocols. Unlike other information you may have read about SSL, the information presented in this article is from an email developer's perspective. I will explore the pros and cons of SSL and show you exactly what you need to know to properly build and support an email client application that can send and retrieve email over an SSL encrypted channel. Sample code is also included which will enable you to build SSL-enabled .NET apps within minutes!
In this edition you will learn:
This edition also contains easy sample code in VB.Net and C# including:
Introduction
Normal email messages are sent across the Internet in a plain text format. This leaves the messages susceptible to all sorts of electronic eavesdropping. SSL enables us to easily secure our email apps while keeping the SSL security invisible to the end user.
Every techie is familiar with SSL (Secure Sockets Layer) to some degree. SSL is the technology which encrypts data during its transmission to and from a secure website. All e-commerce applications rely on SSL to ensure that sensitive information, such as credit card numbers, is not transmitted across the public Internet in a manner which can be easily intercepted and decoded by a third party. SSL is very transparent to the end user; in fact, the end user needs to know nothing and do nothing. It just happens, it just works. That is one of the biggest strengths of SSL: it is invisible, or transparent, to the end user.
SSL is transparent to the end user because its functionality is built into the browser and works automatically. In this article I will show you how to build this same type of automatic, secure functionality into your email apps.
SSL encryption happens at a lower level than the standard Internet email protocols such as SMTP, POP3 and IMAP4. Because of this, these protocols do not need to be modified to handle connections over an SSL protected channel. In fact, these protocols are oblivious to the existence or nonexistence of an SSL connection.
SSL also provides the ability for both the client and server to identify themselves and enables applications to prohibit communications with unknown parties. This is accomplished by digital certificates which are exchanged between the sockets before they are secured. The entire topic of digital certificates is beyond the scope of this article; however, I will touch on it briefly.
During the initialization of the SSL communication, the server sends its certificate to the client. The server's certificate includes identifying information and also an encryption key which the client should use for the encrypted communication to follow. The client is able to verify the authenticity of the certificate to prove to itself that it is indeed communicating with the correct mail server; otherwise an error is thrown.
There are two important things to be aware of when using SSL to secure email.
Caveat One. SSL does an excellent job protecting your data while it travels between application doorways, but its protection ends there - at the doorway. SSL does not protect data in either application, only on its path between them. For example, someone who obtains your email account and password may still be able to access your messages on the server, although it should be noted that SSL client authentication, if employed, might make this impossible. Also, since SSL protects passwords as they are sent across the network, they are virtually impossible to intercept, at least during the encrypted conversation between the client and server.
After reading the caveats you may be wondering how SSL can help anyway. Actually there are some really good uses for SSL. Intraorganizational email is by far the greatest and best use of SSL email security that I can think of. SSL email can easily protect intraorganizational communications such as corporate, educational, government, military, healthcare, etc. This is especially important where confidentiality/privacy concerns are high. In fact, recent privacy laws and legislation such as HIPAA may require that certain email communications be encrypted.
SSL works well in these environments because all of the communication systems can be placed under the central, internal control of the organization. Intraorganizational mail can be handled by one or more servers which all support SSL. The servers may be set up to require all incoming connections to be encrypted with SSL, and all mail clients can very easily be configured to connect to their company server via SSL.
If you are building a web mail application or any mail application that gets its data from web forms, etc, you can use the HTTPS protocol so that the data can not be intercepted as it travels between the user's browser and the server. In this situation the mail client is actually a combination of the browser and web server. HTTPS (SSL encrypted HTTP) protects data between the browser and the web server, and the web server process can also use SSL over SMTP, POP3, IMAP4, etc... to communicate with the actual mail server, if necessary.
The following sample code demonstrates how to send Internet email over a secure connection to an SSL enabled SMTP server.
VB.Net Sample
Dim objSMTP As New SMTP
objSMTP.SMTPServers.Add("mail.domain.com", 465)
Dim objSSL As New SSL
objSMTP.Connect(objSSL.GetInterface())
Dim objMessage As New EmailMessage( _
"recipient@domain.com", "sender@domain.com", _
"Subject", "Body text", BodyPartFormat.Plain)
objSMTP.Send(objMessage)
objSMTP.Disconnect()
C# Sample
SMTP objSMTP = new SMTP();
objSMTP.SMTPServers.Add("mail.domain.com", 465);
SSL objSSL = new SSL();
objSMTP.Connect(objSSL.GetInterface());
EmailMessage objMessage = new EmailMessage(
    "recipient@quiksoft.com", "sender@domain.com",
    "Subject", "Body text", BodyPartFormat.Plain);
objSMTP.Send(objMessage);
objSMTP.Disconnect();
Yeah, that's it, pretty easy huh? Communications with the mail server will take place on port 465 which is the standard port for SMTP data traveling over SSL connections. The SSL plug-in is interfaced with the SMTP component during the call to Connect(), and the email components take over from there.
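What an SSL connection to port 465 involves at the socket level, as an added example that is not EasyMail code and not part of the original article: it uses .NET's built-in SslStream, rejects a server certificate that fails validation during the handshake, and then speaks ordinary SMTP over the encrypted stream. The host name is the article's placeholder; the names SmtpsProbe and ValidateServer are illustrative.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class SmtpsProbe   // illustrative name, not an EasyMail type
{
    // Accept the server only if its certificate chains to a trusted root and
    // matches the requested host name; report the reason when it does not.
    static bool ValidateServer(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"Rejected certificate '{cert?.Subject}': {errors}");
        return false;
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "mail.domain.com"; // article's placeholder
        const int port = 465;                                        // SMTP over SSL, as in the samples

        try
        {
            using var tcp = new TcpClient(host, port);
            using var tls = new SslStream(tcp.GetStream(), false, ValidateServer);

            // The handshake and certificate check happen here, before any SMTP byte is sent.
            tls.AuthenticateAsClient(host);
            Console.WriteLine($"{tls.SslProtocol}, server: {tls.RemoteCertificate?.Subject}");

            // SMTP itself is unchanged; it simply runs over the encrypted stream.
            using var reader = new StreamReader(tls);
            using var writer = new StreamWriter(tls) { NewLine = "\r\n", AutoFlush = true };
            Console.WriteLine(reader.ReadLine());   // server greeting (220 ...)
            writer.WriteLine("QUIT");
            Console.WriteLine(reader.ReadLine());   // server closing reply (221 ...)
        }
        catch (AuthenticationException ex)
        {
            // Raised when ValidateServer returns false or the handshake fails.
            Console.Error.WriteLine($"TLS authentication failed: {ex.Message}");
        }
    }
}
```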
Retrieving mail over a secure connection is just as easy. The following example uses the EasyMail .Net Edition POP3 component and Parse component with the SSL plug-in.
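VB.Net Sample
' MemoryStream requires Imports System.IO
Dim objPOP3 As New POP3
Dim objSSL As New SSL
' Connect on port 995 with the SSL plug-in attached
objPOP3.Connect("mail.domain.com", _
    995, objSSL.GetInterface())
objPOP3.Login("account", "password", AuthMode.Plain)
' Download the first message into memory, then parse it
Dim memoryStream As New MemoryStream
objPOP3.DownloadMessage(1, memoryStream)
memoryStream.Position = 0
Dim msg As New EmailMessage(memoryStream)
Console.WriteLine(msg.Subject)
Console.ReadLine()
C# Sample
// MemoryStream requires using System.IO;
POP3 objPOP3 = new POP3();
SSL objSSL = new SSL();
// Connect on port 995 with the SSL plug-in attached
objPOP3.Connect("mail.domain.com",
    995, objSSL.GetInterface());
objPOP3.Login("account", "password", AuthMode.Plain);
// Download the first message into memory, then parse it
MemoryStream memoryStream = new MemoryStream();
objPOP3.DownloadMessage(1, memoryStream);
memoryStream.Position = 0;
EmailMessage msg = new EmailMessage(memoryStream);
Console.WriteLine(msg.Subject);
Console.ReadLine();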
As you can see, securely retrieving email from a POP3 server is very easy too. It is a very simple sample, but the amount of work going on beneath the hood is extreme. It demonstrates perfectly how EasyMail .Net Edition shields you from the complexities of SSL, POP3, MIME, parsing and much more. The sample uses the POP3 component to download the first message in the POP account to a memory stream, then parses it and displays the subject. Communications with the mail server will take place on port 995 which is the standard port for POP3 data traveling over SSL connections. The SSL plug-in is interfaced with the POP3 component during the call to Connect(). Even I am wondering "Is that it?". Yeah, that's it. It is amazing how much EasyMail .Net Edition does for you, while at the same time it enables experienced developers to control and access virtually every aspect of SSL, POP3 and the parsed message.
VB.Net Sample
Dim objIMAP4 As New IMAP4
Dim objSSL As New SSL
' Connect on port 993 with the SSL plug-in attached
objIMAP4.Connect("mail.domain.com", _
    993, objSSL.GetInterface())
objIMAP4.Login("account", "password")
objIMAP4.SelectMailbox("Inbox")
' List the subject of every message in the mailbox
Dim env As Envelope
Dim envelopes As EnvelopeCollection
envelopes = objIMAP4.GetEnvelopes()
For Each env In envelopes
    Console.WriteLine(env.Subject)
Next
objIMAP4.Logout()
C# Sample
IMAP4 objIMAP4 = new IMAP4();
SSL objSSL = new SSL();
// Connect on port 993 with the SSL plug-in attached
objIMAP4.Connect("mail.domain.com",
    993, objSSL.GetInterface());
objIMAP4.Login("account", "password");
objIMAP4.SelectMailbox("Inbox");
// List the subject of every message in the mailbox
EnvelopeCollection envelopes = objIMAP4.GetEnvelopes();
foreach (Envelope env in envelopes)
    Console.WriteLine(env.Subject);
objIMAP4.Logout();
Console.ReadLine();
SSL is an easy way to secure email messages. It is most powerful when used to secure intraorganizational email. With EasyMail .Net Edition and the SSL plug-in, you can quickly and easily build robust .Net email apps that take advantage of all the security SSL has to offer. The EasyMail .Net Edition SSL plug-in goes far beyond what is demonstrated here and includes support for SSL2, SSL3, TLS1, PCT1, certificate management, client certificates, STARTTLS and much more...
EasyMail .Net Edition makes sending and retrieving email easy, with or without support for SSL. If you have not downloaded EasyMail .Net Edition and tried it for yourself, click here and get started now.
I hope you found this article informative and useful. If you have any questions, comments or suggestions, please let me know. My contact information is below.