NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
CAcert.org Community E-Mail
- This page describes how to configure an email client for those who have been granted @cacert.org email addresses.
Process
- Getting email set up through the community email servers is a multi-step process:
- get an email address approved through the Communications Practices
- use https://selfservice.cacert.org/password-reset to set your password using the "admin assisted reset" button
- set up POP3S or IMAPS access to your incoming email
- set up SMTP for your outgoing email
Getting an E-Mail Address Authorized and/or Allocated
- If you help out CAcert in some tangible way you can have one. Currently, the team members and leader agree to the issue of cacert.org email addresses.
If you are helping out CAcert on a semi-permanent and regular basis, and/or have a need for an official cacert.org email address, please email your CAcert contact and they will task the system administrator to create an account once approved. The Communications Practices document describes the current working practices as agreed by the board.
Authentication
- Your username for accessing all of these services is your email address.
- You will be required to use the plain text authentication mechanism in each of the email services.
- The 'Secure Authentication' mechanisms require the plain text of the passwords to be stored on the server (which they aren't), and therefore cannot be supported.
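Why the server-side storage format decides which mechanisms can be offered, as an added example that is not part of the original page or of CAcert's server code. The account name, password, challenge string and the PBKDF2 parameters are constructed for illustration; the page does not say which hash the server actually uses.

```python
import base64
import hashlib
import hmac
import os

USER = "someone@cacert.org"      # constructed sample account
PASSWORD = "constructed-sample"  # constructed sample password

def plain_initial_response(user, password):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64 for the wire."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())

def decode_plain(blob):
    """What any observer of a non-TLS session could do with a PLAIN response."""
    _authzid, user, password = base64.b64decode(blob).split(b"\0", 2)
    return user.decode(), password.decode()

def store_password(password, salt=None):
    """Server-side record for PLAIN/LOGIN: salt and slow hash, no plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(blob, record):
    """The server sees the password in the response, so it can rehash and compare."""
    salt, digest = record
    _user, password = decode_plain(blob)
    return hmac.compare_digest(store_password(password, salt)[1], digest)

def cram_md5_response(user, password, challenge):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 over the challenge, keyed with the password."""
    return f"{user} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}"

def verify_cram_md5(response, challenge, key):
    """The server must recompute the same HMAC, so it needs the password itself
    (or a password-equivalent key); a salted hash is of no use here."""
    mac = response.rsplit(" ", 1)[1]
    expected = hmac.new(key, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    record = store_password(PASSWORD)
    blob = plain_initial_response(USER, PASSWORD)
    print("PLAIN verified from hash:", verify_plain(blob, record))
    print("PLAIN readable off the wire:", decode_plain(blob))
    challenge = b"<1896.697170952@community.cacert.org>"  # constructed challenge
    resp = cram_md5_response(USER, PASSWORD, challenge)
    print("CRAM-MD5 with plaintext:", verify_cram_md5(resp, challenge, PASSWORD.encode()))
    print("CRAM-MD5 with stored hash:", verify_cram_md5(resp, challenge, record[1]))
```

Because a PLAIN response decodes straight back to the password, it is only acceptable inside the TLS-protected ports listed on this page.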
Setting your Password
Please use the online tool https://selfservice.cacert.org/password-reset to set/reset your password.
- With this you can:
- reset your own password if you have a CAcert X509 certificate that is sent during the SSL connection to the site ("set" button).
If this is broken, send a password for the email account to the system administrator Email Admin <email-admin AT cacert SPAMFREE DOT org>
Resetting your Password
If you have a CAcert certificate for your @cacert.org address you can reset your own password using the "set" button at https://selfservice.cacert.org/password-reset. You must configure your web browser to send your certificate to this website.
If you are on the IRC channel ircs://irc.cacert.org/sysadm, you can ask jandd or mario, who have access to reset anyone's password.
Failing that, to get your password set or reset, send a plaintext password to email-admin@cacert.org.
Accessing (your incoming) E-Mail
- Details for accessing your cacert email will be as follows:
- for receiving email:
POP3
- Host: community.cacert.org
- POP3 (SSL): port 995
- Authentication methods - Clear Text/LOGIN/PLAIN
IMAP
- Host: community.cacert.org
- IMAP (SSL): port 993
- Authentication methods - Clear Text/LOGIN/PLAIN
Manage Sieve
- Host: community.cacert.org
- IMAP (STARTTLS): port 143
- Authentication methods - Clear Text/LOGIN/PLAIN
- Allows you to add Sieve rules to perform server-side filtering, for example:
    require ["fileinto"];
    if header :is "List-id" "<cacert-board.lists.cacert.org>" {
        fileinto "INBOX.cacert-board";
    }
    if header :is "List-id" "<cacert.lists.cacert.org>" {
        fileinto "INBOX.cacert";
    }
- Note: Mailing lists should filter on List-id.
Webmail
Webmail is accessible at https://webmail.cacert.org/ - Supports X509 authentication and a Manage Sieve interface.
Sending (your outgoing) E-Mail
- for sending email:
- Host: community.cacert.org
- SMTP TLS: port 587 (preferred)
- or:
- SMTP SSL: port 465
- Authentication method (required) - LOGIN or PLAIN (the option some clients label "insecure"). "Secure authentication" mechanisms such as CRAM-MD5, DIGEST-MD5, NTLM, GSSAPI etc. are not supported.
This SMTP service allows sending email for your cacert.org account only. You cannot send other email through this email server. To use this you need to configure an SMTP server per identity (Thunderbird documentation).
Please send all email from your *@cacert.org email account through the community.cacert.org:587 or community.cacert.org:465 gateway. Through these gateways, email gets digitally signed using DKIM.
It is planned to publish DNS records to instruct all DKIM-aware email servers that cacert.org email comes through this server. This is a preemptive attempt to reduce phishing emails related to the cacert.org domain. If you send through other email servers (such as your ISP's servers) your email may be dropped in the future.
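A scripted submission through the gateway, as an added example that is not part of the original page. It assumes the page's "TLS" on port 587 means STARTTLS and "SSL" on port 465 means TLS from the first byte (mixing the two up produces the timeout described in the FAQ); the function names and the optional `cafile` parameter are hypothetical.

```python
import smtplib
import ssl
from email.message import EmailMessage

HOST = "community.cacert.org"                # from the page
MODES = {587: "starttls", 465: "implicit"}   # port -> how TLS is started

def tls_mode(port):
    """Return how TLS is negotiated on a documented submission port."""
    if port not in MODES:
        raise ValueError(f"port {port} is not a documented submission port")
    return MODES[port]

def build_message(sender, recipient, subject, body):
    """The gateway relays only for your own cacert.org account, so check early."""
    if not sender.lower().endswith("@cacert.org"):
        raise ValueError("sender must be your @cacert.org address")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg

def submit(msg, password, port=587, cafile=None):
    """Send msg; the password only ever travels inside a verified TLS session."""
    # Assumption: pass cafile if the server certificate's issuer is not in
    # the system trust store. Verification is never switched off.
    ctx = ssl.create_default_context(cafile=cafile)
    if tls_mode(port) == "implicit":
        conn = smtplib.SMTP_SSL(HOST, port, context=ctx, timeout=30)
    else:
        conn = smtplib.SMTP(HOST, port, timeout=30)
    with conn:
        if tls_mode(port) == "starttls":
            conn.starttls(context=ctx)    # raises if STARTTLS is not offered
        conn.ehlo()                       # re-read capabilities over TLS
        conn.login(str(msg["From"]), password)  # username is the email address
        conn.send_message(msg)
```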
FAQ
- Q. How do I get a certificate for my @cacert.org email address?
- A. Use the web interface to verify the address then issue certificates for it. There is an initial greylisting mechanism that blocks the first verification email, though. This will display a temporary failure message. If you request the email verification again in 5 minutes the verification email will go through.
- Q. I've forgotten or want to change my password?
- A. Use https://selfservice.cacert.org/password-reset to set your new password. Please use the self set facility if you have an X509 certificate issued for your email address.
- Q. Can I use fetchmail or other automated methods to access my email?
- A. Sure you can - it's your email.
- Q. When trying to send email I get a timeout from community.cacert.org. What's going wrong?
- A. You're probably using SSL rather than TLS. Set your configuration to TLS and sending email should work.
- Q. When setting up Thunderbird, it gives me lots of strange errors.
- A. Yes. Thunderbird misdiagnoses the setup blocks. Be patient, be persistent, it will take a couple of attempts. Once to misdiagnose the certificate, and once to enter the password. Interpret the errors as hints that "something went wrong", not literally.
- Q. How is this process controlled or written?
- A. It changes so often the sysadmins just make it up with the management flavour of the day.
- Q. How do I set Thunderbird for a separate outgoing email server?
- Q. What is the motivation for using CAcert emails?
- A. Several motivations:
- using a CAcert email address can signal you are working for the community
- for official business, it is part of a strategy to help CAcert to deal with legal discovery costs.
- email from CAcert address to CAcert address will be somewhat confidential without PGP or S/MIME because the point-to-point transmission (your client to server, server to his client) will be over TLS.
- you are participating in a CAcert project to use our own certificates and develop use of cryptography. This is an important testing ground for how we help the Member to secure herself c.f. Mission.
- Q. More to read?
- The Communications Practices document describes the current working practices as promoted by the board.
- PolicyDrafts/EmailHandling contains more historical rationale.
- CAcert Communication Policy is a deprecated document applying to approximately 2008. This "policy" was substantially tighter than current practices.
Inputs & Thoughts
20140329-MichaelGrigutsch:
- Attention. You might get a problem if you
- get mails from a cacert.org-address to an external address which is configured to be forwarded to your cacert.org-address or
- try to bounce a mail from a sender with a cacert.org-address to another user with a cacert.org-address.
In these cases your mails will not be accepted by the cacert.org-mailserver and rejected with the message: "Sender address rejected: If you really own this account you should be sending though the authenticated gateway http://wiki.cacert.org/wiki/CommunityEmail".