Community Email
This page describes the configuration of an email client for those who have been granted @cacert.org email addresses.
Process
Getting email set up through the community email servers is a multi-step process:
- get an email address approved through the policy procedure
- use https://community.cacert.org/password.php to set your password using the "admin assisted reset" button
- set up POP3S or IMAPS access to your incoming email
- set up SMTP for your outgoing email
Policy for Authorising Email Addresses
Currently, ManagementSubCommittee authorises the use of cacert.org email addresses.
Authentication
Your username for accessing all of these services is just a raw username like 'daniel', not an email address.
Passwords are stored in the Unix salted MD5 ("$1$") crypt format. Because only this digest is stored, you will be required to use the plain text authentication mechanism (LOGIN or PLAIN, over the SSL/TLS connection) in each of the email services.
The 'Secure Authentication' mechanisms require the plain text of the password to be stored on the server, and therefore cannot be supported.
Setting your password
Please use the online tool https://community.cacert.org/password.php to set/reset your password. With this you can:
- request a password change ("admin assisted reset" button)
- reset your own password if you have a CAcert X.509 certificate and present it during the SSL connection to the site ("set" button).
If this is broken, you can generate the digest password for the email account with one of the methods below and send it to the system administrator daniel@cacert.org, encrypted either with S/MIME (daniel@cacert.org_x509certificate.pem) or with PGP (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097).
To generate an MD5 password you can use openssl, generally available on any *nix (BSD/Linux/MacOSX) machine; it prompts for the password and prints the salted digest:
$ openssl passwd -1
Most systems have Perl. In this one-liner, "XXYYZZZ" denotes arbitrary characters to be used as the salt (don't worry about them, just pick them); the Crypt::PasswdMD5 module must be installed:
$ perl -le 'use Crypt::PasswdMD5; print unix_md5_crypt("password","XXYYZZZ")'
If you have a MySQL database on a unix system you can use the following (ENCRYPT() calls the system crypt(3) and was removed in MySQL 8.0, so this needs an older server):
mysql> select encrypt('password','$1$XXYYZZZ$');
PHP:
$ php -r "print crypt('password','\$1\$XXYYZZZ\$');"
Python (the crypt module was deprecated in Python 3.11 and removed in 3.13, so this needs an older interpreter):
$ python -c "from crypt import crypt; print(crypt('password','\$1\$XXYYZZZ\$'))"
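All of the one-liners above depend on a crypt(3) implementation being present on the machine. The following is an added example, not code from this page or from CAcert, that implements the same salted MD5 ("$1$") format directly in Python using only the standard library, so the digest can be produced on a system without crypt(3) (for instance Python 3.13, where the crypt module is gone). It also shows the check the server side performs: recompute the digest with the stored salt and compare in constant time. The function names (md5_crypt, verify, new_salt) and the sample password are choices made here, not anything from the page.

```python
import hashlib
import hmac
import secrets

# Alphabet used by the crypt(3) family for its base64-like encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def new_salt(length=8):
    """Random salt from the itoa64 alphabet; MD5-crypt uses at most 8 chars."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def md5_crypt(password, salt=None):
    """Return a '$1$<salt>$<digest>' string as produced by 'openssl passwd -1'.

    The salt may be given bare ("XXYYZZZ") or in the "$1$XXYYZZZ$" form
    used by the crypt() calls on this page; either way it is cut to 8 chars.
    """
    if salt is None:
        salt = new_salt()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")

    # Initial digest: password, magic, salt, plus a length-dependent mix of
    # md5(password + salt + password) and single bytes.
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching, the part that makes the format slow.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt + "$" + encoded


def verify(password, stored_hash):
    """Server-side check: recompute with the stored salt, compare in constant time."""
    if not stored_hash.startswith("$1$"):
        return False
    salt = stored_hash[3:].split("$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt), stored_hash)


if __name__ == "__main__":
    import getpass

    # Prompts like 'openssl passwd -1' and prints a digest with a random salt.
    print(md5_crypt(getpass.getpass("Password: ")))
```

Run as a script it behaves like openssl passwd -1; the output can be pasted into the password tool or sent to the administrator as described above. The reference value used in the self-check, "$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a." for the password "password", is the example given in the openssl passwd(1) manual page.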
Resetting your password
If you have a CAcert certificate for your @cacert.org address you can reset your own password using the "set" button at https://community.cacert.org/password.php. You must configure your web browser to send your certificate to this website.
Otherwise use the "admin assisted reset" which will send daniel a message.
If you are on the irc channel ircs://irc.cacert.org/cacert, you can ask dan, sourcerer or GolfRomeo who have access to reset passwords.
Failing that, to get your password reset/set send a crypt password, or a plaintext password, to daniel@cacert.org, or failing that contact support@cacert.org.
Accessing (your incoming) Email
Details for accessing your cacert email will be as follows:
for receiving email:
POP3
Host: community.cacert.org
POP3 (SSL): port 995
Authentication methods - Clear Text/LOGIN/PLAIN
IMAP
Host: community.cacert.org
IMAP (SSL): port 993
Authentication methods - Clear Text/LOGIN/PLAIN
Webmail
Webmail is accessible at https://community.cacert.org/
Sending (your outgoing) Email
for sending email:
Host: community.cacert.org
SMTP TLS: port 587
or:
SMTP SSL: port 465
Authentication method (required) - LOGIN or PLAIN (what some clients label "normal" or "insecure" password). NOT secure authentication: CRAM-MD5, DIGEST-MD5, NTLM, GSSAPI.
This SMTP service only sends email for your cacert.org account. You cannot send other email through it. To use it you need to configure an SMTP server per identity (Thunderbird documentation).
Please send all email from your *@cacert.org email account through the community.cacert.org:587 or community.cacert.org:465 gateway. Through these gateways, email gets digitally signed with DKIM.
It is planned to publish DNS records to instruct all DKIM-aware email servers that cacert.org email comes through this server. This is a preemptive attempt to reduce phishing emails related to the cacert.org domain. If you send through other email servers (such as your ISP's servers) your email may be dropped in the future.
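The receiving and sending settings above amount to four rules: the POP3/IMAP/SMTP "SSL" ports are wrapped in TLS from the first byte, port 587 starts in clear text and upgrades with STARTTLS, the password goes over the wire as-is (LOGIN or PLAIN), and the gateway only relays mail from your own cacert.org address. The following added example (not code from this page or from CAcert) encodes those rules with the Python standard library: it builds a TLS context that verifies the server certificate and host name, which is what makes sending a plain password acceptable, picks the TLS mode by port, shows exactly what a PLAIN initial response contains, and refuses to submit mail with a non-cacert.org sender before talking to the gateway. The username "daniel" and the sample password are placeholders taken from the page's own example; the helper names are choices made here.

```python
import base64
import imaplib
import smtplib
import ssl
from email.message import EmailMessage

HOST = "community.cacert.org"   # server name from this page
USERNAME = "daniel"             # raw username, not an email address

# port -> (protocol, how TLS is established), from the settings on this page
PORTS = {
    995: ("pop3", "implicit"),
    993: ("imap", "implicit"),
    465: ("smtp", "implicit"),
    587: ("smtp", "starttls"),
}


def tls_context():
    """Context that verifies the certificate chain and host name.

    LOGIN/PLAIN disclose the password to whoever terminates the TLS session,
    so the verification here is the only thing keeping it away from a
    spoofed server.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context would not verify the server")
    return ctx


def tls_mode(port):
    """'implicit' (TLS from the first byte) or 'starttls' (upgrade after EHLO)."""
    try:
        return PORTS[port][1]
    except KeyError:
        raise ValueError("port %d is not one of the %s service ports" % (port, HOST))


def auth_plain_initial_response(username, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): base64(authzid NUL user NUL pw).

    This is what 'PLAIN' authentication puts on the wire; it is not a hash,
    which is why it may only be sent inside the TLS session.
    """
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def check_sender(from_addr):
    """The gateway only relays mail for your cacert.org account; fail early."""
    if not from_addr.lower().endswith("@cacert.org"):
        raise ValueError("%s is not a cacert.org address; use another identity's SMTP server" % from_addr)
    return True


def open_imap(password, port=993):
    """IMAPS login; returns an authenticated IMAP4_SSL connection."""
    conn = imaplib.IMAP4_SSL(HOST, port, ssl_context=tls_context())
    conn.login(USERNAME, password)
    return conn


def open_smtp(password, port=587):
    """Connect to the gateway using the TLS mode that matches the port.

    Wrapping port 587 in implicit TLS (SMTP_SSL) makes the client wait for a
    TLS handshake the server never starts, which shows up as a timeout.
    """
    ctx = tls_context()
    if tls_mode(port) == "implicit":
        conn = smtplib.SMTP_SSL(HOST, port, context=ctx)
    else:
        conn = smtplib.SMTP(HOST, port)      # clear text only until STARTTLS
        conn.starttls(context=ctx)
    conn.login(USERNAME, password)           # smtplib uses PLAIN or LOGIN here
    return conn


def send_via_gateway(password, from_addr, to_addr, subject, body, port=587):
    """Submit one message through the gateway, where it gets DKIM-signed."""
    check_sender(from_addr)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, to_addr, subject
    msg.set_content(body)
    with open_smtp(password, port) as conn:
        conn.send_message(msg)
```

open_imap and send_via_gateway need network access to community.cacert.org and a real password; the other functions run offline and are the ones worth checking in a client setup: tls_mode(587) must come back as "starttls", and auth_plain_initial_response shows that the "plain" in PLAIN is literal.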
FAQ
Q. How do i get a certificate for my @cacert.org email address?
A. Use the web interface to verify the address, then issue certificates for it. An initial greylisting mechanism blocks the first delivery attempt of the verification email, so the first try will display a temporary failure message. If you request the email verification again after 5 minutes, the verification email will go through.
Q. I've forgotten or want to change my password?
A. Use https://community.cacert.org/password.php to set your new password. Please use the self-set facility if you have an X.509 certificate issued for your email address.
Q. Can I use fetchmail or other automated methods to access my email?
A. Sure you can - it's your email.
Q. When trying to send email I get a timeout from community.cacert.org. What's going wrong?
A. You're probably using SSL rather than TLS. Set your configuration to TLS (STARTTLS on port 587) and sending email should work.
Q. When setting up Thunderbird, it gives me lots of strange errors.
A. Yes. Thunderbird misdiagnoses the setup blocks. Be patient, be persistent, it will take a couple of attempts. Once to misdiagnose the certificate, and once to enter the password. Interpret the errors as hints that "something went wrong", not literally.
Q. How is this process controlled or written?
A. A work-in-progress PolicyDrafts/EmailHandling documents the basic thinking. It should be expanded one day into a better document.