Secure the e-mail in your .NET apps with SSL e-mail components
Your .NET app can easily send and retrieve secure e-mail...
by John Alessi
If you are confused about how to implement security in an e-mail app, you are not alone - SSL, S/MIME, PGP, certificates, signatures - it all can get quite confusing. There are many methods of securing e-mail, each with its own strengths, weaknesses and complexities. This is the first in a series of articles dealing with e-mail security in which I hope to simplify some of these complexities. In this article I will focus on SSL and leave future articles to deal with the other security methods and protocols. Unlike other information you may have read about SSL, the information presented in this article is from an e-mail developer's perspective. I will explore the pros and cons of SSL and show you exactly what you need to know to properly build and support an e-mail client application that can send and retrieve e-mail over an SSL encrypted channel. Sample code is also included which will enable you to build SSL enabled .Net apps - within minutes!
In this edition you will learn:
- How SSL works to safeguard data
- How SSL is used to protect e-mail
- The benefits of client authentication
- Two critical things you need to know about what SSL will not do
- How you can use SSL to safeguard e-mail in your app
- Client and server requirements for securing e-mail with SSL
- About the bonus protection provided by SSL
- What types of apps can benefit from securing e-mail with SSL
- Sending a message with SMTP over an SSL connection
- Retrieving a message from a POP3 server over an SSL connection
- Retrieving a message from an IMAP4 server over an SSL connection
Normal e-mail messages are sent across the Internet in a plain text format. This leaves the messages susceptible to all sorts of electronic eavesdropping. SSL enables us to easily secure our e-mail apps while keeping the SSL security invisible to the end user.
Every techie is familiar with SSL (Secure Sockets Layer) to some degree. SSL is the technology which encrypts data during its transmission to and from a secure website. All e-commerce applications rely on SSL to ensure that sensitive information, such as credit card numbers, is not transmitted across the public Internet in a form that can be easily intercepted and decoded by a third party. SSL is transparent to the end user: the user needs to know nothing and do nothing, it just happens, it just works. That is one of the biggest strengths of SSL - the fact that it is invisible to the end user.
SSL is transparent to the end user because its functionality is built into the browser and works automatically. In this article I will show you how to build this same type of automatic, secure functionality into your e-mail apps.
So how does SSL work? How secure is it and how can it be used to secure e-mail?
SSL - How it secures e-mail
SSL works at the socket level. Sockets are a pair of end-points of a two-way communication link between two programs running on the network. All TCP/IP communication on the Windows platform uses sockets. In the e-mail paradigm one of the sockets is used by the e-mail client application and the other by the e-mail server. These applications usually reside on different systems across the network, however there is nothing preventing them from being on the same system either. You can think of a socket as a data doorway into and out of an application. Normal e-mail communications send your e-mail messages out the door in a plain text format. As the message travels between doorways, it is susceptible to prying eyes. Electronic eavesdropping applications can easily read the contents of your messages as they travel across the network and gain access to attachments and other message data. SSL protects your messages by automatically encrypting the data as it travels between doorways (sockets). Data is automatically encrypted just before it goes out the door, and automatically decrypted immediately after it enters the door.
SMTP, POP3, IMAP4: where does it all fit in?
SSL encryption happens at a lower level than the standard Internet e-mail protocols such as SMTP, POP3 and IMAP4. Because of this, these protocols do not need to be modified to handle connections over an SSL protected channel. In fact, these protocols are oblivious to the existence or nonexistence of an SSL connection.
SSL also provides the ability for both the client and server to identify themselves and enables applications to prohibit communications with unknown parties. This is accomplished by digital certificates which are exchanged between the sockets before they are secured. The entire topic of digital certificates is beyond the scope of this article, however I will touch on it briefly.
During the initialization of the SSL communication (the handshake), the server sends its certificate to the client. The server's certificate includes identifying information and the server's public key, which the client uses during the handshake to establish the keys for the encrypted communication to follow. The client verifies the authenticity of the certificate to prove to itself that it is indeed communicating with the correct mail server; otherwise an error is thrown and no data is sent.
After the client has authenticated the server, the client may also supply a certificate to identify itself. This step is optional, but its purpose is to enable the server to authenticate the client. In an e-mail system for example, the server may be configured to only communicate with known clients. This level of security is not usually implemented because it requires special setup on each client as well as more administrative work on the server, thus negating the transparency of SSL to the end user. Perhaps as e-mail clients and servers get more robust they might make client authentication easier for the users and administrators.
There is a big bonus to using SSL to secure e-mail. Since SSL encrypts the entire client/server conversation, not only the contents of individual e-mail messages, other data sent between client and server, such as account names and passwords, is also encrypted and thus protected. This is really important: what good does it do to encrypt your message en route to the server, only to have your account name and password intercepted and used to gain access to the server itself?
To use SSL with e-mail, both the client and the server must have built-in support. The sample code to follow will show you how to easily include this support into your .Net client applications with just a few lines of code! The server must also support SSL. If your mail server does not support SSL, you may be able to use SSL gateway software, or a relay server, which supports SSL. The gateway/relay server accepts mail over an SSL encrypted connection and then passes the data on to your server over a standard unencrypted channel. If the gateway/relay and your server reside on the same system, or behind the same firewall, most of the benefits of SSL may be retained. The server will also need a digital certificate for SSL communications, which can be obtained from a certificate authority.
There are two important things to be aware of when using SSL to secure e-mail.
Caveat One. SSL does an excellent job protecting your data while it travels between application doorways, but its protection ends there - at the doorway. SSL does not protect data in either application, only on its path between them. For example, someone who obtains your e-mail account and password may still be able to access your messages on the server, although it should be noted that SSL client authentication, if employed, might make this impossible. Also, since SSL protects passwords as they are sent across the network, they are virtually impossible to intercept, at least during the encrypted conversation between the client and server.
Caveat Two. As an e-mail message travels across the Internet it will pass through one or more SMTP servers. For example, if you are at a.com and sending mail to someone at b.com, your message will normally go to the a.com SMTP server first. The a.com SMTP server will then contact the b.com server and relay the message to it. If your client application and the a.com SMTP server both support SSL, your client will be able to send secure mail to the a.com server. However if the b.com server does not support SSL, the a.com server may send the message to the b.com server without encryption. There may be many servers involved with the delivery of a message, and unless they are all under your control, it will be impossible to ensure that your message is delivered via SSL along the entire path. Also important to note is that if the recipient's mail client application does not support SSL, your message will be retrieved without SSL protection no matter what.
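The only record of which hops actually used SSL is the chain of Received: headers that each relay prepends to the message. As an added illustration of Caveat Two (this is not code from the article or from Quiksoft), the Python script below unfolds that trace and reports, hop by hop, whether the relay recorded a TLS-protected transfer, using the "with ESMTPS" / "with ESMTPSA" keywords registered in RFC 3848 (and the UTF8SMTPS variants from RFC 6531). The three header lines, host names and ids are constructed for the example.

```python
"""Audit the Received: trace of a delivered message, hop by hop.

Added illustration of the hop-by-hop caveat: SSL/TLS protects one SMTP
hop at a time, so the only record of whether every relay used it is the
chain of Received: headers each server prepends.  RFC 3848 registers the
"with" keywords ESMTPS / ESMTPSA (RFC 6531 the UTF8SMTPS variants) for
hops that ran over TLS; a plain ESMTP/SMTP keyword means the hop was
cleartext.  The sample header block below is constructed.
"""
import re

# Constructed header block.  Each server prepends its own Received: line,
# so the topmost header is the LAST hop and the bottom one is the first.
SAMPLE_HEADERS = """\
Received: from mx.b.example (mx.b.example [192.0.2.20])
        by inbound.b.example with ESMTPS id 2bc5
        (version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
        Tue, 1 Jan 2019 10:00:05 +0000
Received: from smtp.a.example (smtp.a.example [192.0.2.10])
        by mx.b.example with ESMTP id 1ab4;
        Tue, 1 Jan 2019 10:00:03 +0000
Received: from client.a.example (client.a.example [198.51.100.7])
        by smtp.a.example with ESMTPSA id 0fa3;
        Tue, 1 Jan 2019 10:00:01 +0000
From: alice@a.example
To: bob@b.example
Subject: quarterly numbers
"""

# "with" keywords whose protocol name carries the TLS marker "S"
# (RFC 3848 ESMTPS/ESMTPSA, RFC 6531 UTF8SMTPS/UTF8SMTPSA, LMTP variants).
_TLS_KEYWORD = re.compile(r"(?:UTF8)?[EL]?SMTPS(?:A)?", re.IGNORECASE)


def _unfold(header_block):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", header_block)


def audit_received(header_block):
    """Return one dict per hop, in delivery order (first hop first).

    Each dict holds the sending host ("from"), the receiving host ("by"),
    the raw "with" keyword and a boolean "tls" derived from that keyword.
    """
    hops = []
    for line in _unfold(header_block).splitlines():
        if not line.lower().startswith("received:"):
            continue
        frm = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        with_ = re.search(r"\bwith\s+(\S+)", line)
        keyword = with_.group(1) if with_ else ""
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "with": keyword,
            "tls": bool(_TLS_KEYWORD.fullmatch(keyword)),
        })
    hops.reverse()  # header order is newest-first; report oldest-first
    return hops


def unencrypted_hops(header_block):
    """List 'from -> by' for every hop whose keyword shows no TLS."""
    return [f'{h["from"]} -> {h["by"]}'
            for h in audit_received(header_block) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_HEADERS):
        flag = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f'{flag:9} {hop["from"]} -> {hop["by"]} ({hop["with"]})')
    print("unprotected hops:", unencrypted_hops(SAMPLE_HEADERS))
```

On the constructed trace the first and last hops ran over TLS, but the relay from a.example to b.example recorded plain ESMTP, which is exactly the gap Caveat Two describes. The check is only as good as what each relay wrote: a server that omits or rewrites the "with" keyword cannot be audited this way, so the result is evidence of the path taken, not a guarantee.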
When can SSL help?
After reading the caveats you may be wondering how SSL can help at all. Actually, there are some really good uses for SSL. Intraorganizational e-mail is by far the greatest and best use of SSL e-mail security that I can think of. SSL can easily protect intraorganizational communications in corporate, educational, government, military, healthcare and similar settings. This is especially important where confidentiality and privacy concerns are high; in fact, recent privacy laws and legislation such as HIPAA may require that certain e-mail communications be encrypted.
SSL works well in these environments because all of the communication systems can be placed under the central, internal control of the organization. Intraorganizational mail can be handled by one or more servers which all support SSL. The servers may be set up to require all incoming connections to be encrypted with SSL, and all mail clients can very easily be configured to connect to their company server via SSL.
This is a fairly easy situation to implement and administer and will provide excellent e-mail security within the organization. Communications between employees, executives, board members, contractors, those on the road and those working from home are all easily protected by a very high level of security.
If you are building a web mail application, or any mail application that gets its data from web forms, you can use the HTTPS protocol so that the data cannot be intercepted as it travels between the user's browser and the server. In this situation the mail client is actually a combination of the browser and the web server. HTTPS (SSL encrypted HTTP) protects data between the browser and the web server, and the web server process can in turn use SSL with SMTP, POP3, IMAP4 and so on to communicate with the actual mail server, if necessary.
SSL support for your app
Adding SSL capabilities to your e-mail application is very simple provided that you have the right set of components to handle the low level details such as certificate exchange, certificate authentication and encryption. The following samples use EasyMail .Net Edition with the optional SSL plug-in. The SSL plug-in component enables applications which use EasyMail .Net Edition to send and receive SSL protected e-mail with only a few lines of code. EasyMail .Net Edition, the SSL plug-in and all the sample code in this issue can be downloaded here.
Sending mail over an SSL connection
The following sample code demonstrates how to send Internet e-mail over a secure connection to an SSL enabled SMTP server.
VB.Net Sample

' EasyMail .Net Edition namespaces for the SMTP component and the SSL plug-in
Imports Quiksoft.EasyMail.SMTP
Imports Quiksoft.EasyMail.SSL

Dim objSMTP As New SMTP
' Port 465 is the standard port for SMTP over SSL
objSMTP.SMTPServers.Add("mail.domain.com", 465)
Dim objSSL As New SSL
' Hand the SSL plug-in to the SMTP component; the channel is encrypted from here on
objSMTP.Connect(objSSL.GetInterface())
Dim objMessage As New EmailMessage( _
    "firstname.lastname@example.org", "email@example.com", _
    "Subject", "Body text", BodyPartFormat.Plain)
objSMTP.Send(objMessage)
objSMTP.Disconnect()

C# Sample

// EasyMail .Net Edition namespaces for the SMTP component and the SSL plug-in
using Quiksoft.EasyMail.SMTP;
using Quiksoft.EasyMail.SSL;

SMTP objSMTP = new SMTP();
// Port 465 is the standard port for SMTP over SSL
objSMTP.SMTPServers.Add("mail.domain.com", 465);
SSL objSSL = new SSL();
// Hand the SSL plug-in to the SMTP component; the channel is encrypted from here on
objSMTP.Connect(objSSL.GetInterface());
EmailMessage objMessage = new EmailMessage(
    "firstname.lastname@example.org", "email@example.com",
    "Subject", "Body text", BodyPartFormat.Plain);
objSMTP.Send(objMessage);
objSMTP.Disconnect();

Yeah, that's it, pretty easy huh? Communications with the mail server will take place on port 465, which is the standard port for SMTP data traveling over SSL connections. The SSL plug-in is interfaced with the SMTP component during the call to Connect(), and the e-mail components take over from there.
Retrieving mail with POP3 over an SSL connection
Retrieving mail over a secure connection is just as easy. The following example uses the EasyMail .Net Edition POP3 component and Parse component with the SSL plug-in.
VB.Net Sample

' EasyMail .Net Edition namespaces for the POP3 component, the Parse component and the SSL plug-in
Imports System.IO
Imports Quiksoft.EasyMail.POP3
Imports Quiksoft.EasyMail.Parse
Imports Quiksoft.EasyMail.SSL

Dim objPOP3 As New POP3
Dim objSSL As New SSL
' Port 995 is the standard port for POP3 over SSL; the plug-in is attached in Connect()
objPOP3.Connect("mail.domain.com", 995, objSSL.GetInterface())
' The account name and password travel inside the encrypted channel
objPOP3.Login("account", "password", AuthMode.Plain)
Dim memoryStream As New MemoryStream
' Download message 1 into memory, then parse it with the Parse component
objPOP3.DownloadMessage(1, memoryStream)
memoryStream.Position = 0
Dim msg As New EmailMessage(memoryStream)
Console.WriteLine(msg.Subject)
Console.ReadLine()

C# Sample

// EasyMail .Net Edition namespaces for the POP3 component, the Parse component and the SSL plug-in
using System;
using System.IO;
using Quiksoft.EasyMail.POP3;
using Quiksoft.EasyMail.Parse;
using Quiksoft.EasyMail.SSL;

POP3 objPOP3 = new POP3();
SSL objSSL = new SSL();
// Port 995 is the standard port for POP3 over SSL; the plug-in is attached in Connect()
objPOP3.Connect("mail.domain.com", 995, objSSL.GetInterface());
// The account name and password travel inside the encrypted channel
objPOP3.Login("account", "password", AuthMode.Plain);
MemoryStream memoryStream = new MemoryStream();
// Download message 1 into memory, then parse it with the Parse component
objPOP3.DownloadMessage(1, memoryStream);
memoryStream.Position = 0;
EmailMessage msg = new EmailMessage(memoryStream);
Console.WriteLine(msg.Subject);
Console.ReadLine();

As you can see, securely retrieving e-mail from a POP3 server is very easy too. It is a very simple sample, but the amount of work going on under the hood is substantial. It demonstrates perfectly how EasyMail .Net Edition shields you from the complexities of SSL, POP3, MIME, parsing and much more. The sample uses the POP3 component to download the first message in the POP account to a memory stream, then parses it and displays the subject. Communications with the mail server will take place on port 995, which is the standard port for POP3 data traveling over SSL connections. The SSL plug-in is interfaced with the POP3 component during the call to Connect(). Even I am wondering "Is that it?". Yeah, that's it. It is amazing how much EasyMail .Net Edition does for you, while at the same time it enables experienced developers to control and access virtually every aspect of SSL, POP3 and the parsed message.
Retrieving mail with IMAP4 over an SSL connection
VB.Net Sample

' EasyMail .Net Edition namespaces for the IMAP4 component and the SSL plug-in
Imports Quiksoft.EasyMail.IMAP4
Imports Quiksoft.EasyMail.SSL

Dim objIMAP4 As New IMAP4
Dim objSSL As New SSL
' Port 993 is the standard port for IMAP4 over SSL; the plug-in is attached in Connect()
objIMAP4.Connect("mail.domain.com", 993, objSSL.GetInterface())
objIMAP4.Login("account", "password")
objIMAP4.SelectMailbox("Inbox")
Dim env As Envelope
Dim envelopes As EnvelopeCollection
' Envelopes carry the header summary of each message without downloading the bodies
envelopes = objIMAP4.GetEnvelopes()
For Each env In envelopes
    Console.WriteLine(env.Subject)
Next
objIMAP4.Logout()
Console.ReadLine()

C# Sample

// EasyMail .Net Edition namespaces for the IMAP4 component and the SSL plug-in
using System;
using Quiksoft.EasyMail.IMAP4;
using Quiksoft.EasyMail.SSL;

IMAP4 objIMAP4 = new IMAP4();
SSL objSSL = new SSL();
// Port 993 is the standard port for IMAP4 over SSL; the plug-in is attached in Connect()
objIMAP4.Connect("mail.domain.com", 993, objSSL.GetInterface());
objIMAP4.Login("account", "password");
objIMAP4.SelectMailbox("Inbox");
// Envelopes carry the header summary of each message without downloading the bodies
EnvelopeCollection envelopes = objIMAP4.GetEnvelopes();
foreach (Envelope env in envelopes)
    Console.WriteLine(env.Subject);
objIMAP4.Logout();
Console.ReadLine();

This example uses the IMAP4 component to make a connection on port 993, the standard port for IMAP communications over SSL. The example displays the subject of every message found in the "Inbox" without parsing the messages, by using the "envelopes" feature of the IMAP component.
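The same three operations written against the Python standard library, as an added example that is not the article's code and does not use EasyMail .Net Edition (the host name, account, password and addresses are placeholders). It shows the one thing the EasyMail samples keep out of sight: the SSL context that decides whether the server's certificate is actually verified, which is the step the article's "client authenticates the server" relies on. All three connections use implicit SSL on the standard ports 465, 995 and 993, so there is no STARTTLS step and no byte leaves the socket in the clear.

```python
"""Standard-library Python counterparts of the three EasyMail samples.

Added example; it is not the article's code and does not use EasyMail.
It does with smtplib, poplib, imaplib and ssl what the samples do with
the SMTP, POP3 and IMAP4 components plus the SSL plug-in: connect with
implicit TLS on the standard ports 465, 995 and 993.  The host name,
account, password and addresses are placeholders.  One shared SSLContext
makes certificate and host-name verification explicit for all three.
"""
import imaplib
import poplib
import smtplib
import ssl
from email import message_from_bytes
from email.message import EmailMessage

# Standard ports for SMTP, POP3 and IMAP4 over SSL (implicit TLS).
SSL_PORTS = {"smtp": 465, "pop3": 995, "imap4": 993}


def make_context():
    """Context that rejects unverifiable servers and pre-TLS 1.2 protocol versions."""
    ctx = ssl.create_default_context()              # system CA store, CERT_REQUIRED
    ctx.check_hostname = True                       # cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED             # unknown or expired cert -> handshake error
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSL2, SSL3, TLS 1.0 and 1.1 are refused
    return ctx


def unverified_context():
    """The weak setting, shown only for contrast: encrypts, but trusts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                 # any server, including an impostor, passes
    return ctx


def context_is_strict(ctx):
    """True when the context authenticates the peer and refuses legacy versions."""
    return bool(ctx.check_hostname
                and ctx.verify_mode == ssl.CERT_REQUIRED
                and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_over_ssl(host, sender, recipient, subject, body, ctx=None):
    """Sending mail over an SSL connection (the SMTP sample, port 465)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP_SSL(host, SSL_PORTS["smtp"],
                          context=ctx or make_context()) as smtp:
        smtp.send_message(msg)          # the socket was TLS from the first byte


def pop3_first_subject(host, account, password, ctx=None):
    """Retrieving mail with POP3 over an SSL connection (the POP3 sample, port 995)."""
    pop = poplib.POP3_SSL(host, SSL_PORTS["pop3"], context=ctx or make_context())
    try:
        pop.user(account)
        pop.pass_(password)             # credentials travel inside the TLS channel
        _, lines, _ = pop.retr(1)       # message number 1, as in the article's sample
        return message_from_bytes(b"\r\n".join(lines))["Subject"]
    finally:
        pop.quit()


def imap4_inbox_subjects(host, account, password, ctx=None):
    """Retrieving mail with IMAP4 over an SSL connection (the IMAP4 sample, port 993)."""
    with imaplib.IMAP4_SSL(host, SSL_PORTS["imap4"],
                           ssl_context=ctx or make_context()) as imap:
        imap.login(account, password)
        imap.select("INBOX", readonly=True)
        _, data = imap.search(None, "ALL")
        subjects = []
        for num in data[0].split():
            # Fetch only the Subject header, much like the envelope feature avoids a full parse
            _, fetched = imap.fetch(num, "(BODY.PEEK[HEADER.FIELDS (SUBJECT)])")
            subjects.append(message_from_bytes(fetched[0][1])["Subject"])
        return subjects


if __name__ == "__main__":
    print("strict context verifies the server:", context_is_strict(make_context()))
    print("unverified context verifies the server:", context_is_strict(unverified_context()))
    # Against a reachable server (placeholder names), for example:
    # send_over_ssl("mail.example.com", "alice@example.com", "bob@example.com",
    #               "Subject", "Body text")
    # print(pop3_first_subject("mail.example.com", "account", "password"))
    # print(imap4_inbox_subjects("mail.example.com", "account", "password"))
```

The contrast between make_context() and unverified_context() is the point: both encrypt the channel, but only the first one refuses a server whose certificate does not chain to a trusted authority or does not name the host that was dialled. Any library that lets you turn verification off reduces SSL to encryption with an unauthenticated peer, which is what Caveat One warns about in a different form.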
SSL is an easy way to secure e-mail messages. It is most powerful when used to secure intraorganizational e-mail. With EasyMail .Net Edition and the SSL plug-in, you can quickly and easily build robust .Net e-mail apps that take advantage of all the security SSL has to offer. The EasyMail .Net Edition SSL plug-in goes far beyond what is demonstrated here and includes support for SSL2, SSL3, TLS1, PCT1, certificate management, client certificates, STARTTLS and much more...
EasyMail .Net Edition makes sending and retrieving e-mail easy, with or without support for SSL. If you have not downloaded EasyMail .Net Edition and tried it for yourself, click here and get started now.
I hope you found this article informative and useful. If you have any questions, comments or suggestions, please let me know. My contact information is below.
John Alessi has specialized in e-mail development for the past 7 years and has helped many large companies such as Microsoft, Boeing and EarthLink with their e-mail needs. He can be reached at firstname.lastname@example.org. Quiksoft, founded in 1994, helps companies design and build e-mail systems by providing reliable tools, consulting and programming services.