[Greennet-l] Please read: important changes to sending email through GreenNet

GreenNet User Support support at gn.apc.org
Tue Oct 3 21:05:31 BST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear GreenNet member

In order to provide additional security when you use email, we intend to enable 
a feature called "secure SMTP" from next Tuesday, 10 October 2006. Most people 
will not notice any difference. However, for people who use EUDORA versions 4, 
5 or 6 for Windows, it is likely that you will need to make one or two changes 
to your Eudora options, which are described below.

There may also be corresponding issues with one or two other e-mail or 
antivirus programs or mail servers. In some cases, such as Eudora version 7, 
the email program will simply ask you if you want to trust the new certificate, 
and you can click "Yes".

Why we are doing this
=====================

SMTPS (secure simple mail transfer protocol) is a way of sending your outgoing 
messages to our servers for onward delivery in such a way that they are very 
hard to intercept. Human Rights Watch has recently recommended use of secure 
email and web protocols when communicating in certain countries (see 
http://embargo.gn.apc.org/7.htm). Without a secure (encrypted) connection, it 
could also be theoretically possible for someone to read the content of your 
email messages or even your GreenNet password, for example if you are sending 
over a wireless network. GreenNet also provides HTTPS for webmail, POPS, and 
IMAPS for those with IMAP enabled. Note that this is not the same as end-to-end 
email encryption available using software like Enigmail or Ciphire, and email 
is still safely stored in unencrypted form in your mailboxes.

Symptoms of new certificate problem in Eudora
=============================================

When sending in Eudora, there may be an uninformative error message, or you may 
see one or more of the following "SSL Negotiation Failed" errors in the task 
list:

      * SSL Negotiation Failed: Certificate Error: Cert chain not trusted. Try 
adding this certificate to your certificate database for SSL to succeed. 
Certificate Error: Unknown and unprovided root certificate. Cause (-6995) (or 
- -6994)
      * Certificate bad: Destination Host name does not match host name in 
certificate Cause (-6984)

You may also have had a issue with *receiving* email back in February which was 
resolved by changing "Secure Sockets when Receiving" to "Never". See also the 
Eudora help page at http://eudora.com/techsupport/kb/2323hq.html

What to do for Eudora for Windows
=================================

Eudora 6.2.3, 7.0 and above should be able to cope with the new certificate 
more easily. There are therefore three possible ways of solving this.

      * Upgrading Eudora to the latest version from http://www.eudora.com (16MB, 
about 2hrs on 56K connection)
      * Telling Eudora not to use secure SMTP
      * Telling Eudora to accept the certificate

We recommend using the third option so that you can use secure SMTP:

     1. Try sending an email in order to get the error message.
     2. In the main Eudora window, click on the "Tools" menu, then "Options"
     3. From the list of categories on the left, choose "Sending Mail"
     4. Check the "SMTP server" box, usually third from the top. This may say 
smtp.greennet.org.uk. Delete this and replace it with "smtp.gn.apc.org"
     5. Click on "Last SSL Info" at the bottom right of the options box
     6. Click on "Certificate Information Manager" at the bottom right of the 
"Eudora SSL Connection Information Manager" box
     7. Under "Server Certificates", there should be a certificate beginning

            GB, *.gn.apc.org

     8. (The thumbprint identifying the certificate should read 9ED0 A063 4524 
88D8 843D 8231 8AE8 9D92 82D7 5696. There should be no need to check this.)
     9. Click on this, and then the "Add to trusted" button.
    10. Click "Done", "OK", and "OK"
    11. Try sending again
    12. If this works successfully, you may like to change the "Checking mail" 
secure sockets option from "Never" to "If Available, STARTTLS", so as to also 
receive email using a secure connection.

(You may also be able to access Eudora's certificate manager and add the 
certificate ahead of time, by clicking on Last SSL Info in the "Checking mail" 
category, and following step 6 above onwards.)

If there is still an error similar to the above (or you want to make the change 
now and continue sending email unencrypted), turn off secure SMTP as follows:

     1. In the main Eudora window, click on the "Tools" menu, then "Options"
     2. From the list of categories on the left, choose "Sending Mail"
     3. At the bottom of the Options box is "Secure Sockets when Sending". 
Change this from "If Available, STARTTLS" to "Never".
     4. Click OK, and try sending again

Apple Mac
=========

For OS 9, you may see a "Unknown SSL Certificate" error.

     1. Click "Open"
     2. Ensure "Add to keychain" is ticked and "Always trust"
     3. Click "OK" and Done

There may be problems with Eudora on OS X 10.1 requiring an upgrade of OS X or 
Eudora, or turning off SSL in the Settings. If you have problems sending under 
any version of Mac OS X, try downloading this certificate to your desktop (hold 
down the Control key when clicking), double click on the file, select the "X509 
anchors" keychain, and click OK. You may then be prompted for your OS X 
password.

If you have problems
====================

If have further questions, please phone us on 0845 055 4011 (or +44 20 7065 
0942) between 9.30 to 5.30 Monday-Friday. There is an answerphone service 
outside those hours, and we will endeavour to contact you at a convenient time.

All best wishes

Janet, Cedric, Ian and Ana

GreenNet Support

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFFIsKa3b5vU4FHYZYRAqn4AJ0fDt/8x/zzPNic4LpzzBXN4GPsLACfVXLd
CntVC6l/uXQD0oF8alVtZ3c=
=G+YU
-----END PGP SIGNATURE-----

More information about the Greennet-l mailing list