Mail receive on port 110

phelum · 5 Aug 2024, 16:47

Hi,

I'm trying to activate the mail feature in Vivaldi 6.8 but when entering the server details it won't let me select the desired security for the server connection.

I want port 110 and no security but the security box is stuck on SSL/TLS and disabled so I can't change it.

The port box can be changed to 110 but this doesn't enable the security box. Is there a setting elsewhere that I have to enable to allow insecure mode here ?

Thanks,
Steven

DoctorG · 8 May 2024, 16:57

@phelum StartTLS not implemented for POP3 Port 110.

phelum · 5 Aug 2024, 17:00

@DoctorG Fair enough. How do I select no security ?

DoctorG · 5 Aug 2024, 17:02

@phelum Sorry, not implemented for security reasons to protect users.

DoctorG · 8 May 2024, 17:04

Most known servers today have POP3S (Port 990 + SSL). So Non-SSL is not implemented.

Why Port 110?

phelum · 5 Aug 2024, 17:09

@DoctorG Original POP3 receive port. Good for testing.

Anyway, I'll keep away from this nanny-state feature. I'm appalled that such a restriction is imposed.

Thanks for your quick replies.

Cheers,
Steven

tarquin · 6 Aug 2024, 13:41

There is no good reason to allow users to shoot their own foot off. ALL current email service providers support encrypted connections (and if yours doesn't, then they need a massive wake-up call, and should not be trusted as an email service provider). Usernames and passwords are sent during authentication, and should never, under any circumstances, be sent insecurely.

The alternative "protection" methods available for email server authentication are no substitute, such as a "nonce", since they are required to fall back to basic authentication if it fails, so an active attacker can just break the first one, to force the second one to happen. Without a secure connection, there is also no guarantee you are talking to the correct server, and an attacker could intercept and supply a malicious transparent proxy that gains access to your account. And even if it were possible to guarantee that is is the correct server, and that the authentication were not leaked, then it would still have some kind of authenticated session, which an active attacker could hijack to access your mail, and cause data loss.

Email contains some of the most sensitive private data; your medical details are probably in there, private aspects of your life, your other online accounts send password recovery keys or two factor authentication tokens there, your employer probably has intellectual property in there, or other people's private data that must not be leaked. Email is something that fundamentally needs protection, including for every user who does not realise why it matters.

There is no safe way to access mail without a secure connection. Therefore we do not allow it.

Yes, there is a technical legacy that allows mail to be used that way, because email as a technology predates the understanding of online security, but that doesn't mean a client should needlessly put users at risk.