Using SSL with Outlook Express and 4.7 home edition

[joe-lee]

AT&T is forcing everyone it seems to go to SSL. The SMTP port is going to be 465. The POP port to 995. Can someone explain, in simple terms, how to get AVAST 4.7 to work with this setup, for scanning emails.  I read up somewhat on doing it for gmail but it still left me behind.
Joe

[DavidR]

Sorry it isn't a simple explanation, you can't simply change the redirect ports in avast to include these ports because they are secure, encrypted ports designed to keep out prying eyes and this would include avast and other AVs.

To scan these you need to have a third party application called STunnel.

See this topic - ATT YAHOO SSL avast and STunnel - Outlook Express. Click the link at the top of the quoted text and that will take you to the topic.

Got it working. Here is the stunnel.conf file and the Outlook Express settings for anyone that needs to get setup for avast to scan ATT Yahoo SSL mail.

[alanrf]

I finally got round to setting up STunnel myself (for some testing I wanted to do - under the covers - on GMAil) this weekend. 

It is very easy to download and install and it give a link in it program folder to editing its configuration file.  Follow the example given by Norm321 and you will be fine.

To make sure STunnel starts up with your system you can also follow the easy link in the program folder to install it as a service in Windows.

[Bert]

Oh my goodness..is AT&T now INSANE in addition to being greedy?!?! 
How does using SSL cut down on Spam and Viruses?  Perhaps they're
going to launch their own Antivirus program and are cutting out all the
other guys in a pre-emptive strike. 

Just as soon as my contract with SBC/ATT/Ameritech-Yahoo is up
(Come on 9/2007!), I'm switching our household over to a new provider
that is AVAST friendly.  Will be researching the Chicagoland high-speed
options in the meantime.  I'm sure that at least 80% of the current AVAST
users will make the changes to their PORTS and not even realize that their
E-mail is No Longer Being Scanned by AVAST.   I didn't realize it myself
until coming to the forum.  Now that AT&T is a oligopoly again, I'm sure
this is just the tip of their arrogant moves.  I'd urge everyone who can
leave AT&T to do so at your earliest convenience.  -Bert in Chicagoland

[joe-lee]

Thanks David and Alan. It looks like there is two programs to download and use?
I have another idea, what if I make a shortcut to outlook express folder where all my *.DBX files are and put it on my desktop and then when I download email I can just do a quick Avast scan of that folder. Will that work?

[alanrf]

The problem with that solution is that you will have already got the virus into your mail folder and you face the risk of the whole mail folder being quarantined and that will be a big hassle.

With STunnel there is just one program to download and a bit of setup work that Norm321 has already worked out for you.  That way all the smarts in the avast Internet Mail scanner can be used to prevent malware making into the mail file of Outlook Express in the first place.

Bert in Chicagoland,

I suspect that the future is going to look pretty limited for you since more and more mail services are moving to secured access.  One driver of this is that more and more users are adopting wireless access and coming in from networks outside the control of the owners of the mail servers where the risk of snooping significantly increases.  Just an example - one of the biggest players - GMail.   



 

[DavidR]

Oh my goodness..is AT&T now INSANE in addition to being greedy?!?! 
How does using SSL cut down on Spam and Viruses?  Perhaps they're
going to launch their own Antivirus program and are cutting out all the
other guys in a pre-emptive strike. 

Just as soon as my contract with SBC/ATT/Ameritech-Yahoo is up
(Come on 9/2007!), I'm switching our household over to a new provider
that is AVAST friendly. 
<snip>

I doubt you would have to accept their anti-virus even if they did launch one, there are many ISP's that offer an AV, simply because most spam email is generated by systems that have been infected and taken over to act as spambots. They might well scan your email on the server, but they can't scan your system without your installing the software.

I certainly wouldn't jump ship because my ISP decided to use secure email at least they are using the correct secure ports (465 and 995), some just use the regular ports and that causes more of an issue. If you had other issues with your ISP then that would be cause to jump ship but not this in isolation. Once set-up STunnel works well with avast well with avast.

[Bert]

How will AVAST communicate the need for installing STunnel to the thousands
(millions?) of Avast users that aren't aware that they need this software?  If
I had not visited this forum, I wouldn't have known that my e-mail was no
longer being scanned as it arrives in Outlook Express. 

David, are you saying that the major ISP's who use Ports 465/995 are scanning
the mail for malware on their server, which pre-empts the need for Avast mail
scanner on our PC?  It that's the case, I will not be too concerned about all the
people I've referred to the Avast over the years.  The other components of
Avast protection are still doing their great job on the PC's..

[DavidR]

1. avast doesn't have to communicate that to users, it is something outside of its control. It can't influence what email protocols they use, for instance they could decide to go completely webmail so it would be viewed through the browser not an email client.

avast! is no different to the majority of other anti-virus programs that can't scan secure email, that is the whole purpose of secure email. If you were to use MS Outlook there is a difference in that avast can work inside MS Outlook so that can scan email content. The Internet Mail provider operates 'outside' the email program so is 'outside' the secure encryption and that is a fact not limited to avast's email scanner.

2. No I'm not saying that, the key word is might "They might well scan your email on the server" this is an option with some ISPs and email services.

It is because of your comment that I suggested things that they could do such as scanning their email servers and things that they couldn't do, scan your system without your compliance.

Perhaps they're
going to launch their own Antivirus program and are cutting out all the
other guys in a pre-emptive strike. 

[joe-lee]

So then in OutLook Express, I take out the Yahoo.com in the pop and smtp positions and put in 127.0.0.1?
Add the redirect ports in Avast for the pop and smtp, put in 11025 and 11110.
I have downloaded Stunnel 4.20 installer.exe, what is the stunnel-4.20-installer.exe.asc file?
I do not need a file called win32openSSL?
Somehow I came up with that.

[alanrf]

The asc file is the ANSI source code if you want to look at/compile the source code.  Probably just best to take the Windows install file you have already downloaded.  As I already told you - there is just one file to download.  The Windows installer combines the OpenSSL function compiled within it.

As to OE:

Change the POP server to localhost (or 127.0.0.1) they mean exactly the same thing.
Change the SMTP server to localhost (or 127.0.0.1)

Change the SMTP port to 11025
Make sure you uncheck "secure connection"

Change the POP port to 11110
Make sure you uncheck "secure connection"

That's it for OE

In avast:

In the Internet Mail scanner > Redirect tab

Add 11110 to the POP box, make sure you separate it from the previous port with a comma
Add 11025 to the SMTP box, make sure you separate it from the previous port with a comma

Uncheck the box "Ignore local communication". 

"OK"

Follow the instructions from Norm321 precisely for editing the STunnel config.

You will need to make sure STunnel is always running when you use OE.  See my comments above on installing it as an automatic service in Windows.

 

[joe-lee]

Have a problem. AT first I had to put libeay32.dll and libssl32.dll into the system32 folder. Now when I boot up I get this for Stunnel;
2007.07.31 20:57:24 LOG3[2808:2820]: stunnel.conf: No such file or directory (2)
 
Syntax:
stunnel [ [-install | -uninstall] [-quiet] [<filename>] ] | -help | -version | -sockets
    <filename>  - use specified config file instead of stunnel.conf
    -install    - install NT service
    -uninstall  - uninstall NT service
    -quiet      - don't display a message box on success
    -help       - get config file help
    -version    - display version and defaults
    -sockets    - display default socket options

At the top it says Stunnel 4.20 on Win32 ( not configured). I do have the icon on the bottom task bar.

Note: It says no stunnel.conf file but I can open it up using the stunnel edit.

When I try to get my mail I get the following error.
The server responded with an error. Account: 'A1G@SBCGLOBAL.NET', Server: '127.0.0.1', Protocol: POP3, Server Response: '-ERR Cannot connect to POP server 127.0.0.1 (127.0.0.1:11110), connect error 10061', Port: 11110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC90

Here is my Stunnel.conf file:
#attyahoo

client=yes
# POP3 service, listens on localhost:11110
[att-yahoo-pop3s]
accept=127.0.0.1:11110
connect=pop.att.yahoo.com:995

# SMTP service, listens on localhost:11025
[att-yahoo-smtps]
;protocol=smtp (removed with ; in front of this)
accept=127.0.0.1:11025
connect=smtp.att.yahoo.com:465

In AVast I tried 11110,110 and just 11110 and 11025,25 and just 11025.

In Outlook express, both pop and smtp are set to 127.0.0.1 and pop=11110 and smtp=11025 in advanced section.

My stunnel.conf is just that, no .txt after it.

I am running Windows XP pro.

Any ideals?

[alanrf]

Why did you move the dll files? 

Stunnel installs them in the Stunnel folder.

[joe-lee]

Why did you move the dll files? 

Stunnel installs them in the Stunnel folder.

Your right, it did, but when I boot up the computer, with stunnel in the startup folder, it came up, could not find libeay32.dll, so I copied it into the system32 folder then rebooted and it came up with could not find libssl32.dll which I copied into the system32 folder. Then I came up with that last part that I copied into my email. I also had, when I placed my cursor over the stunnel icon in the tray, it said, no server. Since then I have taken out of my startup folder, Stunnel. Now when I boot up, I start Stunnel and it asks for permission to access the internet(zonealarm) which I do and now it says active. This was first done after I started Outlook express. I started sending me emails and its working now. Sometimes it seems to hang up and time out. Is that common? I thought maybe I needed to load OE first so tried the other way and it works either way. So I am finally up and running. Still have questions.
Do you have Libeay32.dll and Libssl32.dll in your system32 folder?
Does this software, stunnel, get the email from ATT thru the SSL so ATT now thinks I am using 995 and 465?
Thanks for all the help everyone.

[alanrf]

I seems that you pay very little attention to my posts. 

I already told you that to make sure STunnel starts up with Windows that there is an entry in the STunnel program folder to install Stunnel as a service that will automatically start with Windows.

No, I do not have those dll files in my system32 folder. 

This post shows what is happening, even though it mentions GMail the principle is exactly the same for your AT&T account.

http://forum.avast.com/index.php?topic=23814.msg201231#msg201231

STunnel is managing the secure connections to your server and then passing the email messages to OE on a regular connection so that avast can scan them.  The transfer takes place entirely inside your computer so the messages are still safe from interception.