I had a customer with an email problem: he could receive emails but not send them, even though nothing had changed on their setup. Support told him they had switched him to a different company, but it seems that the support operator got confused. A lot of ISPs change hands regularly these days, and the operator was clearly confused as to the supplier.
Life was much simpler with insecure email, which has been around on the Internet since the 1970s in different forms.
An email program (called the client) uses two different protocols, one for receiving email and one for sending email.
The client connects to the server, and the server reveals what options it supports. If the client supports those options, it sends the username and password to authenticate the connection and then is either told there are new emails to collect or is allowed to send emails.
In order to provide a better solution, a system known as Secure Sockets Layer (SSL) is used in the form of what is known as keyless authentication. It’s the same as what happens with secure websites but for email.
- The client sends a request to use SSL.
- The server sends its public certificate to the client.
- The client verifies that the certificate has been signed by the trusted authority for the certificate, checks that the certificate applies to the domain name the server is operating in and that it has not expired, and rejects the connection if any of this fails.
- The client sends a signed message back to the server using the server’s public certificate.
- The client and server then exchange session keys signed with the server’s public certificate and exchange encrypted data, which is then decrypted on the appropriate end.
What went wrong?
I suspect that the mail server’s certificate had changed and prevented the customer’s email client from sending out emails. The fact he was receiving emails leads me to suspect that only the sending side is using SSL, because although the email program showed no errors, after checking the certificate, it had an install certificate button that added the server’s certificate and then the problem went away.
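The certificate checks from the third step of the handshake above can be run by hand against the sending server to see which one rejects the connection. This is an added example, not part of the original post; it assumes the server takes outgoing mail on port 587 with STARTTLS (or implicit TLS when `implicit_tls=True`), and the host name is whatever the mail client is configured with.

```python
import smtplib
import ssl
import sys

# OpenSSL verify codes, grouped by the check in the handshake list that failed.
REASONS = {
    10: "certificate has expired",
    18: "certificate is self-signed, not signed by a trusted authority",
    19: "chain ends in a self-signed certificate that is not trusted",
    20: "issuing authority is not in the local trust store",
    62: "certificate does not cover the server's domain name",
}

def explain(err):
    """Turn a verification error into the name of the check that rejected it."""
    code = getattr(err, "verify_code", None)
    detail = getattr(err, "verify_message", "") or str(err)
    return f"{REASONS.get(code, 'verification failed')} (code {code}: {detail})"

def check_mail_tls(host, port=587, implicit_tls=False, timeout=10):
    """Connect the way a mail client does; return (accepted, report)."""
    # Default context: system trust store, domain name check and expiry check on.
    ctx = ssl.create_default_context()
    conn = None
    try:
        if implicit_tls:
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)  # upgrade the plain connection to TLS
        cert = conn.sock.getpeercert()
        return True, f"certificate accepted, valid until {cert['notAfter']}"
    except ssl.SSLCertVerificationError as err:
        return False, explain(err)
    except (smtplib.SMTPException, OSError) as err:
        # Refused connection, no STARTTLS offered, timeout: the check never ran.
        return False, f"no TLS verdict: {err}"
    finally:
        if conn is not None:
            conn.close()

if __name__ == "__main__":
    # Usage: python check_mail_tls.py <mail host> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    accepted, report = check_mail_tls(sys.argv[1], port)
    print("OK  " if accepted else "FAIL", report)
```

A report naming the trust store or the domain name points at a changed server certificate rather than at the account settings.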