neo said:
Are you trying to use SSL on a non-standard SMTP port? (e.g.
Non-standard SMTP port means that the account is configured to try and
send e-mail on a port that does not equal 25 or 465.)
And if you are using SSL over a standard port (25 or 465) for outbound
e-mails, you might need to disable e-mail scanning by your anti-virus
product which won't be able to interrogate the encrypted traffic. Many
anti-virus products run as proxies (some are transparent) and will
monitor only specific or standard ports for e-mail traffic. Some only
monitor port 25 to scan outbound e-mails, and if you switch to SSL on
port 465 then that anti-virus proxy won't be able to see your outbound
e-mail traffic (and so it won't interfere with it). However, if you use
port 25 for outbound SSL-encrypted traffic then your anti-virus program
that is monitoring traffic on port 25 will interfere. The endpoints in
an SSL connection know how to encrypt and decrypt the traffic, and the
anti-virus proxy is not an endpoint in that SSL session (i.e., it is
tapping into the traffic just like a hacker whom you are preventing from
seeing the content by encrypting it). Some proxy-style anti-virus programs
let you configure on which ports they will monitor e-mail traffic. I've
read that Avast! lets you configure which ports it will monitor. I used
Norton Anti-Virus and know that it will ONLY monitor the standard ports
and not the non-standard ones (so you only need to be concerned if you
use SSL on a standard port).
Some anti-virus software inserts itself as a layered service provider
(LSP) into the TCP service so it doesn't use a port to monitor your
e-mail traffic. I think EzAntivirus operates as an LSP. However, I
don't know if that would help the anti-virus program to interrogate the
SSL-encrypted data stream that flies by it. So you couldn't even
configure your e-mail client to use a non-standard port to bypass the
anti-virus interceptor, and since the anti-virus interceptor isn't one
of the endpoints in the SSL connection then it probably will interfere
with that traffic (or it just might pass it through unfiltered, so
behavior depends on how the anti-virus product was programmed).
For anti-virus products running as a proxy, use a different port than
the standard one that the anti-virus product will monitor when using
SSL. For POP3 and SMTP, use ports 995 and 465 (or whatever your ISP
requires), but don't use the standard ports (110 and 25). For
anti-virus products that operate as LSPs, or to avoid the problem
altogether for either proxy or LSP mode anti-virus products, you could
also just disable e-mail scanning in your anti-virus product. Its
on-access scanner should provide equivalent detection and protection,
anyway.
As I understand SSL (which isn't a lot), its handshaking is time
sensitive so the endpoints in an SSL connection need to have similar
times. Use the time service or utility that periodically updates your
computer's clock. "Session-identifiers should have a lifetime that
serves their purpose (namely, reducing the number of expensive public
key operations for a single client/server pairing). Consequently, we
recommend a maximum session-identifier cache timeout value of 100
seconds" (from a Netscape article on SSL 3.0). If your time is
significantly different than that for the other end of the SSL connect
then it might see your session as expired or not even establish a
session.
We don't know what you tried (you never told us) or what is your current
e-mail account definition in Outlook and what, if any, anti-virus
software you use, and you never identified what is your e-mail provider
(so we could see what they state for e-mail setup on their web pages to
find out what ports to use). Without any of this detail, my suggestion
is to:
- Use port 995 for POP3 (inbound) e-mail. Make sure SSL is enabled on
that port.
- Use port 465 for SMTP (outbound) e-mail. Make sure SSL is enabled on
that port.
- Obey the e-mail provider's requirement regarding SPA (secure password
authentication). Some require it when using SSL connects, some require
that it NOT be used.
- Make sure your firewall is configured with an application rule that
allows Outlook to make connections on those ports.
- Disable e-mail scanning in your anti-virus software if it happens to
be intercepting e-mail traffic on ports 995 or 465.
- Make sure your computer's clock gets periodically synchronized to an
atomic clock.
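
A handshake probe for the SSL ports listed above, added here as an example and not part of the original post: it attempts the immediate TLS handshake and reports whether it completed, who issued the certificate that was presented, or how it failed. The function names, status labels and the local cleartext listener are constructed for illustration; point `probe_implicit_tls` at your provider's host and port to test a real account.

```python
import socket
import ssl
import threading

def probe_implicit_tls(host, port, timeout=5.0):
    """Attempt the immediate TLS handshake used on ports such as 465 and 995."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # The issuer shows who terminated the session: the mail
                # provider's CA, or a local scanner that re-signs traffic.
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                return {"status": "tls_ok", "version": tls.version(),
                        "issuer": issuer.get("organizationName") or issuer.get("commonName")}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, or a validity window that does not match the local clock.
        return {"status": "cert_rejected", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        # The peer answered with something that is not TLS.
        return {"status": "handshake_failed", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # Refused, blocked by a firewall rule, or timed out.
        return {"status": "unreachable", "detail": str(exc)}

def start_cleartext_listener():
    """Constructed local stand-in: greets in cleartext like a plain SMTP port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            conn.recv(4096)  # drain the ClientHello before closing
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Offline demo against the constructed listener; expect "handshake_failed".
    print(probe_implicit_tls("127.0.0.1", start_cleartext_listener()))
```

Run it once with e-mail scanning enabled and once with it disabled: a change in `status` or `issuer` between the two runs shows the scanner is sitting in the connection.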