Secure Socket Layer (SSL) is the industry-standard method for protecting web communications. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL is built into all major web browsers, email clients, and servers.

Note: Secure Socket Layer (SSL) is different from Transport Layer Security (TLS). SSL and TLS use different ports and behave differently on a failed negotiation, but accomplish the same desired encryption. TLS is available in some major email clients, but CAEN recommends using SSL as the default option.

Why use SSL?

In order to protect passwords, U-M has required SSL security on all ITCS  email servers. Most users will use the main U-M email server (mail.umich.edu), while some faculty and staff use the U-M Exchange server (exchange.umich.edu). As a result, both servers accept IMAPS (IMAP over SSL) and POP3S (POP3 over SSL) connections. If you are not already using a Kerberos-enabled email client (such as Pine), CAEN strongly encourages you to start using an SSL-compatible client to protect your password.

How do I begin Using SSL?

Most email clients come with the ability to use SSL built-in:

Example: Outlook Express using SSL when sending and receiving email.

For example, Outlook Express or Mozilla users can enable SSL by simply checking the requires a secure connection (SSL) option in the mail server settings. Most email programs provide similar options. Depending on whether your want to use IMAPS or POP3S, you will need to verify the server ports are set to these specific values:

IMAPS - 993
POP3S - 995

When I connect to the U-M email server, I get a security certificate error.  What should I do?

If you connect to the U-M server to access your email and your email program presents an error message similar to "The server you are connected to is using a security certificate that could not be verified," you should make sure you have the most up-to-date SSL certificate installed on your computer. You can download the latest certificate here:

• http://www.instantssl.com/ssl-certificate-support/cert_installation/

To install the certificate, follow these steps:

Windows

1. Download the GTECyberTrustGlobalRoot2018.crt certificate from the site above.
2. Go to: Start >> Settings >> Control Panel >> Internet Options
3. Click the Content tab.
4. Click the Certificates... button.
5. Click the Import... button.
6. Browse to where you saved the certificate, and double-click its icon.
7. You may need to restart your email program, or reboot your PC, for the changes to take effect.

Mac OS

1. Download the GTECyberTrustGlobalRoot2018.crt certificate from the site above. Note: When you download the certificates, Mac OS may add a .txt extension to the end of the file names. You will need to remove this, leaving only the .crt extension, before importing the certificate.
2. Go to: Applications >> Utilities >> Keychain Access
3. In the Keychains menu on the left of the Keychain Access window, click X509Anchors.
4. From the File menu, choose Import...
5. Browse to where you saved the certificate, and double-click its icon to import it into Keychain Access.
6. You may need to restart your email program, or reboot your Mac, for the changes to take effect.

Where to go for further help

Again, most email clients have options for implementing SSL connections. For more information on using SSL for a specific program, consult the program’s Help menu. For detailed information on setting up an SSL connection to the U-M email server, please see the following ITCS web page:

• http://www.itcs.umich.edu/e-mail/mail.html