Disable plain-text access to webmail


#1

Hi there,

I’ve set up a number of e-mail accounts on one of my domains. I’m very happy with the Atmail service, it’s quite good.

However, I find it very strange that Dreamhost allows plain-text access to this service. This results in user passwords (which are supposed to be sensitive data) being sent over plain-text HTTP.

My suggestion is that http://webmail.dreamhost.com access is removed and replaced with a 301 to https://webmail.dreamhost.com.

Furthermore, I’d like the option of either:

- being able to install a LetsEncrypt cert for https://webmail.mydomain.com; or
- forcing a 301 redirect to https://webmail.dreamhost.com from http://webmail.mydomain.com

The same goes for mailboxes.* as well.

Also, at https://mailboxes.dreamhost.com, why can’t I log in using a non-dreamhost.com e-mail address? This forces users to go to https://mailboxes.mydomain.com and accept an invalid cert if they want to securely update their password.
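The redirect the post asks for, written out as an added nginx example (not DreamHost's or Atmail's configuration): the weak plain-HTTP listener beside a hardened pair that answers port 80 only with a 301 and serves the webmail over TLS. The hostname webmail.mydomain.com, the upstream name `atmail-backend`, and the certificate paths (certbot's default layout) are assumptions.

```nginx
# --- Weak: webmail served over plain HTTP, so the login form and the
# --- password travel in clear text. Shown commented out for comparison.
# server {
#     listen 80;
#     server_name webmail.mydomain.com;
#     location / { proxy_pass http://atmail-backend; }   # hypothetical upstream
# }

# --- Hardened: port 80 exists only to send browsers to HTTPS ---
server {
    listen 80;
    server_name webmail.mydomain.com;

    # Keep the ACME HTTP-01 challenge path reachable over plain HTTP so the
    # Let's Encrypt certificate can be issued and renewed.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot used by the ACME client
    }

    # Everything else: permanent redirect, preserving host and path.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name webmail.mydomain.com;

    # Assumed certbot paths for this hostname.
    ssl_certificate     /etc/letsencrypt/live/webmail.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webmail.mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: returning browsers skip the insecure first request altogether,
    # so the 301 above is only ever needed once per client.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://atmail-backend;   # hypothetical upstream
    }
}
```

The same pattern applies to a mailboxes.mydomain.com host; a certificate issued for that name is what removes the invalid-cert warning the post describes.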


#2

Hey @studro, thanks for sharing your thoughts. We’re aware of the situation. We’re big proponents of https everywhere, made lots of headway this year introducing Let’s Encrypt in many of our products and are looking at more ways to improve this situation. HTTPS on webmail is on our todo list: it’s not a simple solution due to the way our systems are architected, but we’re actively working on improving this experience.

To improve the situation temporarily I would suggest you use the browser addon HTTPS Everywhere, developed by the Electronic Frontier Foundation: https://www.eff.org/Https-Everywhere. This addon detects if a site offers both http and https, and switches automatically to https-only. This way, your browser will always go to the encrypted site.


#3

Thanks for getting back to me on this so quickly. 🙂

Do you have any rough ideas as to when you’re hoping to get onto this? Is this in your short term (e.g. 6 - 12 month) plans, or more likely in your long term (e.g. 18 month - 5 year) plans?


#4

I don’t think it’s years ahead, but I can’t yet give you a precise answer on the timeline. Let’s check back in Q1 2017 when things should be clearer.


#5

Similar to the above request, would it be possible to leverage Let’s Encrypt for the mail.domain.* servers?