Using TLS Encryption with Microsoft Entourage

This guide assumes that you have previously configured Entourage to work with your Beloit College email account. If you have not, you can create an account using the New Account Wizard located in the Account Settings window. Use your Beloit Account user name; beloit.edu or stu.beloit.edu as your POP server, depending on the server listed after the @ symbol in your email address; and bcmail.beloit.edu as the SMTP server. Doing this will not automatically enable TLS encryption or authentication with the Beloit College mail server.

Encryption and authentication are not required for using the mail server from an on-campus location; however, ISR recommends enabling them to protect your password. If you intend to use the Beloit College mail server from an off-campus location, you must enable encryption and authentication in order to send mail.

1. Open the Account Settings window by clicking on Account Settings from the Entourage menu.
2. From the Accounts window, select your Beloit College email account. Once it is highlighted, click the Edit button in the toolbar above. If you cannot see the account, make sure that the Mail tab is highlighted.
3. From the Edit Account window, be sure that the Account Settings tab is highlighted. In the middle of the window, under Receiving Mail, click the Click here for advanced receiving options button. Check the box This POP service requires a secure connection. Leave Override default POP port and Always use secure password unchecked. Your password will be secured with SSL without the secure password box being checked, and checking it will cause Entourage to be unable to check your incoming mail. Click the small box in the upper left corner to close this window.
4. At the bottom of the window, under Sending mail, change the SMTP server to bcmail.beloit.edu.
5. Click the Click here for advanced sending options button, under the SMTP Server field. Check the box SMTP service requires secure connection (SSL). If you want to use bcmail to send mail from an off campus location, ISR strongly recommends changing the default port from 25 to 2525 since many local ISPs block outgoing traffic on port 25. To enable port 2525, check the box Override default SMTP port and enter 2525. If you only want to use bcmail to send mail on campus, you can leave the box unchecked and the port at 25. Check the box SMTP server requires authentication and then select Log on using and enter your user name in the Account ID field. Click the small box in the upper left corner of the pop up window to close it. Click OK to save your settings and close the Accounts window.
6. Send a test message to yourself. If a warning window appears that says Entourage cannot verify the root certificate and will not continue in SSL, skip down to the certificate issues section of this guide. Clicking OK will allow you to send mail, but you will not have encryption available, which will cause Entourage to fail to send mail if you are mailing from an off-campus location. If Entourage prompts you for a password and afterwards does not warn you about a certificate being untrusted, continue with the next step.
7. Now attempt to retrieve your mail. If you get an Unable to establish secure connection warning, please read the certificate issues section. Entourage will still retrieve your mail, but it will not use encryption to do so. You may be prompted for your password if you have not enabled the save password feature earlier. You should see the test message you sent earlier and any new mail you have received since the last time you logged in. Entourage is now configured to send mail on and off campus using TLS encryption.

Resolving root certificate issues

Entourage uses the system keychain to verify SSL certificates. Entourage itself gives no option to import the certificate into the keychain, nor does it seem to give you the option to accept the certificate into its own certificate manager. Entourage uses a certain system keychain, so you may already have the certificate in one keychain, but not the other. The symptom of a certificate that is either missing or in the wrong keychain is a window that pops up after your password has been entered and says in bold: Unable to establish a secure connection to <server name> because the correct root certificate is not installed.

Note that fixing this problem will require administrative access to your machine. If the account that you normally use to log in to your machine is an administrator account, then you can use it. You will have to supply the account's password.
1. Open Keychain Access by going to the Utilities folder on your hard disk or by using the Go menu in the Finder.
2. Click in the search bar in the corner of the screen and type in netr. This should return at least one certificate named netreg.beloit.edu. The keychain should be login. If it returns nothing, then in step four you must download the certificate instead of exporting it.
3. The top center pane gives additional information about the certificate. The certificate name, type, and expiration date are given. Underneath the expiration date, there should be a red X and a message in red that says that the certificate is not in the trusted root database.
4. You can either export the certificate to your desktop using Keychain Access, or you can download it here. To export the certificate using Keychain Access, highlight the certificate and go to File > Export. You can save the file wherever you want, but putting it on the desktop usually makes it easier to find. Take the default name, but make sure that it saves as type .cer Certificate.
5. Double click on the certificate that you have either exported or downloaded. Keychain Access will open it automatically. You must change the keychain you wish to import to from login to X509 anchors. Click OK and you will be prompted for an account to use and a password. This account must have administrative access in order to be able to import the certificate. If OS X tells you that it cannot import because you do not have Administrative privileges, then you must use a different account when it prompts for your password. If Keychain Access tells you that it cannot import because the certificate is already in the keychain, then make sure that X509 anchors is the keychain that you are importing to. If it is, restart your computer so that the system can recognize the addition to the root database.
6. Going back to Keychain Access and searching for netr should reveal two certificate listings. Searching for the full string netreg can sometimes return only one entry, so be sure to use netr as your search. One will be in the login keychain and the other will be in X509 anchors. Clicking on either one will still show the This certificate is not in the trusted root database warning. You must restart your computer for these changes to take effect. After a reboot, open Keychain Access once again. Clicking on the netreg certificate in either the login or X509 anchors keychain should show a green check and a message that says This certificate is valid.
7. Open Entourage and send yourself a test message. The warning about Entourage being unable to establish a secure connection with bcmail.beloit.edu because the correct root certificate is not installed should be gone. Attempt to check your mail. The warning should be gone here as well.

Note: if you use beloit.edu as your incoming mail server, there is a known issue with its certificate. You will be unable to install the root certificate for beloit.edu. This is an issue that will be resolved by January 2008. When the issue is resolved, beloit.edu will rely on the netreg root certificate and Entourage will no longer prompt you about an insecure connection, provided that you have followed the steps above dealing with how to install the root certificate. It only needs to be installed once.
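
The test messages in the steps above confirm only that Entourage stopped warning. The following added example (not part of the original guide or any ISR tooling) checks the same thing outside Entourage: that the SMTP server offers STARTTLS, that its certificate verifies against the exported root, and that authentication is offered inside the encrypted session. The function names and the file name netreg.cer are assumptions; the server name and port are the ones given in this guide.

```python
import smtplib
import ssl


def load_root(path):
    """Read a root certificate saved as PEM text or as binary DER (.cer)."""
    with open(path, "rb") as fh:
        data = fh.read()
    # cadata accepts PEM as str and DER as bytes.
    return data.decode("ascii") if data.lstrip().startswith(b"-----BEGIN") else data


def check_submission(host, port=2525, root_path=None, timeout=10):
    """Return (ok, detail); ok is True only when STARTTLS completes with a
    verified certificate and AUTH is offered inside the TLS session."""
    try:
        # Chain and host name are both verified. With root_path set,
        # only that root is trusted; otherwise the system roots are used.
        if root_path:
            ctx = ssl.create_default_context(cadata=load_root(root_path))
        else:
            ctx = ssl.create_default_context()
        # A fixed EHLO name avoids a local DNS lookup.
        with smtplib.SMTP(host, port, local_hostname="localhost",
                          timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "no STARTTLS offered; password and mail would travel unencrypted"
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read after the TLS handshake
            if not smtp.has_extn("auth"):
                return False, "TLS verified, but the server does not offer AUTH"
            return True, "TLS verified (%s); AUTH offered" % smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted: %s" % exc.verify_message
    except (smtplib.SMTPException, OSError) as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # Server and port are the ones named in this guide; netreg.cer is an
    # assumed file name for the exported root certificate.
    print(check_submission("bcmail.beloit.edu", 2525, root_path="netreg.cer"))
```

A result of "certificate not trusted" corresponds to the root certificate warning described above; "no STARTTLS offered" means the connection would not be encrypted at all.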