Remote email access requires the use of encryption to protect your user name and password. To use encryption you must accept BGC's self-signed certificates.
¹You should permanently accept the self-signed n50.bgcaus.com certificate via a trusted network such as your ISP, the BGC LAN or a licensed carrier before you travel.
| Mail Folder | Local and remote | Local only |
|---|---|---|
| Type | IMAP IMAP4 IMAP2 | IMAP IMAP4 IMAP2 |
| Host | n50.bgcaus.com [202.189.69.150] | mail.bgc.com.au [10.46.1.36] |
| Port | 993 IMAPS | 143 IMAP |
| Encryption | SSL¹ | Plaintext |
| AUTHENTICATE | LOGIN | LOGIN |

| Mail Submission | ISP (example) | Ideal² (Alternate) | Local only |
|---|---|---|---|
| Host | mail.amnet.net.au | n50.bgcaus.com [202.189.69.150] | smtp.bgc.com.au [10.46.1.36] |
| Port | 25, 587 (465 SMTPS) | 587 SUBMISSION² (25 SMTP) | 25 SMTP (587 SUBMISSION) |
| Encryption | StartTLS³ (SSL) | StartTLS¹ (Plaintext) | Plaintext |
| AUTH | None | PLAIN (CRAM-MD5) | None |

| WWW Proxy | Remote only | Local only |
|---|---|---|
| Host | None (ISPs do transparent for expensive nets) | proxy.bgc.com.au [10.46.1.35] |
| Port | N/A | 3128 |
| Encryption | N/A | Plaintext |
| Authentication | N/A | None |
²You will need to be added to the relay list so that your SMTP session can be AUTHenticated for email relay. Your password is also required so that AUTH CRAM-MD5 may be used. Otherwise you will only be able to send email to BGC. If you use the ISP's SMTP then you may only be able to send email to BGC, as the ISP's SMTP may not have been authorised (in the DNS) to relay email for our domains. Amnet's mail.amnet.net.au is in our SPF, so Amnet customers should have email accepted with a BGC from address.
³Ideally these should also be encrypted. (An unencrypted session may facilitate Man-In-The-Middle attacks. See your ISP's set-up guides for instructions on how to enable encrypted email access.)
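The AUTH CRAM-MD5 exchange named in footnote ² is shown below from both sides, to make clear why the server must hold your actual password and why the password itself never crosses the link. This is an added example, not BGC's code: the function names and the `relay_users` dictionary are hypothetical, and the sample challenge and secret are the published RFC 2195 test values.

```python
import base64
import hashlib
import hmac
import secrets

def new_challenge(host: str) -> str:
    """Server: issue a fresh base64 challenge, unique to this session."""
    return base64.b64encode(f"<{secrets.token_hex(8)}@{host}>".encode()).decode()

def client_response(user: str, password: str, b64_challenge: str) -> str:
    """Client: answer with 'user HMAC-MD5(password, challenge)', base64-encoded."""
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify(relay_users: dict, b64_challenge: str, b64_response: str):
    """Server: return the user name if the response is valid, else None.

    relay_users maps user name -> password (hypothetical relay list). The
    server recomputes the HMAC, which is why it needs the password itself.
    """
    try:
        user, digest = base64.b64decode(b64_response).decode().rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed response
    password = relay_users.get(user)
    if password is None:
        return None  # not on the relay list
    expected = hmac.new(password.encode(), base64.b64decode(b64_challenge),
                        hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    return user if hmac.compare_digest(expected.encode(), digest.encode()) else None

if __name__ == "__main__":
    users = {"tim": "tanstaaftanstaaf"}          # RFC 2195 sample secret
    ch = new_challenge("n50.bgcaus.com")
    resp = client_response("tim", "tanstaaftanstaaf", ch)
    print("accepted for relay:", server_verify(users, ch, resp))
    # A response captured from one session fails against a new challenge.
    print("replayed:", server_verify(users, new_challenge("n50.bgcaus.com"), resp))
```

The challenge is what defeats replay, but CRAM-MD5 does not authenticate the server, so the StartTLS and certificate requirements in the table still apply.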
```
# Possible ports available for ISP services
daytime     13/tcp                  # [RFC-867]
daytime     13/udp                  # [RFC-867]
time        37/tcp   timserver      # [RFC-868] 19000101000000Z = 0
time        37/udp   timserver      # [RFC-868] or Unix + 25567 * d
ssh         22/tcp                  # SSH Remote Login Protocol
smtp        25/tcp   mail           # [RFC-821,1123,2821]
domain      53/tcp                  # name-domain server
domain      53/udp                  # name-domain server
pop3        110/tcp  pop-3          # POP version 3 and 4
nntp        119/tcp  readnews untp  # USENET News Transfer Protocol
ntp         123/udp                 # Network Time Protocol
imap2       143/tcp  imap           # Interim Mail Access P 2 and 4
ssmtp       465/tcp  smtps          # SMTP over SSL
nntps       563/tcp  snntp          # NNTP over SSL
submission  587/tcp                 # Submission [RFC4409]
imaps       993/tcp                 # IMAP over SSL
pop3s       995/tcp                 # POP3 over SSL
```
We filter traffic from the Internet, so valid Internet Message Format and Simple Mail Transfer Protocol (SMTP) must be used. As a result of our filtering, our IMAP and SMTP access does not work with Microsoft Office Outlook or Outlook Express. Your own machine should match the Standard Operating Environment (SOE) in the Acceptable Use Policy (AUP). Suitable user agents include Mozilla SeaMonkey and possibly Thunderbird, Opera M2 and Apple Mail. GNU/Linux users should use Sylpheed (gtk) or Mutt (ncurses).
Email from authenticated relay users is subject to stronger reputation filter checks than email from the Internet for local delivery only.
The machines used in Internet Cafes may be vulnerable.
Using the "On-Screen Keyboard" at Internet Cafes is believed to pose a risk that someone can see what you are entering; however, it has not been demonstrated, and mitigation of this perceived risk may actually be worse. (Corner case - the exception that proves the rule: The only time I remembered doing this was by stealth pressing the half duplex button on terminal when shoulder to shoulder with another user who was entering their password. My eyes were much better then than they are now. Not being that way inclined to be that close discovered that the EBCDIC card punch machines still worked so coded in F in a mountain of chad.)
Note that Man-In-The-Middle attacks are also still possible if the machine that is Internet Sharing has been compromised. It is better to use your own laptop, on which you have permanently accepted the n50.bgcaus.com certificate as for IMAP access above.¹
Apple iPhone 3.1.3 no longer accepts self signed certificates correctly as part of the SSH process using DH. This differs from the sample we originally reviewed. There may be new "regressions" so do not change the iPhone firmware unless instructed to do so by the BGC IT Department.
To remove an expired certificate you will need to use "Settings/General/Profile/Remove". Our certificates are not changed until they expire, so you should never accept a new one before expiry unless instructed by the BGC IT Department. The new one should only be downloaded via a trusted network as described above.
To add a certificate on an iPhone without SSH use the link. You must always accept the n50.bgcaus.com self-signed certificate for www access. This will then try to open the certificate in a new window. When prompted, install the n50.bgcaus.com certificate by tapping "Install". You will then be prompted with "Install Profile"; tap "Install Now" to proceed. If successful you should get "Profile Installed".
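The certificate policy on this page (accept the self-signed certificate only over a trusted network, and refuse any different certificate until the accepted one has expired) can be enforced as a fingerprint pin check. This is an added sketch, not BGC tooling: the `pins` store, the function names and the caller-supplied `not_after` time (read from the certificate when it is pinned) are assumptions.

```python
import hashlib
import socket
import ssl

class PinError(Exception):
    """The presented certificate must not be accepted."""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 993) -> bytes:
    """Fetch the server certificate; CA validation is off because it is self-signed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_pin(pins, host, der, now, trusted_network, not_after=None):
    """Apply the page's policy; returns 'match', 'expired' or 'pinned'.

    pins maps host -> {"sha256": hex fingerprint, "not_after": epoch seconds}.
    """
    seen = fingerprint(der)
    pin = pins.get(host)
    if pin and pin["sha256"] == seen:
        return "match" if now < pin["not_after"] else "expired"
    if pin and now < pin["not_after"]:
        # Certificates are not changed before expiry: treat as interception.
        raise PinError(f"{host}: certificate changed before expiry")
    if not trusted_network:
        raise PinError(f"{host}: new certificate offered on an untrusted network")
    if not_after is None:
        raise ValueError("not_after is required when pinning a certificate")
    pins[host] = {"sha256": seen, "not_after": not_after}
    return "pinned"

if __name__ == "__main__":
    pins = {}
    old, new = b"constructed-der-old", b"constructed-der-new"  # constructed bytes
    print(check_pin(pins, "n50.bgcaus.com", old, 100, True, not_after=200))
    print(check_pin(pins, "n50.bgcaus.com", old, 150, False))
    try:
        check_pin(pins, "n50.bgcaus.com", new, 150, False)
    except PinError as exc:
        print("refused:", exc)
```

In real use `der` would come from `fetch_der("n50.bgcaus.com")` and `pins` would be saved to disk between sessions.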