Securing email

Niagara supports secure outgoing and incoming email using TLS (Transport Layer Security).
Prerequisites: The EmailService is in your Services container with both IncomingAccount and OutgoingAccount components. If not, add the EmailService component from the email palette before you begin. You may have multiple incoming and outgoing accounts, which allow you to set up connections to servers that support secure communication and others that may not.

Follow this procedure for both your incoming and outgoing accounts.

Perform the following steps:
  1. In the station's Nav tree, right-click the IncomingAccount or OutgoingAccount node under the EmailService container and click Views > Property Sheet. The account Property Sheet opens.
  2. As of Niagara 4.13, for Email Authenticator, select the preferred email authentication type (for example, the type required by Microsoft 365/Exchange or Gmail). For more information, see the “email-IncomingAccount” and “email-OutgoingAccount” components in the Niagara Alarms Guide.
  3. The system provides two secure communication options:

    • The default, Use Ssl, encrypts the connection from the moment it is opened: the TLS handshake completes before any email traffic is exchanged. It negotiates the highest TLS version supported by both the station and the server, never lower than the version configured in Tls Min Protocol.
    • Use Start Tls makes it possible to connect to an email server that does not accept an encrypted connection on its standard port. The connection is opened without encryption, then switches to TLS to encrypt the message itself.

      Use Ssl and Use Start Tls are mutually exclusive. Both may be false.

    • For Tls Min Protocol, select the minimum acceptable TLS version to use.
  4. To provide secure email, set one property to true and the other to false.

    The example shows the configuration when Transport is set to Smtp.

    Incoming and outgoing messages use different ports for secure communication as follows:

    Email ports based on transport type

                    Outgoing (SMTP)   Incoming (IMAP)   Incoming (POP3)
    Not encrypted   25                143               110
    Use Start Tls   587               143               110
    Use Ssl         465               993               995

    Not all servers follow these rules. You may need to check with your ISP (Internet Service Provider).

    NOTE: Do not enable or disable the Use Ssl or Use Start Tls properties without also configuring the Port to match.
  5. Change the Port to the appropriate port number (the defaults are 25 for outgoing and 110 for incoming email).
    The system also provides server identity verification. For most email servers, the root certificate is already in the System Trust Store.
  6. If no root CA certificate for the email server is in the station's System Trust Store (third-party signed certificate) or in the User Trust Store (your own certificate if you provide your own secure email server), either:
    • Import your own or a third-party signed root CA certificate into the station’s User Trust Store.
    • Or, if you do not have a signed certificate yet, accept the system-generated, self-signed certificate when challenged. This creates an exemption in the Allowed Hosts list. Later, import the root CA certificate and delete this temporary exemption.
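To make the relationship between Use Ssl, Use Start Tls, Tls Min Protocol and Port concrete, here is an added Python example (not Niagara's code) that mirrors the page's port table and both connection styles using only the standard library. The TLS version names and the ca_file parameter are assumptions standing in for the station's Tls Min Protocol setting and User Trust Store.

```python
import smtplib
import ssl

# Port table from the page: transport -> (not encrypted, Use Start Tls, Use Ssl)
PORTS = {"smtp": (25, 587, 465), "imap": (143, 143, 993), "pop3": (110, 110, 995)}
# Assumed Tls Min Protocol choices, mapped to Python's ssl versions
MIN_PROTOCOL = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def expected_port(transport, use_ssl, use_start_tls):
    """Return the usual port for the transport and TLS mode (Use Ssl and Use Start Tls exclusive)."""
    if use_ssl and use_start_tls:
        raise ValueError("Use Ssl and Use Start Tls are mutually exclusive")
    plain, starttls, implicit = PORTS[transport.lower()]
    return implicit if use_ssl else starttls if use_start_tls else plain


def check_account(transport, use_ssl, use_start_tls, port):
    """Review one account's settings; returns a list of findings (empty means consistent)."""
    findings = []
    if use_ssl and use_start_tls:
        return ["Use Ssl and Use Start Tls are both true; set exactly one of them"]
    if not (use_ssl or use_start_tls):
        findings.append("no TLS: credentials and mail travel in the clear")
    want = expected_port(transport, use_ssl, use_start_tls)
    if port != want:  # the NOTE on the page: TLS mode changed without changing Port
        findings.append(f"port {port} is not the usual {transport.upper()} port {want} for this mode")
    return findings


def tls_context(min_protocol="TLSv1.2", ca_file=None):
    """Client TLS context: hostname verification on, floor at the minimum protocol, and an
    optional private root CA file (the counterpart of the station's User Trust Store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = MIN_PROTOCOL[min_protocol]
    return ctx


def open_smtp(host, port, use_ssl, use_start_tls, ctx):
    """Use Ssl: TLS handshake first, then SMTP. Use Start Tls: plain SMTP greeting, then
    upgrade; smtplib raises SMTPNotSupportedError if the server does not offer STARTTLS."""
    if use_ssl:
        return smtplib.SMTP_SSL(host, port, context=ctx)
    conn = smtplib.SMTP(host, port)
    if use_start_tls:
        conn.starttls(context=ctx)
    return conn
```

Run check_account against each IncomingAccount and OutgoingAccount's settings before saving; a non-empty result is the misconfiguration the NOTE above warns about.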