SMTP whitelisting - instructions provided from support back to customers
I'm trialling PIA, and as part of that discovered that SMTP servers need to be whitelisted - so I wrote to support, and they whitelisted my SMTP server.
I was confused why my 'email address' had to be provided (https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219457007-Why-can-t-I-send-email-when-on-the-VPN- - "the email address(es) being blocked"), so I omitted that. Surely PIA wouldn't get to see or know anything of that?
The whitelisting did work (sending mail is going OK now), but I was also given some strange instructions back, which so far, the support hasn't been able to explain.
- I was told to switch to using the IP address of the SMTP server, not the hostname (later I'm told this apparently to 'not have to worry about the DNS request' - but that seems strange to me - if THIS DNS request is a worry, then ALL my requests are a worry)
- To stop using SSL/TLS (apparently due to the above switch to IP)
- To change the username I provide to be the 'full email address', not just the 'username' part
Can anyone explain what might be behind these instructions? They don't seem to be necessary, and are quite concerning (since without SSL, PIA - and anyone /after/ PIA could see the plaintext - including the credentials) and especially the last one implies PIA are parsing the username somehow.
However, openssl/STARTTLS checks do work, so I'm fairly sure the traffic isn't actually being intercepted by any PIA server (over and above normal VPN behaviour, anyway). When I asked for an explanation, I was asked to prove I was a customer (which I did, but still, no explanation comes - only requests for screenshots of my email client).
Comments
The reason we ask you to switch to an IP is that many services use round-robin DNS, so there's a significant chance that you'll be assigned an IP that has not been whitelisted if you continue using the hostname of the SMTP server. The DNS request itself isn't a worry at all, so long as you're not leaking!
You should continue using SSL/TLS.
There shouldn't be any issue with the username, either.
It looks like there was a bit of confusion here on our side, so I've made sure to send this through the appropriate channels to be addressed.
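An added example (not from the thread, PIA or the OP) illustrating the two points in this reply: the set of addresses a round-robin hostname can resolve to versus the one address that got whitelisted, and that pinning the whitelisted IP does not require dropping TLS, because the certificate can still be verified against the real hostname. The hostname, addresses and whitelist are constructed; using smtplib's private `_host` attribute for the SNI name is an assumption about CPython's implementation.

```python
"""Check whether an SMTP whitelist covers every address a hostname resolves
to, and connect to one whitelisted IP without giving up TLS verification."""
import smtplib
import socket
import ssl
from typing import Callable, Iterable

# Constructed sample: a mail host that round-robins over three addresses while
# the VPN provider whitelisted only the one the customer happened to report.
SAMPLE_DNS = {"smtp.example.net": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
SAMPLE_WHITELIST = {"192.0.2.10"}

def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    """Offline stand-in for socket.getaddrinfo, returning the same tuple shape."""
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in SAMPLE_DNS.get(host, [])]

def resolve_all(hostname: str, resolver: Callable = socket.getaddrinfo) -> set[str]:
    """Every address the hostname currently resolves to (one lookup may return
    several; repeat it over time to catch answers that rotate between lookups)."""
    return {entry[4][0] for entry in resolver(hostname, 25, type=socket.SOCK_STREAM)}

def uncovered(resolved: Iterable[str], whitelist: Iterable[str]) -> set[str]:
    """Addresses the client may be sent to that the whitelist does not allow."""
    return set(resolved) - set(whitelist)

def miss_probability(resolved: Iterable[str], whitelist: Iterable[str]) -> float:
    """Fraction of equal-weight round-robin answers that would end up blocked."""
    resolved = set(resolved)
    return len(uncovered(resolved, whitelist)) / len(resolved) if resolved else 0.0

def connect_pinned(ip: str, port: int, hostname: str, timeout: float = 30) -> smtplib.SMTP:
    """Open SMTP to the fixed, whitelisted IP, then STARTTLS while verifying the
    certificate and SNI against the real hostname, so TLS stays switched on.
    Assumption: CPython's smtplib passes SMTP._host as server_hostname."""
    smtp = smtplib.SMTP(ip, port, timeout=timeout)
    smtp._host = hostname                   # name used for SNI and certificate matching
    ctx = ssl.create_default_context()      # verifies the chain and hostname by default
    smtp.starttls(context=ctx)
    smtp.ehlo()                             # re-EHLO over the encrypted channel
    return smtp

if __name__ == "__main__":
    ips = resolve_all("smtp.example.net", resolver=fake_getaddrinfo)
    print(f"resolved {sorted(ips)}; not whitelisted: {sorted(uncovered(ips, SAMPLE_WHITELIST))}")
    print(f"chance a fresh lookup lands on a blocked address: {miss_probability(ips, SAMPLE_WHITELIST):.0%}")
```

Run against the real resolver a few times over a day to see whether the address set changes, and compare it with what the provider actually whitelisted.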
I offered 'round robin' as a potential reason for switching to IP-only ("Maybe the directive to switch to the IP address is because you've only whitelisted that specific IP, and you're concerned that the hostname may rotate through several IPs?") but the agent didn't appear to agree that was the reason!
I highly appreciate the response here on the forum, I'll stick around with PIA a bit longer!
If you have any other questions please let us know!
https://www.privateinternetaccess.com/forum/discussion/34165/smtp-whitelist-policy-14th-june-2018