By Christian Lepore

Client Configuration for Campus Access

To configure your email client to connect to the SDCC mail server and authenticate with your account credentials from within the BNL campus:

  1. In your client preferences or settings, create an account with the following attributes:
    • Incoming server (IMAP):
      • Username/password: Your SDCC email account and email account password (separate from your SDCC account password)
      • IMAP server: rcf.rhic.bnl.gov
      • Port: 993
      • Security type: SSL (or SSL/TLS)
      • IMAP path prefix: None (leave blank).
    • Outgoing server (SMTP):
      • SMTP server: rcf.rhic.bnl.gov
      • Port: 587
      • Security type: SSL (or SSL/TLS)
        Note: some users report that STARTTLS works instead for their clients
      • Require authentication (or sign-in): Yes (enable)
      • Username/password: Your SDCC email account and password
  2. Save your account settings. The remainder of your mail client settings are orthogonal to your account connection, possibly client-specific, and should not affect your ability to connect to the SDCC mail server.

Client Configuration for Offsite Access (SSH SOCKS Proxy Tunnel Method)

The SDCC maintains an authenticating SMTP server allowing RHIC users with a valid SDCC email account to send mail through our server from outside of the BNL network.

If you are attempting to send mail from outside the BNL campus, you may connect to the email servers by using the SSH SOCKS proxy tunnel method, assuming your mail client permits SOCKS proxy tunneling.

You may enable SOCKS proxy tunneling either in your SSH config file or as a command-line argument when invoking SSH in a terminal window. Both methods listed below achieve the same goal, and it is not necessary to use both methods.

In your SSH Config (~/.ssh/config)

  • Use the "DynamicForward 1080" option to receive mail from the IMAP server and to send mail

SSH command line:

Use the argument "-D 1080 your.username@ssh.sdcc.bnl.gov" when invoking ssh

Configuring your mail client

In your mail client preferences or settings, look for the option to configure your client to use a SOCKS proxy tunnel:

  • Select manual proxy configuration
  • SOCKS Host: localhost
  • Port: 1080
  • Enable “Proxy DNS when using SOCKS v5”
  • In your mail client, go to account settings and set the outgoing (SMTP) server to rcf.rhic.bnl.gov:587

The advantage of using this SOCKS proxy tunnel connection is that the client connects to the mail server itself, so no certificate exception is needed, and any server-side certificate renewals will be transparent to the client.
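
To check the tunnel before changing mail client settings, the script below (an added example, not SDCC tooling) speaks SOCKS5 to the "-D 1080" listener, passes the server name rather than an IP address so that the lookup happens at the far end of the tunnel, and reports whether port 587 offers STARTTLS. The function names and the EHLO name client.example are assumptions made for the example.

```python
import socket

def socks5_connect_request(host: str, port: int) -> bytes:
    # ATYP 0x03 carries the hostname itself, so the proxy end resolves it;
    # this is what "Proxy DNS when using SOCKS v5" selects in a mail client.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")

def open_via_socks5(host, port, proxy=("localhost", 1080), timeout=10):
    s = socket.create_connection(proxy, timeout=timeout)
    f = s.makefile("rb")
    s.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
    if f.read(2) != b"\x05\x00":
        raise ConnectionError("proxy refused the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    hdr = f.read(4)
    if len(hdr) < 4 or hdr[:2] != b"\x05\x00":
        raise ConnectionError(f"SOCKS5 CONNECT failed: {hdr!r}")
    # Skip the bound address after the header (IPv4, IPv6 or length-prefixed).
    addr_len = {1: 4, 4: 16}.get(hdr[3]) or f.read(1)[0]
    f.read(addr_len + 2)
    return s, f

def read_reply(f) -> str:
    # One SMTP reply; only its final line has a space after the 3-digit code.
    lines = []
    while line := f.readline():
        lines.append(line.decode(errors="replace"))
        if line[3:4] != b"-":
            break
    return "".join(lines)

def offers_starttls(ehlo_reply: str) -> bool:
    return any(ln[:3] == "250" and ln[4:].strip().upper() == "STARTTLS"
               for ln in ehlo_reply.splitlines())

if __name__ == "__main__":
    s, f = open_via_socks5("rcf.rhic.bnl.gov", 587)
    with s, f:
        print(read_reply(f).strip())  # server greeting
        s.sendall(b"EHLO client.example\r\n")  # constructed client name
        print("STARTTLS offered:", offers_starttls(read_reply(f)))
```

Run it while the SSH session with the SOCKS listener is open; a connection error at the first step means nothing is listening on localhost:1080.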

If Thunderbird is your mail client:

When configured, Mozilla Thunderbird will use the SOCKS proxy for both incoming and outgoing connections, and a second SSH tunnel for outgoing traffic is not required. Configure the SOCKS proxy tunnel as above for IMAP connections, and then configure Thunderbird as follows for SMTP:

  • Server: rcf.rhic.bnl.gov
  • Port: 25
  • Auth: None
  • Security: None

Technical details

Authenticated SMTP can use three ports, namely 25 (SMTP), 465 (SMTPS) and 587 (mail message submission). We do not allow access through ports 25 or 465, so you need to configure your email client to use port 587.

Configure your client to use rcf.rhic.bnl.gov as the outgoing SMTP server. Select the appropriate port supported by your e-mail client. Enter your SDCC email account user name for the connection to the server and make sure that the client will use SSL when connecting.

You will have to accept our self-signed SSL certificate the first time that you send mail through the SDCC server.

Restrictions

As of April 15, 2020, all non-MFA-protected IMAP servers at DOE facilities are blocked from the Internet. 

As of September 2024, users looking to access their email offsite need to access incoming (IMAP) and outgoing (SMTP) traffic through SSH tunnels, as outlined above. 

As of September 2024, Cyber Security requirements mandate that any password changed from this point on must be at least 16 characters long. Users whose email passwords don't currently comply with existing requirements will be contacted to change their passwords, which will need to meet this new 16-character mandate.