We have relationships with some banks that are trying to implement some secure email. Is there any method that would force the server to send emails via TLS when sending email to a specific domain? This is a cpanel/WHM server.
We basically need to require that an email be secure from user -> mail server and from mail server -> bank's server.
I'm not entirely familiar with what happens after the email leaves my email program. If I send a message over TLS or SSL outgoing connection, does the email leave the mail server also over a secure connection? I have no problem implementing TLS from the client to the mail server. It's after it gets to the mail server that I am unclear on.
Any help on this would be appreciated.
Others can talk about the cpanel-specific issues, but I can talk to SMTP TLS.
A TLS connection is negotiated between two mailers as part of the ESMTP negotiation process. Most mailers can be configured to prefer TLS connections over plain ones (or not, encryption does cost CPU cycles), and the major Linux mailers also have the ability to set per-domain mail policies that include TLS settings. So you can specify wellsfargo.com gets TLS, but gmail.com doesn't for instance. Mailers are pretty good these days about stamping Received-By: headers with (TLS) if it received the mail over a TLS connection.
This will encrypt the mail in transit between actual mailers. Encrypting it between the sender and the mailer will require the sender to use an encrypted method to send, either TLS or SSL. Requiring login to send mail and only allowing logins over encrypted methods will accomplish this.
If you require the mail to be encrypted while in mail queues, then you'll have to encrypt the mails themselves with either S/MIME or PGP/GPG.
Check the TLS/SSL chapter in the Exim Specification. If you have TLS enabled, it will be used on outgoing connections to servers which advertise STARTTLS. TLS will be required for hosts listed in the hosts_require_tls option. This should be set at the beginning of the Exim configuration file.
Personally (and for management), I'd not trust this, if for no other reason than if something went wrong you might not know about it without strict monitoring of the logs and it depends on not just your server's config, but all the other organizations staying on board and you have no control over their updates/alterations/politics. I'd rather keep more control and do it with PGP on the user mail clients. You'll be sure that the mails are encrypted end to end that way, even if the mail server is compromised, not just in the transit channel.
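Added example (not part of the original answers): one way to do the log monitoring the last answer mentions is to scan Exim's main log for deliveries to the domains that must use TLS and flag any delivery line without an X= cipher field. It goes one step beyond the answers by also flagging CV=no (peer certificate not verified). The domain bank.example, the sample lines, and the function name are constructed for illustration, and it assumes Exim's default tls_cipher and tls_certificate_verified log selectors are enabled.

```python
import re

# Constructed sample lines in Exim mainlog format (not real traffic).
SAMPLE_LOG = """\
2024-05-01 09:00:01 1sAAAA-000001-AA => alice@bank.example R=dnslookup T=remote_smtp H=mx.bank.example [192.0.2.10] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK"
2024-05-01 09:05:12 1sAAAB-000002-BB => bob@bank.example R=dnslookup T=remote_smtp H=mx.bank.example [192.0.2.10] C="250 OK"
2024-05-01 09:06:30 1sAAAC-000003-CC => carol@other.example R=dnslookup T=remote_smtp H=mx.other.example [198.51.100.7] C="250 OK"
2024-05-01 09:07:44 1sAAAD-000004-DD => dave@bank.example R=dnslookup T=remote_smtp H=mx.bank.example [192.0.2.10] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C="250 OK"
2024-05-01 09:08:00 1sAAAE-000005-EE <= sender@example.org H=client.example.org [203.0.113.5] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 S=1234
"""

# Delivery lines: "<date> <time> <msgid> => <address> ..." ("->" marks extra recipients).
DELIVERY = re.compile(r"^\S+ \S+ (\S+) [=-]> (\S+)(.*)$")
FIELD_X = re.compile(r"\sX=(\S+)")    # negotiated TLS cipher suite
FIELD_CV = re.compile(r"\sCV=(\S+)")  # peer certificate verification result

def audit_deliveries(log_text, required_domains):
    """Return (msgid, address, reason) for deliveries that broke the TLS policy."""
    required = {d.lower() for d in required_domains}
    findings = []
    for line in log_text.splitlines():
        m = DELIVERY.match(line)
        if not m:
            continue  # arrivals ("<="), deferrals and other lines are skipped
        msgid, addr, rest = m.groups()
        domain = addr.strip("<>").rpartition("@")[2].lower()
        # Only remote deliveries carry an H= (remote host) field.
        if domain not in required or " H=" not in rest:
            continue
        cipher = FIELD_X.search(rest)
        verified = FIELD_CV.search(rest)
        if cipher is None:
            findings.append((msgid, addr, "no-tls"))
        elif verified and verified.group(1) == "no":
            findings.append((msgid, addr, "cert-unverified"))
    return findings

if __name__ == "__main__":
    for finding in audit_deliveries(SAMPLE_LOG, ["bank.example"]):
        print(*finding)
```

With hosts_require_tls in effect for the domain, a "no-tls" finding should never appear, so any hit points to a configuration gap or a route that bypasses the policy.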