Link to home
Start Free TrialLog in
Avatar of shadowtuck

asked on

Question on TLS, MTLS and email server to email server communication

Been trying to read up on this but its confusing. Let me give you an example. I am just talking server to server communication here. No clients unless you want to consider one server a client.

A user sends an email. Their server does not support TLS or encryption of any kind. The receiving gateway supports opportunistic TLS. Does the email from the server to the gateway get encrypted? I can't see how if the sending server has no certificate to encrypt the email.

Reverse this now. User behind the gateway which does support TLS encryption sends an email and the same receiving server receives it. Again, is the email encrypted? The gateway has a certificate but the receiving server does not. Receiving server does not understand TLS so again no encryption, correct?

Now both have certificates and support TLS. Email gets encrypted in both directions, but is this considered MTLS because they both have certificates?

You not believe how many different ways this gets explained and they are probably all right but explained differently.

I have read most of the articles so please don't just post a link. I need someone that understand TLS and email to explain it to me.

Avatar of Adam Farage
Adam Farage
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Simon Butler (Sembee)
No opportunist TLS in Exchange 2003. It was either on or off. If it is was on, then you lost about 90% of email.

Avatar of shadowtuck


Thanks evrydayzawrkday. The whole point of this post is to find out if all our inbound email is encryptped. Forget Exchange. We have a gateway that encrypts inbound and outbound email but it sounds like there is no guarantee inbound will be encrypted unless the sending server intiates it first. Not all servers do. Unless the sending server initiates a StartTLS command, its going to come over in clear text regardless of whether the receiving gateway supports TLS.

In order to ensure encryption always, sounds like MTLS is needed but that would probably cause a number of emails to drop I am guessing.

You are absolutely correct. You might get Opp TLS between your smarthost and Exchange, but I cannot guarantee (without using MTLS) that from the smarthost outbound would be encrypted.

To ensure encryption of sensitive data, I would recommend using MutAuth TLS (MTLS) between the smarthost and other companies in which you share confidential data with.