shadowtuck
asked on
Question on TLS, MTLS and email server to email server communication
Been trying to read up on this but its confusing. Let me give you an example. I am just talking server to server communication here. No clients unless you want to consider one server a client.
A user sends an email. Their server does not support TLS or encryption of any kind. The receiving gateway supports opportunistic TLS. Does the email from the server to the gateway get encrypted? I can't see how if the sending server has no certificate to encrypt the email.
Reverse this now. User behind the gateway which does support TLS encryption sends an email and the same receiving server receives it. Again, is the email encrypted? The gateway has a certificate but the receiving server does not. Receiving server does not understand TLS so again no encryption, correct?
Now both have certificates and support TLS. Email gets encrypted in both directions, but is this considered MTLS because they both have certificates?
You not believe how many different ways this gets explained and they are probably all right but explained differently.
I have read most of the articles so please don't just post a link. I need someone that understand TLS and email to explain it to me.
Thanks
A user sends an email. Their server does not support TLS or encryption of any kind. The receiving gateway supports opportunistic TLS. Does the email from the server to the gateway get encrypted? I can't see how if the sending server has no certificate to encrypt the email.
Reverse this now. User behind the gateway which does support TLS encryption sends an email and the same receiving server receives it. Again, is the email encrypted? The gateway has a certificate but the receiving server does not. Receiving server does not understand TLS so again no encryption, correct?
Now both have certificates and support TLS. Email gets encrypted in both directions, but is this considered MTLS because they both have certificates?
You not believe how many different ways this gets explained and they are probably all right but explained differently.
I have read most of the articles so please don't just post a link. I need someone that understand TLS and email to explain it to me.
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks evrydayzawrkday. The whole point of this post is to find out if all our inbound email is encryptped. Forget Exchange. We have a gateway that encrypts inbound and outbound email but it sounds like there is no guarantee inbound will be encrypted unless the sending server intiates it first. Not all servers do. Unless the sending server initiates a StartTLS command, its going to come over in clear text regardless of whether the receiving gateway supports TLS.
In order to ensure encryption always, sounds like MTLS is needed but that would probably cause a number of emails to drop I am guessing.
In order to ensure encryption always, sounds like MTLS is needed but that would probably cause a number of emails to drop I am guessing.
Shadowtuck,
You are absolutely correct. You might get Opp TLS between your smarthost and Exchange, but I cannot guarantee (without using MTLS) that from the smarthost outbound would be encrypted.
To ensure encryption of sensitive data, I would recommend using MutAuth TLS (MTLS) between the smarthost and other companies in which you share confidential data with.
You are absolutely correct. You might get Opp TLS between your smarthost and Exchange, but I cannot guarantee (without using MTLS) that from the smarthost outbound would be encrypted.
To ensure encryption of sensitive data, I would recommend using MutAuth TLS (MTLS) between the smarthost and other companies in which you share confidential data with.
SImon.