Avatar of shadowtuck
shadowtuck asked on

Question on TLS, MTLS and email server to email server communication

Been trying to read up on this but its confusing. Let me give you an example. I am just talking server to server communication here. No clients unless you want to consider one server a client.

A user sends an email. Their server does not support TLS or encryption of any kind. The receiving gateway supports opportunistic TLS. Does the email from the server to the gateway get encrypted? I can't see how if the sending server has no certificate to encrypt the email.

Reverse this now. User behind the gateway which does support TLS encryption sends an email and the same receiving server receives it. Again, is the email encrypted? The gateway has a certificate but the receiving server does not. Receiving server does not understand TLS so again no encryption, correct?

Now both have certificates and support TLS. Email gets encrypted in both directions, but is this considered MTLS because they both have certificates?

You not believe how many different ways this gets explained and they are probably all right but explained differently.

I have read most of the articles so please don't just post a link. I need someone that understand TLS and email to explain it to me.

ExchangeInternet Protocols

Avatar of undefined
Last Comment
Adam Farage

8/22/2022 - Mon
Adam Farage

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Simon Butler (Sembee)

No opportunist TLS in Exchange 2003. It was either on or off. If it is was on, then you lost about 90% of email.


Thanks evrydayzawrkday. The whole point of this post is to find out if all our inbound email is encryptped. Forget Exchange. We have a gateway that encrypts inbound and outbound email but it sounds like there is no guarantee inbound will be encrypted unless the sending server intiates it first. Not all servers do. Unless the sending server initiates a StartTLS command, its going to come over in clear text regardless of whether the receiving gateway supports TLS.

In order to ensure encryption always, sounds like MTLS is needed but that would probably cause a number of emails to drop I am guessing.
Adam Farage


You are absolutely correct. You might get Opp TLS between your smarthost and Exchange, but I cannot guarantee (without using MTLS) that from the smarthost outbound would be encrypted.

To ensure encryption of sensitive data, I would recommend using MutAuth TLS (MTLS) between the smarthost and other companies in which you share confidential data with.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.