Solved

Email, SMTP security and encryption end -to- end servers.

Posted on 2014-10-06
1
624 Views
Last Modified: 2014-10-07
I have question regarding encryption of email messages from a end user to receiver user.
Putting SSL on exchange server, it encrypts message traffic from a client to the server and either way. What about the SMTP traffic between the server to the receiver's SMTP server and from the receiver SMTP server to the receiver's interface?

sender--------sending SMTP server--------Internet---------receiving SMTP server----receiver

Question 1:
In this case, I put SSL on my Microsoft exchange server between sender and the sending SMTP server. So it encrypts the message. When the message leaves the sendng SMTP server and during the trip to the receiing SMTP server, how does the message decides what encryption to choose and how can I choose it and deploy?

Question 2:
Even when the sending SMTP server enfoce the high encryption method, if the receiving SMTP server doesn't have the encryption method, then how the two servers negotiate the encryption to use?
0
Comment
Question by:crcsupport
1 Comment
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40365623
A lot here depends on the software being used on the two mail servers, but taking a typical example of explicit TLS, each mail server can be set to one of the following for inbound:

a) allow unencrypted connections, offer TLS in response to EHLO requests (requires cert on server)
b) require TLS

for outbound:
a) allow unencrypted connections, support TLS if offered (aka "opportunistic TLS")
b) require TLS, but don't require a valid certificate
c) require TLS, require a valid certificate, but don't authenticate the signature (so self signed ok, wrong name or validity period rejected)
d) require TLS, require a valid certificate signed by a CA

so in your chain, you have inbound from sender to mailserver A, outbound from mailserver A to mailserver B, inbound from mailserver A to mailserver B (same connection obviously, but two points of view), outbound from mailserver B to recipient.

for mailserver B, there is also the possibility (actually, quite probable) that the mail is held on the server and pulled to the recipient, using (eg) POP3 or IMAP - these would count as "inbound" connnections, so the options for inbound would apply.

Note, all of this is TRANSPORT security - usually end-to-end implies client encryption such as pgp, s/mime or CRES, which is a separate/independent solution (and can be used in addition to or as an alternative to transport security)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sendmail STARTTLS error 37 101
Best secure sending email service 1 60
Uninstall Exchange 2013 error 1 73
Changed email server and mail going to both servers 19 38
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question