Solved

Email, SMTP security and encryption end-to-end servers.

Posted on 2014-10-06
Last Modified: 2014-10-07
I have a question regarding encryption of email messages from an end user to a receiver user.
Putting SSL on the Exchange server, it encrypts message traffic from a client to the server and either way. What about the SMTP traffic between the server to the receiver's SMTP server and from the receiver SMTP server to the receiver's interface?

sender--------sending SMTP server--------Internet---------receiving SMTP server----receiver

Question 1:
In this case, I put SSL on my Microsoft Exchange server between the sender and the sending SMTP server, so it encrypts the message. When the message leaves the sending SMTP server and during the trip to the receiving SMTP server, how does the message decide what encryption to choose, and how can I choose it and deploy it?

Question 2:
Even when the sending SMTP server enforces the high encryption method, if the receiving SMTP server doesn't have the encryption method, then how do the two servers negotiate the encryption to use?
Question by:crcsupport

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40365623
A lot here depends on the software being used on the two mail servers, but taking a typical example of explicit TLS, each mail server can be set to one of the following for inbound:

a) allow unencrypted connections, offer TLS in response to EHLO requests (requires cert on server)
b) require TLS

for outbound:
a) allow unencrypted connections, support TLS if offered (aka "opportunistic TLS")
b) require TLS, but don't require a valid certificate
c) require TLS, require a valid certificate, but don't authenticate the signature (so self signed ok, wrong name or validity period rejected)
d) require TLS, require a valid certificate signed by a CA

so in your chain, you have inbound from sender to mailserver A, outbound from mailserver A to mailserver B, inbound from mailserver A to mailserver B (same connection obviously, but two points of view), outbound from mailserver B to recipient.

for mailserver B, there is also the possibility (actually, quite probable) that the mail is held on the server and pulled to the recipient, using (e.g.) POP3 or IMAP - these would count as "inbound" connections, so the options for inbound would apply.

Note, all of this is TRANSPORT security - usually end-to-end implies client encryption such as PGP, S/MIME or CRES, which is a separate/independent solution (and can be used in addition to or as an alternative to transport security)
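
The outbound options (a) to (d) from the answer above, modelled as an added Python example (not part of the original answer and not any mail server's own code). The EHLO replies, the `PeerCert` summary and the `refuse` outcome are constructed for illustration; what a real server does when its TLS requirement is not met depends on the software.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed EHLO replies (RFC 5321 multi-line format); not captured traffic.
WITH_TLS = "250-mail.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
WITHOUT_TLS = "250-mail.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME"

@dataclass
class PeerCert:
    """Hypothetical summary of what the TLS handshake showed about the peer's certificate."""
    name_matches: bool
    in_validity_period: bool
    ca_signed: bool

def offers_starttls(ehlo_reply: str) -> bool:
    """True if the receiving server lists STARTTLS among its EHLO extensions."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].upper().split()[:1] == ["STARTTLS"]:
                return True
    return False

def outbound_decision(policy: str, ehlo_reply: str, cert: Optional[PeerCert]) -> str:
    """Outcome for outbound policy 'a'..'d': 'plaintext', 'encrypted' or 'refuse'.

    'refuse' is this sketch's label for "do not send on this connection"; whether
    the message is then queued or bounced depends on the mail server software.
    """
    if policy not in ("a", "b", "c", "d"):
        raise ValueError(f"unknown policy {policy!r}")
    if cert is None or not offers_starttls(ehlo_reply):
        # TLS not available: only opportunistic mode (a) falls back to cleartext.
        return "plaintext" if policy == "a" else "refuse"
    if policy in ("a", "b"):
        return "encrypted"  # any certificate is accepted
    if not (cert.name_matches and cert.in_validity_period):
        return "refuse"     # (c) and (d) reject wrong name or validity period
    if policy == "d" and not cert.ca_signed:
        return "refuse"     # (d) additionally rejects self-signed certificates
    return "encrypted"

if __name__ == "__main__":
    self_signed = PeerCert(name_matches=True, in_validity_period=True, ca_signed=False)
    for p in "abcd":
        print(p, outbound_decision(p, WITHOUT_TLS, None),
              outbound_decision(p, WITH_TLS, self_signed))
```

Under option (a) a receiving server that does not advertise STARTTLS still gets the message, in cleartext; under (b) to (d) the sender does not fall back.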