Verify the connection is made on SMTP Over TLS

Muhammad Asif
I have included the email header below. Can someone please confirm that the email received by the email security gateway "esg1.abc.com" from sl.ab-bev.com [104.168.167.27] came in over a connection using SMTP over TLS?

Moreover, what is meant by verify=NO in the header below?


from sl.ab-bev.com (sl.ab-bev.com [104.168.167.27]) by esg1.abc.com with ESMTP id iYM5xoyaE6GTt8HE (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
Commented:
version=TLSv1.2 indicates what you wished for: the whole email traffic was encrypted.
The verify=NO is correct; mail servers do not authenticate with each other (how could they? They don't know each other).
Verify=YES is when your Outlook setup is talking to an SMTP server that needs authentication (otherwise, it's an open relay!).
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
There is no way you can tell this, except by looking in the esg1.abc.com logs at connections from sl.ab-bev.com, because protocol negotiation depends on both parties, the sending MTA (sl.ab-bev.com) and the receiving MTA (esg1.abc.com). So the best you can do is connect to your receiving MTA to determine whether that MTA handles TLS connections.

That's all that can be determined, from the outside.

Looking at logs will tell you the details of a connection pair.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Re-reading your question, what you're asking is a bit vague, as it's unclear if you're talking about authenticated submission or promiscuous submission.

1) For authenticated, port 587 submission, this will always require an authenticated login. If the protocol type is forced to TLS, then the connection will always be TLS, at whatever protocol level (like TLSv1.2) the MTA being used is set to.

2) For promiscuous TLS submission, see my previous comment.
Muhammad Asif, Senior Solutions Architect

Author

Commented:
I have found the answer on Technet.

Yes, it's using TLS.

In this context, Verify typically means the authenticity of the cert and its chain wasn't verified, because it doesn't need to be; all that matters is that a cert exists. This is common with Opportunistic TLS.
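To make the two points in this thread concrete (version=TLSv1.2 proves the hop was encrypted; verify=NO means the sending server's certificate was not validated), here is an added example, not code from the original post, that parses the TLS parameters an MTA appends to a Received: header. It uses the header quoted in the question as one constructed sample and a second constructed sample with no TLS parameters at all, so the plaintext case is handled too.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the first is the Received header quoted in the question,
# the second is the same hop with the TLS parameters absent (a plaintext delivery).
RECEIVED_TLS = (
    "from sl.ab-bev.com (sl.ab-bev.com [104.168.167.27]) by esg1.abc.com "
    "with ESMTP id iYM5xoyaE6GTt8HE "
    "(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)"
)
RECEIVED_PLAIN = (
    "from sl.ab-bev.com (sl.ab-bev.com [104.168.167.27]) by esg1.abc.com "
    "with ESMTP id iYM5xoyaE6GTt8HE"
)

# The MTA appends its TLS summary as a parenthesised list of key=value pairs;
# capture the pairs generically so field order does not matter.
_TLS_BLOCK = re.compile(r"\((?P<kv>version=[^)]*)\)")
_KV = re.compile(r"(\w+)=(\S+)")

@dataclass
class HopTls:
    encrypted: bool
    version: Optional[str] = None
    cipher: Optional[str] = None
    bits: Optional[int] = None
    verify: Optional[str] = None  # raw verify= value, e.g. NO, OK, FAIL

def parse_received_tls(received: str) -> HopTls:
    """Extract the TLS parameters from a single Received: header line."""
    m = _TLS_BLOCK.search(received)
    if not m:
        return HopTls(encrypted=False)  # no version=... block: plaintext hop
    kv = dict(_KV.findall(m.group("kv")))
    return HopTls(True, kv.get("version"), kv.get("cipher"),
                  int(kv["bits"]) if "bits" in kv else None, kv.get("verify"))

def assess(received: str) -> str:
    """State what the header proves: encrypted or not, peer authenticated or not."""
    hop = parse_received_tls(received)
    if not hop.encrypted:
        return "plaintext"
    # Only verify=OK means the peer's certificate chain was validated; NO, NOT,
    # FAIL etc. mean the hop was encrypted but the sending MTA is unauthenticated.
    if (hop.verify or "").upper() == "OK":
        return f"encrypted ({hop.version}), peer certificate verified"
    return f"encrypted ({hop.version}), peer certificate not verified (opportunistic TLS)"
```

Run assess() over each Received: line of a message to see, hop by hop, where transport encryption was present and where the peer was actually authenticated.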
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tip: As I recall, last time I hit this type of problem I just generated a https://LetsEncrypt.org TLS cert for use with Opportunistic TLS.
