Thursday, November 3, 2016

TLS for SMTP: how do we check if our mail server supports it?

Tools for checking TLS support on email servers exist and should be used to validate that your mail system can use TLS:

https://www.checktls.com

https://ssl-tools.net/mailservers/ 


ssl-tools is the better of the two, with reports on errors and weak systems. Take this MX host


 

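You can also use openssl with its -starttls option to test mail servers. The -ssl3 option at the end of the command restricts the handshake to SSLv3; s_client also accepts -tls1, -tls1_1 and -tls1_2 to test those versions.

e.g.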

 openssl s_client -connect yourmailhost.mydomain.com:25 -starttls smtp -ssl3


Why do we care about TLS within our email systems?


We need to ensure we use encryption during transport and that we are not exposed or vulnerable.

For various compliance requirements we want to protect data sent between two parties. By using and enforcing TLS per recipient (RCPT) domain we can ensure we at least protect mail in transit. IBE (identity-based encryption) is better, and just encrypting the mail data as an attachment is even better.

Many pros and cons exist for mail security, and the management of these methods could require more support and add complexity.

At minimum we should support TLS for SMTP connections and ensure we are running TLS v1.0 or better and with a strong cipher.
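
The following Python script is an added example, not part of the original post: it performs the STARTTLS handshake against a mail host and grades the negotiated protocol and cipher against the minimum stated above. The weak-cipher markers, the 128-bit threshold, and the names `assess` and `probe` are assumptions of this example.

```python
import smtplib
import ssl
import sys

# Assumed policy: the post's floor is TLS v1.0; pass min_protocol to tighten it.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Substrings of OpenSSL cipher names treated as weak in this example (assumed list).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def assess(protocol, cipher, bits, min_protocol="TLSv1"):
    """Return findings for one negotiated session; an empty list means pass."""
    if protocol is None:
        return ["no TLS: connection, STARTTLS or handshake failed"]
    findings = []
    if PROTOCOL_RANK.get(protocol, -1) < PROTOCOL_RANK[min_protocol]:
        findings.append(f"protocol {protocol} is below {min_protocol}")
    if any(marker in cipher.upper() for marker in WEAK_MARKERS):
        findings.append(f"weak cipher {cipher}")
    if bits < 128:
        findings.append(f"only {bits} secret bits")
    return findings


def probe(host, port=25, timeout=10):
    """EHLO, STARTTLS, then return (protocol, cipher, bits); (None, None, 0) on failure."""
    ctx = ssl.create_default_context()
    # Certificate checks are switched off so protocol and cipher are reported
    # even for self-signed MX certificates; this probe sends no mail.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return (None, None, 0)
            smtp.starttls(context=ctx)
            name, _, bits = smtp.sock.cipher()
            return (smtp.sock.version(), name, bits)
    except OSError:  # covers socket errors, ssl.SSLError and smtplib.SMTPException
        return (None, None, 0)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_smtp_tls.py <mx-host>")
    result = probe(sys.argv[1])
    print(sys.argv[1], *result, assess(*result) or "OK")
```

Python's default context may itself refuse protocol versions older than TLS 1.2, in which case a server limited to those versions is reported as a failed handshake.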


Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 

        /  \
