0

We have relationships with some banks that are trying to implement some secure email. Is there any method that would force the server to send emails via TLS when sending email to a specific domain? This is a cpanel/WHM server.

We basically need to require that an email be secure from user -> mail server and from mail server -> bank's server.

I'm not entirely familiar with what happens after the email leaves my email program. If I send a message over TLS or SSL outgoing connection, does the email leave the mail server also over a secure connection? I have no problem implementing TLS from the client to the mail server. It's after it gets to the mail server that I am unclear on.

Any help on this would be appreciated.

Jestep
  • 643
  • 1
  • 7
  • 11

3 Answers3

3

Others can talk about the cpanel-specific issues, but I can talk to SMTP TLS.

A TLS connection is negotiated between two mailers as part of the ESMTP negotiation process. Most mailers can be configured to prefer TLS connections over plain ones (or not, encryption does cost CPU cycles), and the major Linux mailers also have the ability to set per-domain mail policies that include TLS settings. So you can specify wellsfargo.com gets TLS, but gmail.com doesn't for instance. Mailers are pretty good these days about stamping Received-By: headers with (TLS) if it received the mail over a TLS connection.

This will encrypt the mail in transit between actual mailers. Encrypting it between the sender and the mailer will require the sender to use an encrypted method to send, either TLS or SSL. Requiring login to send mail and only allowing logins over encrypted methods will accomplish this.

If you require the mail to be encrypted while in mail queues, then you'll have to encrypt the mails themselves with either S/MIME or PGP/GPG.

sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
2

Check the TLS/SSL chapter in the Exim Specification. If you have TLS enabled, it will be used on outgoing connections to servers which advertise STARTTLS. TLS will be required for hosts listed in the hosts_require_tls option. This should be set at the beginning of the Exim configuration file.

BillThor
  • 27,737
  • 3
  • 37
  • 69
1

Personally (and for management), I'd not trust this, if for no other reason than if something went wrong you might not know about it without strict monitoring of the logs and it depends on not just your server's config, but all the other organizations staying on board and you have no control over their updates/alterations/politics. I'd rather keep more control and do it with PGP on the user mail clients. You'll be sure that the mails are encrypted end to end that way, even if the mail server is compromised, not just in the transit channel.

Bart Silverstrim
  • 31,172
  • 9
  • 67
  • 87