alice@a.com --> smtp.a.com --?-->  Internet --?--> pop.b.com --> bob@b.com

On the route from sender to server, and server to receiver, encrypted connections (STARTTLS, etc.) seem to be getting more and more common. All major freemail providers and email programs offer encryption by now.

But what about the connections between/among the various email service providers? Do they use encrypted connections between their mail / relay servers?

What's the trend there? Insider knowledge from the industry welcome!

I am not looking for setup instructions as e.g. in #142594, but really would like to know what the current common practice is among the Internet and the dominant (free)mail / service providers.

Or in other words: If both sender and receiver use encrypted connections, how likely is it that an email still travels through unencrypted route sections?

porg

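The question of whether a message crossed a cleartext hop can be answered after the fact from the message itself: every MTA that handles it prepends a Received: header, and most record the transport protocol ("with ESMTPS" per RFC 3848, or a "(using TLSv1.2 ...)" annotation) for the connection it accepted. The following is an added example, not code from the question or the answers, that unfolds a Received: trace and flags each hop as TLS or cleartext. The header block is constructed for the example with made-up host names and queue IDs; it models the alice@a.com -> smtp.a.com -> pop.b.com -> bob@b.com route from the question, with the relay between the two providers left unencrypted.

```python
import re
from typing import Dict, List

# Constructed sample input (not from the original question): the Received:
# trace of one message as seen in the recipient's mailbox, newest hop first.
# Host names and IDs are made up; addresses come from documentation ranges.
SAMPLE_HEADERS = """\
Received: from pop.b.com (pop.b.com [192.0.2.30])
        by mailstore.b.com with ESMTPS id 7F3A2C1
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        for <bob@b.com>; Wed, 13 Jul 2011 10:26:01 +0000
Received: from smtp.a.com (smtp.a.com [198.51.100.10])
        by pop.b.com with ESMTP id 4B9D12E
        for <bob@b.com>; Wed, 13 Jul 2011 10:25:58 +0000
Received: from [10.0.0.5] (client.a.com [203.0.113.7])
        by smtp.a.com with ESMTPSA id 1AE42
        for <bob@b.com>; Wed, 13 Jul 2011 10:25:55 +0000
"""

# RFC 3848 "with" keywords that mean the hop ran over TLS: ESMTPS, ESMTPSA,
# UTF8SMTPS, UTF8SMTPSA (a trailing A means the client also authenticated).
TLS_WITH_KEYWORD = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b", re.I)
# Free-form TLS annotations written by common MTAs, e.g. Postfix
# "(using TLSv1.2 with cipher ...)" or Exchange "(version=TLS1_2, cipher=...)".
TLS_ANNOTATION = re.compile(r"\((?:using|version=)\s*TLS", re.I)
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)


def unfold_received(raw_headers: str) -> List[str]:
    """Return each Received: field as a single line, joining folded continuations."""
    fields: List[str] = []
    in_received = False
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t"):
            # Continuation line: only attach it if it belongs to a Received: field.
            if in_received and fields:
                fields[-1] += " " + line.strip()
        elif line.lower().startswith("received:"):
            fields.append(line[len("received:"):].strip())
            in_received = True
        else:
            in_received = False
    return fields


def parse_hop(field: str) -> Dict[str, object]:
    """Extract the from/by/with clauses of one hop and decide whether TLS is evidenced."""
    from_m = FROM_RE.search(field)
    by_m = BY_RE.search(field)
    with_m = WITH_RE.search(field)  # first "with" is the protocol clause, not a cipher note
    tls = bool(TLS_WITH_KEYWORD.search(field) or TLS_ANNOTATION.search(field))
    return {
        "from": from_m.group(1) if from_m else "?",
        "by": by_m.group(1) if by_m else "?",
        "with": with_m.group(1) if with_m else "?",
        "tls": tls,
    }


def audit_received(raw_headers: str) -> List[Dict[str, object]]:
    """Parse the trace oldest hop first and flag each hop as TLS or cleartext."""
    hops = [parse_hop(f) for f in unfold_received(raw_headers)]
    hops.reverse()  # headers are prepended on receipt, so the last one is the first hop
    return hops


def cleartext_hops(raw_headers: str) -> List[str]:
    """Return 'from -> by' descriptions of hops that carry no TLS evidence."""
    return [f"{h['from']} -> {h['by']}" for h in audit_received(raw_headers) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_HEADERS):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>14} -> {hop['by']:<16} {hop['with']:<8} {status}")
    print("cleartext hops:", cleartext_hops(SAMPLE_HEADERS))
```

Two caveats apply when reading the result. Each Received: line is written by the receiving server and describes only the connection it accepted, so a hop shows as cleartext when the MTA either spoke plain SMTP or simply does not record TLS use; "no TLS evidence" is the honest reading. And headers below your own gateway's line were supplied by upstream servers, which can omit or forge them, so only the hops your own infrastructure recorded are trustworthy.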
2 Answers


I do this every day. When you work in healthcare you encrypt everything. We have clients that insist that we move email to them TLS only AND require that our mail filters in the DMZ must use TLS to talk inbound to our main server.

About 50% of our (legit) email comes and goes TLS now since more and more high-end servers have certs and the TLS stuff turned on.

I figure in another 2 years, we'll have turned on the TLS outbound require flag for hundreds of domains; it will be 100% in health, insurance, and finance by then.

Mark
  • 1) Thanks for your report! Highly appreciated! 2) It's interesting to know that you can set a "require encrypted connection" flag on an outbound mail server. Questions: A) If the condition is not met, is the email not sent at all? B) Or does it bounce back to the sender with a note "Encrypted sending was not possible"? And: Does your outbound server send directly to the receiving server? Or are there relays in between? I guess you need a direct connection, else you would only have encryption certainty on the first route section, and uncertainty on the remaining path. – porg Jul 13 '11 at 10:26
  • In our case, we configure a "connector" in Exchange that requires TLS and has the highest priority for their domains. If the connector can't send, it queues up for a few days and then bounces back to the user with a "can't send" message. Hopefully the far end notices their certificate is bad or their mailserver is down in less than 4 days so that never happens. ;-) – Mark Jul 13 '11 at 13:54
  • I missed the second half of your question. If you want to force encryption, you have to do it at the final mail-gateway for your network. In my case, the final Edge Transport (relay) server does that. – Mark Jul 13 '11 at 17:14

It's done occasionally, but I wouldn't call it common by any stretch. I don't think that many SMTP server operators consider securing SMTP transfers to be particularly high priority, especially when there's no customer demand for it (I've seen the occasional RFP mention TLS for POP/IMAP, a very rare one mention it for SMTP submission, but never seen one for TLS on outbound relaying).

womble
  • Thanks for your dry analysis. So it's rather common in certain fields -- e.g. @Mark mentions health care, finance, etc. -- but not yet widespread. – porg Jul 13 '11 at 10:29