
Exchange Online uses opportunistic TLS which works as follows:

By default, Exchange Online always uses opportunistic TLS. This means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then works its way down the list of TLS ciphers until it finds one on which both parties can agree. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections, then by default the message will be sent unencrypted if the recipient organization doesn’t support TLS encryption.

As a non-privileged user (e.g. someone without admin privileges), is there a way to determine if a particular partner organization is configured such that TLS encryption is forced? This is important in my current situation as our company must adhere to some governmental controls when sending certain data and would prefer forced TLS encryption over having to encrypt every attachment by some other means such as GPG:

Opportunistic TLS is sufficient for most businesses. However, for business that have compliance requirements such as medical, banking, or government organizations, you can configure Exchange Online to require, or force, TLS.

An admin account can quickly look at what mail flow connectors are configured to determine this setting, but is there a location or method that a non-privileged user has available to see if TLS encryption is forced or not?

1 Answer

As this is a server-side setting it isn't possible to check the setting without admin access. There might be some "workarounds" for Exchange Server, as most of the configuration is stored in Active Directory and it might (depending on your setup) be possible to check Active Directory via LDAP; however, with Exchange Online this might not work.

A possible option for you might be to use nslookup, get the MX server, then run a telnet against that server and check if they offer STARTTLS (see an example here). But this does not mean that they will also enforce that, but you can try it this way.

By the way, every user can check the mail header and therefore can see if the email was sent via TLS or not. The TLS part in an email might look like:

Received: from p01c11m074.mxlogic.net (mxl144v247.mxlogic.net [2.2.2.2])
    by abc.contoso.com (4.4.4/8.8.8) with ESMTP id r123456789
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <someone@contoso.com>; Mon, 19 Aug 2013 09:41:19 -0500

You see the TLS section inside the email here. However, you do not see if that was enforced or not.

BastianW
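Checking the Received headers by hand, as the answer suggests, does not scale to a mailbox full of messages. The following added example (not from the question or answer, and not Microsoft or Exchange code) parses every Received header of a message and reports, hop by hop, whether the receiving server recorded a TLS session and what it negotiated. The sample message is constructed for the example; the header format it parses is the sendmail-style `(version=... cipher=... bits=... verify=...)` clause shown in the answer, which is an assumption about what your receiving servers log. As the answer notes, a TLS clause proves the hop was encrypted, not that encryption was enforced, and `verify=NOT` means the peer certificate was not validated.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture): the outer hop negotiated
# TLS, the inner hop recorded no TLS clause at all.
SAMPLE_MESSAGE = """\
Received: from p01c11m074.mxlogic.net (mxl144v247.mxlogic.net [2.2.2.2])
    by abc.contoso.com (4.4.4/8.8.8) with ESMTP id r123456789
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
    for <someone@contoso.com>; Mon, 19 Aug 2013 09:41:19 -0500
Received: from internal.example.net (internal.example.net [10.0.0.5])
    by p01c11m074.mxlogic.net with ESMTP id abc123
    for <someone@contoso.com>; Mon, 19 Aug 2013 09:41:10 -0500
From: sender@example.net
To: someone@contoso.com
Subject: test

body
"""

# sendmail-style TLS clause as shown in the answer; bits/verify are optional.
TLS_RE = re.compile(
    r"version=(?P<version>[\w./-]+)\s+cipher=(?P<cipher>[\w-]+)"
    r"(?:\s+bits=(?P<bits>\d+))?(?:\s+verify=(?P<verify>\w+))?"
)
BY_RE = re.compile(r"\bby\s+(\S+)")


def tls_hops(raw_message: str) -> list:
    """One dict per Received header (outermost first): which server received
    the message at that hop, whether it logged TLS, and the TLS details."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold the header into one line
        by = BY_RE.search(text)
        tls = TLS_RE.search(text)
        hop = {"by": by.group(1) if by else None, "tls": tls is not None}
        if tls:
            hop.update(version=tls.group("version"), cipher=tls.group("cipher"),
                       bits=int(tls.group("bits")) if tls.group("bits") else None,
                       verify=tls.group("verify"))  # "NOT" = cert not validated
        hops.append(hop)
    return hops


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every hop in the chain recorded a TLS session."""
    hops = tls_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in tls_hops(SAMPLE_MESSAGE):
        print(hop)
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```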