June 7th, 2012

Enforcing and Detecting TLS Email Encryption on Inbound Messages

SMTP TLS allows email messages to be transmitted from the sender’s email server to the recipient’s over a secure channel that prevents eavesdropping. TLS is an extremely useful and popular technology as it is seamless — the sender and recipient do not have to do anything special — and provides a level of server-to-server security important for compliance, HIPAA, and privacy in general.

Use of SMTP TLS requires that both the sender’s and the recipient’s email servers support it. For example, LuxSci’s servers support TLS and will “talk TLS” to any recipient server that also does.

LuxSci’s servers will happily accept inbound email over TLS; however, because a majority of email service providers still do not support TLS, LuxSci will also accept inbound email that arrives insecurely, without TLS. (There are certain exceptions to this, such as email from banking partners like Bank of America, where we will reject any email from them that is not using TLS.)

Many of our security-conscious customers also want to ensure that people only send messages to them over secure channels. Our SecureLine SecureSend portal is one way to do that — anyone can log in and send free email messages to our SecureLine-enabled users. However, there is no way to stop someone from just “emailing you” anyway, even if the email ends up being insecure.

LuxSci now flags all inbound email messages that arrive over a TLS-secured channel with a special email header (the header “X-Lux-Inbound-TLS: 1” is added to all such messages). We have also added special rules to our “Custom Email Filters” feature that allow users to easily create filters that match or exclude TLS-secured messages and to perform actions based on that criterion, such as:

  • Bounce the message with a simple error
  • Send an auto-response to the sender explaining that their message arrived insecurely and was discarded
  • Flag the message or save it to a special folder
  • etc.

Customers can use this new TLS identification feature to inform senders of the insecure nature of their messages, advertise how to send messages to them securely, organize messages based on security, etc.

How would you go about notifying senders of their non-use of TLS?

Here is a recipe for creating a nice looking robust notification to your senders when they send you messages that do not arrive over TLS.  Note that even if a message arrives without TLS, it could still be secure if it uses other encryption mechanisms (like PGP or S/MIME).

  1. Create an email AutoResponder (under email > My Email Tools > Inbound Email > Email AutoResponders)
    1. Specify the subject of the response
    2. Specify your “Signature” to use (e.g. who the response will be from)
    3. Enter your detailed message to the sender in either plain text or visual HTML markup
    4. Leave it “Inactive”
    5. Indicate that it should respond to “Messages matching selected custom email filters.”
  2. Create a Custom Email Filter (under email > My Email Tools > Inbound Email > Custom Email Filters)
    1. Give it a title and enable it
    2. Have it “Match” “Message received over a TLS-secured channel”
    3. Set the “Action” to “Send AutoResponse” and choose the AutoResponder that you created
    4. Save it.
  3. Optionally create another Filter to delete these messages after the AutoResponse is sent:
    1. Give it a title and enable it
    2. Have it “Match” “Message received over a TLS-secured channel”
    3. Set the “Action” to “Delete message”
    4. Save it.
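The recipe above is expressed through the web interface; the following is an added example (not LuxSci’s code) that makes the same decision in Python from a raw message, using the “X-Lux-Inbound-TLS: 1” header named in this post. It also applies the caveat that a message which is PGP/MIME or S/MIME encrypted is still secure without TLS, and it assumes the receiving server strips any copy of the flag header that a sender supplied, so the flag reflects the final hop rather than the sender’s claim.

```python
# Added example (not LuxSci code): a filter decision modelled on the
# recipe above. Assumes the receiving MTA adds "X-Lux-Inbound-TLS: 1" only
# to mail that arrived over TLS and strips any copy the sender supplied.
from email import message_from_string
from email.message import Message

TLS_HEADER = "X-Lux-Inbound-TLS"  # header named on the page


def arrived_over_tls(msg: Message) -> bool:
    """True when the receiving server flagged the final hop as TLS-secured.
    Only trustworthy if the MTA removes pre-existing copies of this header
    on inbound mail; otherwise a sender could set it themselves."""
    return msg.get(TLS_HEADER, "").strip() == "1"


def end_to_end_encrypted(msg: Message) -> bool:
    """True for PGP/MIME or S/MIME-encrypted bodies, which stay confidential
    even when the transport hop was not TLS (the page's caveat)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True  # RFC 3156 PGP/MIME
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME: only enveloped-data is encryption; signed-data is not
        return msg.get_param("smime-type", "") == "enveloped-data"
    return False


def choose_action(raw_message: str) -> str:
    """Mirror the two filters from the recipe: TLS mail (or mail encrypted
    end to end) is delivered; everything else gets the auto-response and
    is deleted."""
    msg = message_from_string(raw_message)
    if arrived_over_tls(msg) or end_to_end_encrypted(msg):
        return "deliver"
    return "autorespond-and-delete"


# Constructed sample messages (not real mail).
TLS_MAIL = "X-Lux-Inbound-TLS: 1\nFrom: a@example.com\nSubject: t\n\nhello\n"
PLAIN_MAIL = "From: a@example.com\nSubject: t\n\nhello\n"
PGP_MAIL = (
    "From: a@example.com\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b"\n\n--b\nContent-Type: application/pgp-encrypted\n\n'
    "Version: 1\n--b\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----\n--b--\n"
)
```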
