July 28th, 2017

Do you expect email carriers to require TLS v1.2 or better in the future?

Our latest “Ask Erik” question involves the future of TLS delivery:

Hello Erik,

I am aware of an e-mail server of a Carrier that refuses any TLS connections that are not using TLS v1.2. Is it reasonable to expect more Carriers to follow this tack in the future?

Thank you.

This question involves the use of “TLS” to transparently encrypt email communications between email servers over the SMTP protocol. For a little background, see: “All about secure email delivery over TLS”.

TLS v1.2 is the latest stable and finalized version of the SSL and TLS protocols (see “SSL versus TLS: what’s the difference?”). TLS v1.2 fixes many security issues present, to varying degrees, in TLS v1.0 and TLS v1.1, and it has been around for a while now, since 2008. For this reason, its use is highly recommended. Indeed, the PCI (Payment Card Industry) security requirements mandate that all TLS communications use TLS v1.2 or better; anything less is considered non-compliant.

National Institute of Standards and Technology (NIST) recommendations from 2014 already require support for TLS v1.1 and v1.2, and recommend against support for anything below v1.1, for US government-only applications. OWASP best practices recommend using TLS v1.0+.

It would be surprising to see an email service provider accepting only TLS v1.2+ traffic at this point, unless the traffic is US government only or involves credit cards or other highly sensitive data. The problem is that while TLS v1.2 has been around for a very long time, many older mail servers and mail programs do not yet support it. Indeed, many barely support TLS v1.0. By locking down an inbound email server to support only TLS v1.2+, the email service provider is effectively rejecting all email messages from every server that lacks that capability, and that is a great many servers. Indeed, many servers do not support TLS at all for email delivery yet!

So, the author of this question has probably encountered a mail server configured to allow only specific traffic. I would not expect general email service providers to lock down their servers to only TLS v1.2+ for some time, probably several more years at least. However, I would expect to see more and more individual servers locked down to this higher security standard as specific customers’ needs require it, and where cutting off email from less secure senders is deemed acceptable.

In the meantime, for servers that will continue to accept TLS v1.0+, security advantages can be obtained by being careful about which encryption ciphers are supported, e.g., no more “CBC” ciphers. For more information, see: “Which level of TLS is required by HIPAA?”
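The two controls discussed above, a protocol floor (TLS v1.2+) and a cipher restriction (no CBC suites), can be expressed and checked from the sending side with the Python standard library. The script below is an added example written for this page, not code from the original post or from LuxSci; it builds a client `ssl.SSLContext` for outbound STARTTLS with those constraints, verifies offline that no non-AEAD (CBC-mode) suite remains enabled, and optionally probes a mail server to report what it actually negotiates. The cipher string `AEAD_ONLY_CIPHERS`, the helper names, and the placeholder host `mail.example.invalid` are assumptions of this example.

```python
import smtplib
import socket
import ssl

# Assumed policy for this example: offer only AEAD suites (AES-GCM and
# ChaCha20-Poly1305) with forward-secret key exchange, which leaves no
# CBC-mode suite available to negotiate.
AEAD_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"


def build_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context for outbound STARTTLS: verifies the server certificate
    against the system trust store, refuses anything below min_version and
    offers only the AEAD cipher suites listed above."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    ctx.set_ciphers(AEAD_ONLY_CIPHERS)
    return ctx


def non_aead_ciphers(ctx):
    """Names of enabled suites that are not AEAD, i.e. CBC-mode suites with an
    HMAC. An empty list means the CBC restriction holds for this context."""
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def version_allowed(negotiated, min_version=ssl.TLSVersion.TLSv1_2):
    """True when a protocol name as returned by SSLSocket.version(), e.g.
    'TLSv1.2', meets the configured floor."""
    order = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    floor = {
        ssl.TLSVersion.SSLv3: "SSLv3",
        ssl.TLSVersion.TLSv1: "TLSv1",
        ssl.TLSVersion.TLSv1_1: "TLSv1.1",
        ssl.TLSVersion.TLSv1_2: "TLSv1.2",
        ssl.TLSVersion.TLSv1_3: "TLSv1.3",
    }[min_version]
    return negotiated in order and order.index(negotiated) >= order.index(floor)


def probe_starttls(host, port=25, min_version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """Connect to a mail host, upgrade with STARTTLS under the strict context and
    report the negotiated protocol and suite. 'ok' is False when the server
    cannot meet the policy: no STARTTLS offered, handshake refused, or a
    negotiated version below the floor. Network and DNS errors are reported
    rather than raised."""
    ctx = build_client_context(min_version)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"ok": False, "reason": "server does not advertise STARTTLS"}
            smtp.starttls(context=ctx)
            version = smtp.sock.version()
            cipher = smtp.sock.cipher()[0]
            return {"ok": version_allowed(version, min_version),
                    "version": version, "cipher": cipher}
    except (ssl.SSLError, smtplib.SMTPException, socket.error) as exc:
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    strict = build_client_context()
    print("minimum version:", strict.minimum_version.name)
    print("non-AEAD suites still enabled:", non_aead_ciphers(strict))
    # Placeholder host; replace with a mail server you operate to see what it negotiates.
    print(probe_starttls("mail.example.invalid", timeout=5))
```

Run against your own MX host, `probe_starttls` returns `ok: False` with an `SSLError` reason when the peer only offers TLS v1.0/1.1 or only CBC suites, which is exactly the delivery failure a receiving server creates for older senders when it enforces the stricter policy described above.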
