Secure TLS Email for Bank of America Partners

August 28th, 2013

Several years back, we discussed Enforcing Email Security with TLS when Communicating with Banks. This is a critical stipulation for many banks that have strict requirements that all email messages be encrypted in transit via TLS when communicating with them.

Bank of America

Bank of America (BoA) is a case in point.  Their requirements are as follows:

  • Your email servers must always use TLS (Transport Layer Security) to encrypt all messages that will be delivered to any of Bank of America’s email servers (or any of its subsidiaries).  I.e. the use of TLS must be enforced. The list of email servers involved is quite long and is updated frequently.
  • Your email servers must support opportunistic TLS encryption for all inbound email messages.
  • You cannot use any intermediate email filtering agent that does not permit enforcing TLS when delivering email from its servers to your servers.

With these requirements, and the fact that Bank of America will configure its servers to enforce use of TLS when delivering to your servers, all email sent between your users and BoA will be encrypted, period.  If a misconfiguration leaves some server involved in the process without proper TLS support, messages will not flow at all.  We have only run across a couple of cases where there is no delivery because of false TLS claims.  We then either allow that particular server or accept it as the customer sees fit.  This conservative approach is in line with Bank of America’s guidelines, and suits any security-conscious entity that prefers non-delivery over insecure delivery.

Bank of America and LuxSci

For many years now, LuxSci and Bank of America have been partners for continued support of BoA’s policy-mandated TLS.  For all BoA’s customers using any LuxSci servers and services, LuxSci ensures that:

  • All of our servers communicate with Bank of America’s servers using forced TLS.
  • LuxSci updates its list of Bank of America servers automatically any time BoA publishes changes on its TLS security notification list, to which LuxSci is a subscriber.
  • LuxSci supports opportunistic TLS for all inbound email from any email server.
  • LuxSci requires that all Bank of America email servers communicate with its servers only using TLS.  This is not required by BoA’s security policy, but improves the security even further.
  • LuxSci will automatically use TLS for communicating with any email server on the Internet that says that it supports TLS (and will not deliver the message if this TLS connection fails for any reason).
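
The outbound rules in the list above (forced TLS for the bank's servers, TLS whenever a server advertises it, no plaintext fallback after a failed handshake) can be expressed as one decision function. This is an added example, not LuxSci's code; the domain names, EHLO replies and function names are constructed for illustration.

```python
# Added example: constructed domains and EHLO replies, not LuxSci's code or server list.
FORCED_TLS_DOMAINS = {"bank.example"}  # placeholder for the bank's published list

# Constructed SMTP EHLO replies (multi-line 250 responses).
EHLO_WITH_TLS = "250-mx.bank.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.partner.example\r\n250-SIZE 52428800\r\n250 8BITMIME"


def advertises_starttls(ehlo_reply):
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    lines = ehlo_reply.splitlines()
    for line in lines[1:]:  # first line is the server greeting, not an extension
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


def is_forced(rcpt_domain):
    """True if the recipient domain, or a parent of it, is on the forced-TLS list."""
    d = rcpt_domain.lower().rstrip(".")
    return any(d == f or d.endswith("." + f) for f in FORCED_TLS_DOMAINS)


def delivery_decision(rcpt_domain, ehlo_reply, handshake_ok=False):
    """Return 'tls', 'plaintext' or 'defer' for one outbound delivery attempt.

    handshake_ok is the outcome of the STARTTLS negotiation and is only
    consulted when the server advertised STARTTLS.
    """
    if advertises_starttls(ehlo_reply):
        # Advertised TLS must succeed; a failed handshake never falls back
        # to plaintext, for forced and non-forced domains alike.
        return "tls" if handshake_ok else "defer"
    # No STARTTLS offered: forced domains get non-delivery, others plaintext.
    return "defer" if is_forced(rcpt_domain) else "plaintext"


if __name__ == "__main__":
    for args in [("bank.example", EHLO_WITH_TLS, True),
                 ("mail.bank.example", EHLO_NO_TLS),
                 ("partner.example", EHLO_NO_TLS),
                 ("partner.example", EHLO_WITH_TLS, False)]:
        print(args[0], "->", delivery_decision(*args))
```

The second case is the one forced TLS exists for: a reply with no STARTTLS line for a listed domain yields non-delivery instead of a silent plaintext send.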

What does this mean to a Bank of America Partner?

Bank of America Partners who are required to abide by BoA’s TLS policy can use LuxSci’s email services and not have to worry about server configurations, dealing with updates, etc.  Use of LuxSci, following the guidelines below, automatically ensures that you are compliant with Bank of America’s policy-mandated TLS.

Requirements for a LuxSci Customer who is a BoA Partner:

  • Check the check box in your Advanced Account Administration area to “Force SSL” usage for all users of your account.  This ensures that all users will always use secure POP, IMAP, SMTP, and WebMail connections when communicating with LuxSci’s servers.  Note, this is the default setting for all new accounts.
  • If you use LuxSci’s Premium Spam and Virus Filtering service, run by LuxSci’s partner company, McAfee, you must ensure that your McAfee configuration is set up to use “Forced TLS” with your LuxSci servers.  This ensures that all email delivered from McAfee to LuxSci will be encrypted.
  • If secured communication is necessary (that is, non-public or otherwise sensitive information will be sent via email), Customers must contact the Bank of America associate with whom they correspond to pursue a secured email communications arrangement with Bank of America.  Requests to establish TLS with Bank of America must be formally submitted by a Bank of America associate using an internal process.  Once the Bank receives the request from the Bank associate, it reviews the request and determines whether such an arrangement is justified.  Barring review, the Bank will proceed with the request and perform formal testing with the Customer as part of its procedures.  This testing involves a few simple exchanges of email between the Customer’s LuxSci email account and the Bank so that the Bank may verify that secured TLS communication is in compliance.

If you are a BoA partner in need of email that meets BoA’s security requirements or another financial institution interested in setting up a similar arrangement with LuxSci, please Contact Sales.