SMTP TLS: All About Secure Email Delivery over TLS

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Sockets Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says “Let’s talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this: they negotiate a protocol version, a cipher and session keys, and Computer B presents its certificate. This exchange is the TLS “handshake”; its messages are visible to an eavesdropper, but the keys that come out of it are not (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B by examining the SSL certificate that B must present during the handshake. This only happens if Computer A is configured to check the certificate; many mail servers accept any certificate, including self-signed ones, and then get encryption without any assurance of who is on the other end
  • The conversation cannot be eavesdropped upon without Computer A knowing (again, provided A verifies the certificate; otherwise an attacker in the path could pose as Computer B)
  • The conversation cannot be modified by a third party
  • Other information cannot be injected into the conversation by third parties.

TLS (and SSL) is used for many different purposes on the Internet and, when used, helps make it a more secure place. One of the common uses of TLS is with SMTP, to transmit email messages between servers securely.

TLS with SMTP

The mechanism and language (i.e. protocol) by which one email server transmits email messages to another email server is called SMTP (Simple Mail Transfer Protocol). For a long time now, email servers have had the option of using TLS to transparently encrypt the message transmission from one server to the other: the receiving server advertises the STARTTLS extension (RFC 3207) in its reply to the sender’s EHLO command, and the sending server then asks to switch the already-open connection to TLS before it transmits the message.

Use of TLS with SMTP, when available, ensures that the message contents are secured during transmission between those two servers. That is all it covers: the message is not protected by TLS while it sits on either server, and if it is forwarded on to a third server, that hop negotiates its own, separate TLS session (or none).

Not all servers support TLS!

Use of TLS requires that the server administrators:

  1. obtain one or more SSL certificates (purchased from a certificate authority, or self-signed if the peers will accept that)
  2. configure the email servers to use them (and keep these configurations updated, since certificates expire)
  3. allocate additional computational resources on the email servers involved.

For these reasons, many email providers, especially free or public ones, have in the past not supported TLS at all.  Over the last few years, however, the trend has been to add TLS everywhere. Now, the majority of providers do support TLS.

For TLS transmission to be used, the destination email server must “advertise” support for TLS (see: How to Tell Who Supports TLS for Email Transmission) and the sending computer or server must be configured to use TLS connections when possible.

The sending computer or server could be configured for:

  1. No TLS: never use it.
  2. Opportunistic TLS: use it if it is available; if not, send insecurely. “Available” here means “advertised by the destination server at connection time”, and that advertisement travels unencrypted, so anyone able to tamper with the opening of the conversation can remove it and cause the sender to fall back to cleartext without noticing.
  3. Forced TLS: use TLS or do not deliver the email at all.
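The three policies above, as an added example that is not part of the original page and is not LuxSci’s software: Python code that reads the destination server’s reply to EHLO (a constructed transcript here), decides what each policy would do with it, and, for live use, applies that decision with the standard smtplib module. The hostnames are made up; the two functions that open real network connections are included for live checks and are not exercised offline.

```python
"""Deciding whether a delivery will use STARTTLS under each sending policy.

Added example, not LuxSci code.  The EHLO transcripts are constructed; the two
functions that open real connections are included for live use and are not
exercised offline.
"""
from __future__ import annotations

import re
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    NONE = "none"                    # 1. never use TLS
    OPPORTUNISTIC = "opportunistic"  # 2. use TLS if advertised, else send in the clear
    FORCED = "forced"                # 3. use TLS or do not deliver at all


def parse_ehlo(reply: str) -> set[str]:
    """Extract the extension keywords from a multi-line 250 reply to EHLO.

    The first 250 line carries the receiving server's hostname and greeting, not
    an extension, so it is skipped; each later "250-KEYWORD" or "250 KEYWORD"
    line names one capability (RFC 5321 section 4.1.1.1).
    """
    status_lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    exts: set[str] = set()
    for line in status_lines[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def decide_delivery(ehlo_reply: str, policy: TlsPolicy) -> str:
    """Return "tls", "cleartext" or "refuse" for this EHLO reply under the policy."""
    advertised = "STARTTLS" in parse_ehlo(ehlo_reply)
    if policy is TlsPolicy.NONE:
        return "cleartext"
    if advertised:
        return "tls"
    return "cleartext" if policy is TlsPolicy.OPPORTUNISTIC else "refuse"


# Constructed transcript of the unencrypted opening of a session: the receiving
# server's reply to EHLO when it supports STARTTLS ...
EHLO_WITH_STARTTLS = """250-mx.example.net Hello sender.example.org
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

# ... and the same reply without the STARTTLS line.  This is what a sender sees
# both from a server that has no TLS and from a TLS-capable server whose offer an
# on-path attacker deleted; an opportunistic sender cannot tell the cases apart.
EHLO_WITHOUT_STARTTLS = EHLO_WITH_STARTTLS.replace("250-STARTTLS\n", "")


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect to a real MX and report whether it advertises STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def send_with_policy(host: str, sender: str, rcpt: str, msg: bytes,
                     policy: TlsPolicy) -> str:
    """Live delivery applying the policy; returns how the message was (not) sent.

    Forced delivery verifies the certificate against the hostname, because an
    encrypted session with an unverified peer says nothing about who is on the
    other end.  Opportunistic delivery, as most MTAs implement it, accepts any
    certificate; that still defeats passive eavesdropping, nothing more.
    """
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        smtp.ehlo()
        used_tls = False
        if policy is not TlsPolicy.NONE and smtp.has_extn("starttls"):
            ctx = ssl.create_default_context()
            if policy is TlsPolicy.OPPORTUNISTIC:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities must be re-read once the channel is encrypted
            used_tls = True
        elif policy is TlsPolicy.FORCED:
            return "refuse"
        smtp.sendmail(sender, rcpt, msg)
        return "tls" if used_tls else "cleartext"
```

The second EHLO after `starttls()` is not optional: the capabilities learned before encryption came from an untrusted channel and smtplib discards them, so anything that depends on them (SIZE, authentication) must be re-negotiated inside TLS.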

How Secure is SMTP TLS?

TLS protects the transmission of the content of email messages. It does nothing for protecting the security of the message before it is sent or after it arrives at its destination.  For that, other encryption mechanisms may be used, such as PGP, S/MIME, or storage in a secure portal.

However, transmission security is all that is required of many organizations (e.g. banks and HIPAA-covered health care) when sending to customers. In such situations, enforced use of TLS is a good alternative to stronger and less user-friendly encryption methods (like PGP and S/MIME) and can prevent the insecure delivery of email.

The transmission itself is as secure as can be negotiated between the sending and receiving servers. Each server is configured with the protocol versions and ciphers it will accept; the sender offers its list, and the receiver picks from that offer, so a strong cipher such as AES-256 is used only when it is on both lists and is preferred over the other options they have in common. If there is no overlap at all, TLS negotiation fails (this is rare).

What about Replies to Secure Messages?

Let’s say that you send a message to someone and that it is delivered to his/her Inbox over TLS. That person then replies back to you. Will that reply be secure? This may be important if you are communicating sensitive information. The reply will use TLS for security if:

  1. The recipient’s servers do support TLS for outbound email (there is no way to test this externally)
  2. Your mail servers (where your “From” or “Reply” email address is hosted) support TLS for inbound email
  3. Both servers support overlapping TLS ciphers and protocols so they can agree on a mutually acceptable means of encryption

In general unless you are familiar with the providers in question, you cannot assume that such replies will use TLS.  There are two ways of looking at this problem:

  1. Conservatively. If you must proactively ensure that replies are secure in all cases, then assuming TLS will be used is probably not a good assumption. In this case, you should use a service (like SecureLine Escrow) whereby your messages are encrypted and stored in a secure portal where the recipient must go to view the message and reply securely. Or, you and your recipients can go the extra mile and set up PGP or S/MIME for use.
  2. Aggressively. In some compliance situations like HIPAA, it can be argued that it is up to the sender to send messages securely if needed. E.g. while doctors need to be sure that ePHI is sent securely to patients, patients themselves are not beholden to HIPAA and can send their information insecurely to anyone they want. So, if the patient’s reply is insecure, “that could be OK”. If the recipient is another organization that falls under the HIPAA umbrella, then it is up to them to ensure that everything they send (e.g. their replies) is secure. For these reasons, and because use of TLS for email security is so “easy”, many just do not worry about the security of the email replies.

    However, this should be a “Risk Factor” that you consider in any internal security audit: is the risk of insecure replies acceptable given the possible data exposure in your organization’s practices?

What about TLS at LuxSci?

Inbound TLS

LuxSci inbound email servers support TLS for encrypted inbound email delivery from any sending email provider that also supports that.

For selected organizations, e.g. Bank of America, LuxSci also locks down its servers so that it only accepts email from them if it is delivered over TLS.

Outbound Opportunistic TLS

LuxSci outbound email servers will always use TLS with any server that claims to support it and with which we can talk TLS v1.0+ using a strong cipher. If the TLS connection to such a server fails (due to misconfiguration or no security protocols in common), the message will not be sent; in that respect this is stricter than textbook opportunistic TLS, which would fall back to cleartext.

Outbound opportunistic TLS encryption is automatic for all LuxSci customers, even those without SecureLine.

Support for strong encryption, up to AES-256

LuxSci servers will use the strongest encryption supported by the recipient’s email server that is also considered strong. LuxSci servers will never employ an encryption cipher that uses less than 128 bits (they will fail to deliver rather than deliver via an excessively weak encryption cipher) and they will never use SSL v2 or SSL v3.
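To show how a floor like this interacts with the negotiation described under “How Secure is SMTP TLS?” above, an added example that is not LuxSci’s code: a small model in which the sender strips banned protocol versions and weak suites from its offer before the handshake and the receiver then chooses from what is left, run against constructed descriptions of three receiving servers, followed by the equivalent real Python `ssl` configuration for an outbound mail server. The server descriptions, cipher lists and names are constructed for illustration.

```python
"""How the two servers settle on a protocol version and cipher, with the sender
applying the floor described above: no SSLv2/SSLv3, nothing under 128 bits.

Added example, not LuxSci code.  The server descriptions are constructed; the
OpenSSL configuration at the end is real and is what an outbound MTA written in
Python would use to express the same policy.
"""
import ssl

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_STRENGTH_BITS = 128
# Key length alone is not enough: RC4 is nominally 128-bit yet broken, so the
# floor also rejects suites built on broken primitives.
BANNED_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def acceptable(name: str, bits: int) -> bool:
    """Does this cipher suite satisfy the sender's floor?"""
    return bits >= MIN_STRENGTH_BITS and not any(t in name.upper() for t in BANNED_TOKENS)


def negotiate(sender: dict, receiver: dict):
    """Model the handshake.  Each side is {"protocols": set, "ciphers": [(name, bits), ...]}
    with ciphers listed in that side's preference order.

    The sender (TLS client) offers only what its policy allows; the receiver
    (TLS server) then picks from that offer in its own preference order, which is
    why the result is not automatically the strongest suite the sender knows.
    Returns (version, cipher), or None when there is no overlap, in which case
    the handshake fails and a Forced-TLS sender holds the message.
    """
    offered_versions = sender["protocols"] - BANNED_PROTOCOLS
    common = [v for v in PROTOCOL_ORDER if v in offered_versions and v in receiver["protocols"]]
    if not common:
        return None
    version = common[-1]  # highest version both sides support
    offered = {name for name, bits in sender["ciphers"] if acceptable(name, bits)}
    for name, _bits in receiver["ciphers"]:
        if name in offered:
            return version, name
    return None


# Constructed outbound server: a broad list, including legacy suites that the
# policy must strip before they ever reach the wire.
SENDER = {
    "protocols": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "ciphers": [
        ("ECDHE-RSA-AES256-GCM-SHA384", 256),
        ("ECDHE-RSA-AES128-GCM-SHA256", 128),
        ("AES128-SHA", 128),
        ("DES-CBC3-SHA", 112),   # under the 128-bit floor
        ("RC4-MD5", 128),        # 128 bits on paper, broken in practice
    ],
}

# Constructed receivers: one modern, one stuck on SSLv3, one with a modern
# protocol version but only legacy ciphers.
MODERN_RECEIVER = {
    "protocols": {"TLSv1.2", "TLSv1.3"},
    "ciphers": [("ECDHE-RSA-AES128-GCM-SHA256", 128), ("ECDHE-RSA-AES256-GCM-SHA384", 256)],
}
SSLV3_RECEIVER = {"protocols": {"SSLv3"}, "ciphers": [("RC4-MD5", 128), ("AES128-SHA", 128)]}
LEGACY_CIPHER_RECEIVER = {"protocols": {"TLSv1.2"}, "ciphers": [("DES-CBC3-SHA", 112), ("RC4-SHA", 128)]}


def sender_context() -> ssl.SSLContext:
    """The same floor as real OpenSSL configuration for an outbound MTA: TLS 1.2
    or newer (modern OpenSSL no longer builds SSLv2/SSLv3 at all) and a cipher
    string limited to HIGH-strength suites without RC4, 3DES or MD5."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weakest_offered_bits(ctx: ssl.SSLContext) -> int:
    """Smallest key strength the context would ever agree to, read back from OpenSSL."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())
```

Against the modern receiver the model settles on TLS 1.2 with AES-128-GCM even though both sides know AES-256-GCM, because the receiver prefers the 128-bit suite; which side’s preference wins is a server-side configuration choice, not something the sender controls. The SSLv3-only receiver gets no session at all once the sender refuses to offer SSLv3, which is the “fail to deliver rather than deliver weakly” outcome described above.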

Forced TLS

LuxSci servers use “Forced TLS” with recipient servers that support TLS if email is being sent to those servers from any SecureLine account using TLS-Only delivery services (outbound email or forwarding). This ensures that messages will never be delivered insecurely to such servers, even in the case that they stop supporting TLS suddenly.

Forced TLS is also in place for all LuxSci customers sending to certain Banks and organizations that have requested that we globally enforce TLS to their servers.

Does LuxSci have any other Special TLS Features?

When using SecureLine for outbound email encryption:

  1. Try TLS: Account administrators can choose to have secure messages “try TLS first” and deliver that way.  Only if TLS is not available would the messages fall back and use more secure options like PGP, S/MIME, or Escrow.  This makes email security easy, seamless, and automatic when communicating internally or with others who support TLS.
  2. TLS Only Forwarding: Account administrators can restrict any server side email forwarding settings in their accounts from allowing forwarding to any email addresses which do not support TLS for email delivery.
  3. When TLS delivery is enabled for SecureLine accounts, messages will never be insecurely sent to domains that purport to be TLS-enabled. I.e. TLS delivery is enforced and no longer “opportunistic”.  The system monitors these domains and updates their TLS-compliance status daily.
  4. Double Encryption: Messages sent using SecureLine and PGP or S/MIME will still use Opportunistic TLS whenever possible for message delivery.  In these cases, messages are often “double encrypted”.  Encrypted first with PGP or S/MIME, and then that secure message may be encrypted again during transport using TLS.
  5. No Weak TLS. Unlike many organizations, LuxSci’s TLS support for SMTP and other servers only supports those protocol levels (e.g. TLS v1.0+) and ciphers that are recommended by NIST for government communications and which are required for HIPAA. So, all communications with LuxSci servers will be over a compliant implementation of TLS. (This guidance moves over time: the current NIST recommendation, SP 800-52 Rev. 2, requires TLS 1.2 or later, so a floor of TLS 1.0 would no longer be considered compliant.)

For customers whose security or compliance needs allow TLS to be a sufficient form of email encryption, it enables seamless, “use email as usual” security. SecureLine with Forced TLS enables clients to take advantage of this level of security whenever possible, while automatically falling back to other methods when TLS is not available.

Of course, use of Forced TLS as the sole method of encryption is optional; if your compliance needs are stronger, you can disable TLS-Only delivery or restrict it so that it is used only with specific recipients.
