smtp tls Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘smtp tls’

A Brief Guide to HIPAA-Compliant SMTP Relaying

Friday, August 10th, 2018

Simple Mail Transfer Protocol (SMTP) is a way in which email travels across the internet. An SMTP relay is a mail server that passes on your email message to another server that can transfer your message to the intended recipient. Email providers like Gmail own and manage SMTP servers; some allow you to connect to their servers directly while others require you to send email via their webmail applications. In the latter case, providers are also safeguarding against the risk of companies sending several emails in a short period of time and engaging in spamming.

Providers that allow direct access to their SMTP servers may or may not support SMTP relaying. ‘Support’ means that you can connect to their SMTP server to send outbound email to recipients whose email is not managed by the provider (e.g., they handle email for luxsci.net addresses but not yahoo.com).


SMTP authentication versus Secure SMTP

To avoid the risk of hackers spamming users, many email providers require authentication (e.g., via a username and password) to use their SMTP servers. Some providers may go beyond SMTP authentication and offer Secure SMTP, encrypting the communication between your computer and their server using SSL/TLS protocols. This way, the contents of your email message cannot be read along the transmission channel to the SMTP relay server.

Read the rest of this post »

SMTP TLS: All About Secure Email Delivery over TLS

Monday, October 2nd, 2017

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says “Let’s talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • The conversation cannot be modified by a third party
  • Other information cannot be injected into the conversation by third parties.

Basic email security starts with SMTP TLS

TLS (and SSL) is used for many different reasons on the Internet and helps make the Internet a more secure place, when used. One of the popular uses of TLS is with SMTP for transmitting email messages between servers in a secure manner.  See also:

Read the rest of this post »

Stopping Forged Email 4: Your Last Resorts

Wednesday, March 4th, 2015

In previous posts we have examined how hackers and spammers can send forged email and how it can be extremely difficult to differentiate these messages from legitimate messages. We have looked at the various common anti-fraud techniques such as SPF, DKIM, and DMARC and seen that, while these technologies can help a lot, they all have limitations; they all require strict and proper setup by the owner of the purported sender’s domain, and they must be well supported by your own spam filtering system.

Yet even with these technologies, it’s not hard in many cases for a determined attacker to send you a forged, fraudulent email message that still looks and feels legitimate.

What else can you do to validate email messages and protect yourself from phishing or social engineering attacks?

Read the rest of this post »

SMTP TLS vs Secure Message Pick Up: Which is Better for HIPAA?

Wednesday, November 12th, 2014

There are many methods for sending an email message securely.  These generally vary in terms of the degree of security vs how easy they are to set up and use.  The two most common email encryption methods include:

  • SMTP TLS: Encrypting the message only while it is transmitted between the sender’s and the recipient’s servers.  See: SMTP TLS: All about secure email delivery over TLS.  Note that SMTP TLS is only supported by some email service providers.
  • Secure Message Pickup: Sending the recipient an email notice with a link. The recipient clicks on the link and goes to a secure web site to authenticate and access the message. (LuxSci calls this method “Escrow”.) Secure Message Pickup allows one to send a secure message to anyone.

Other methods, such as PGP and S/MIME, are also in wide use.  However, these require a lot more setup and collaboration between the sender and recipient.  The above two methods are most commonly used for sending messages to people that you have not otherwise communicated with.

So, which is better?  How does that answer change when HIPAA compliance is involved?

Read the rest of this post »

Who does not support SMTP TLS for Secure Inbound Email Delivery?

Thursday, November 7th, 2013

Note: lists below have been updated as of 9/11/2015.

We are frequently asked how common support for SMTP TLS is for securing inbound email delivery to recipients across the Internet. This is especially important for customers who need to be HIPAA compliant, as email transport encryption over TLS is sufficient for HIPAA compliant communications to end users, so long as the TLS is configured to be sufficiently strong.

While it is possible to tell who supports TLS, it is somewhat technical to do yourself. So, we have assembled a table with many of the popular free / public email domains in use across the Internet and indicated which currently (as of January 14th, 2015) support SMTP TLS for inbound email.

The results are surprising. A majority of domains these days do support TLS, and with Microsoft’s recent TLS implementation on its email domains (hotmail.com/live.com/outlook.com), this rounds out consistent TLS support (for inbound delivery–outbound may or may not be supported) for all of the most popular free email providers (e.g. aol.com, gmail.com, yahoo.com, hotmail.com).

Read the rest of this post »
