Posts Tagged ‘smtp’
Opportunistic TLS for SMTP
Tuesday, December 15th, 2020If you want to make sure your emails are secure and private, opportunistic TLS for SMTP won’t quite cut it. To explain why, first we have to step back a bit.
Most people don’t put a lot of thought into how their emails are sent and received, so it’s not unusual for them to think it works akin to teleportation or magic–that messages somehow just appear right in their inboxes.
While the rapid delivery speeds may seem to justify such presumptions, there are actually a bunch of steps under the hood. When you send an email, it uses a protocol called the Simple Mail Transfer Protocol (SMTP) to make its way through to your recipient’s server. From there, your recipient uses another protocol such as ActiveSync, POP3, MAPI, or IMAP, or a Web-based interface, to pick it up and read it.
Unfortunately, these aren’t always secure by default. Under its original design, emails are sent as plaintext. This means that anyone along the email’s journey can see (and even change) their contents. This can include those in charge of the servers, the government, and even hackers that intercept the data.
Thankfully, engineers weren’t completely oblivious to this glaring security hole, and they have introduced a number of mechanisms that can be leveraged to protect email.
Read the rest of this post »
Email Templates for SMTP and API Secure Email Sending
Wednesday, March 18th, 2020Server-side email templates that can be utilized when sending email messages through LuxSci’s APIs and LuxSci’s SMTP services are now available. In particular, users can:
- Create and manage up to 100 templates per user through LuxSci’s web site or via API commands.
- Templates can not only define the subject and bodies of the messages that use them, they can also control how these messages will be encrypted (or not).
- Send messages using templates via API commands or SMTP — so message content can be retrieved from the server-side templates rather than sent with every message
- Use dynamic place holders so the template content can be customized on a per-message basis (i.e., like “mail merge”).
- Send unique per-message attachments that will be attached to the template-derived messages.
That’s it — templates made simple.
How Can You Tell if an Email Was Transmitted Using TLS Encryption?
Tuesday, October 29th, 2019Frequently, we are asked to verify if a sent or received email was encrypted using SMTP TLS during transmission. For example, banks, healthcare organizations under HIPAA, and other security-aware institutions require that emails be secured by TLS encryption.
Email should always be transmitted with this basic level of email encryption to ensure that the email message content cannot be eavesdropped upon. To see if a message was sent securely, looking at the raw headers of the email message in question is easy. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.
To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will see that Hotmail did not use TLS when sending this message. Hotmail is not a good provider to use when security or privacy are required.
Read the rest of this post »
Stronger Email Security with SMTP MTA STS: Strict Transport Security
Wednesday, July 25th, 2018Email transmission between servers has historically been extremely insecure. A new draft internet standard called “SMTP Strict Transport Security” or “SMTP MTA STS” is aiming to help all email providers upgrade to a much more secure system for server-to-server mail transmission. This article lays out where we are currently in terms of email transmission security and how SMTP MTA STS will help.
Email servers (a.k.a. Mail Transmission Agents or “MTAs”) talk to each other using the Simple Mail Transmission Protocol (SMTP). This protocol, developed in 1982, originally lacked any hint of security. As a result, a lot of the email shooting around the internet is still transmitted in plain text. It is easily eavesdropped on, easily modified, untrusted and not private.
Back in 2002, an extension to SMTP called “STARTTLS” was standardized. This extension permitted servers to “upgrade” SMTP communications from plain text to an encrypted TLS-secured channel, when both servers supported compatible levels of TLS. This process is known as SMTP TLS. In principle, this security addition was really great. The “TLS” used is the same encryption method used by your web browsers to talk to secure web sites (e.g., banks, Amazon, your email provider, etc.). Your web browsers do relatively good job making sure that connections to these secure sites are safe. I.e., they seek to ensure that there is encryption, that the encryption is sufficiently strong, and that there is no one actively eavesdropping on your connections.
Read the rest of this post »