Implementing SMTP TLS helps secure email in transit. It may be a regulatory requirement or simply an initiative to secure your email infrastructure. The implementation is simple, but there are a few things to keep in mind, and my suggestion is to test everything before you implement.
Must Have:
- Choice of implementation: TLS can be implemented as opportunistic or mandatory; make sure you know how to configure each on your MTA. Start with opportunistic, monitor the traffic, and only then make it mandatory.
- For incoming TLS: procure a digital certificate for your MX endpoints.
- For example: if the MX record of xyz.com points to abc.xyz.com and cde.xyz.com, then your certificate must list both names in its Subject Alternative Name (SAN) field, or you can procure a wildcard certificate for *.xyz.com; install it on your MX servers.
- For outgoing TLS: you don't need any certificate; you only have to configure your MTA, and again start with opportunistic before moving to mandatory.
More Points:
- No certificate installation is needed to enable outgoing TLS, but you may have to work with the recipient domain's email admin if you are going to force TLS. Ideally, admins start with opportunistic TLS, because from an operational perspective it would be very tough to coordinate with each and every new recipient domain, or else lose email delivery. If it is a regulatory requirement, then you have no choice but to enable forced TLS.
- TLS can work with a self-signed certificate as well, but a certificate from a public CA is recommended: if the sending MTA is configured to verify certificates, a self-signed certificate will fail because its authenticity cannot be validated.
- Opportunistic TLS first looks for the STARTTLS SMTP verb during the SMTP conversation with the recipient domain; if STARTTLS is not offered, it sends the mail over an unencrypted connection.
SMTP TLS in Action:
SMTP uses the STARTTLS verb for SMTP TLS. It must be advertised by a domain's MX servers to show they are willing to accept SMTP TLS traffic:
In this example, wordpress.com has published its MX record, and if we make an SMTP connection to mail.automattic.com, the server responds with its supported SMTP verbs, and STARTTLS is among them.
Here is the image of the wordpress.com MX record and SMTP connection:
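As an added example (not code from the original post), the following Python script shows the two checks discussed above: parsing an EHLO reply to see whether STARTTLS is advertised and deciding how an opportunistic versus a mandatory policy treats a server that does not offer it, and checking whether a certificate's SAN list (including a *.xyz.com wildcard) covers every hostname in an MX record. The EHLO replies and hostnames are constructed; `probe_starttls_live` is a hypothetical helper that performs the same check against a real MX host over the network and is not exercised here.

```python
import smtplib
import ssl

# Constructed EHLO replies modelled on typical MTA output (not captured from any real server).
EHLO_WITH_STARTTLS = b"""250-mx1.example.test Hello client.example.test
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 HELP"""

EHLO_WITHOUT_STARTTLS = b"""250-mx2.example.test Hello client.example.test
250-SIZE 52428800
250-8BITMIME
250 HELP"""


def parse_ehlo_extensions(raw):
    """Return the set of extension keywords from a multi-line 250 EHLO reply.
    The first line is the server greeting; each following '250-' / '250 ' line
    names one extension (e.g. 'STARTTLS', 'SIZE 52428800')."""
    lines = raw.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' or '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_starttls(raw):
    """True when the receiving MX offers the STARTTLS verb."""
    return "STARTTLS" in parse_ehlo_extensions(raw)


def delivery_decision(raw, mode):
    """How a sending MTA treats a server, given its EHLO reply and a policy.
    mode is 'opportunistic' (fall back to plaintext) or 'mandatory' (never
    deliver in the clear; the message is deferred until TLS is available)."""
    if advertises_starttls(raw):
        return "encrypt"
    if mode == "opportunistic":
        return "plaintext"
    if mode == "mandatory":
        return "defer"
    raise ValueError("mode must be 'opportunistic' or 'mandatory'")


def san_covers_host(san_names, hostname):
    """Does a certificate's SAN list cover this MX hostname?
    Exact match, or a '*.' wildcard that matches exactly one leftmost label
    (so '*.xyz.com' covers abc.xyz.com but not a.b.xyz.com or xyz.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # '.xyz.com'
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def uncovered_mx_hosts(san_names, mx_hosts):
    """MX hostnames the certificate would NOT be valid for; this list must be
    empty before a verifying sender will accept the certificate."""
    return [h for h in mx_hosts if not san_covers_host(san_names, h)]


def probe_starttls_live(mx_host, port=25, timeout=10):
    """Hypothetical helper: the same check against a real MX over the network.
    Returns (starttls_offered, subjectAltName_tuple_or_None). The default
    context verifies the chain and hostname, so a self-signed certificate
    raises ssl.SSLCertVerificationError here, as a verifying sender would see."""
    context = ssl.create_default_context()
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, None
        smtp.starttls(context=context)
        smtp.ehlo()                      # re-issue EHLO after the TLS upgrade
        return True, smtp.sock.getpeercert().get("subjectAltName")


if __name__ == "__main__":
    print("mx1 offers STARTTLS:", advertises_starttls(EHLO_WITH_STARTTLS))
    print("mx2 under mandatory policy:", delivery_decision(EHLO_WITHOUT_STARTTLS, "mandatory"))
    print("hosts not covered by *.xyz.com:",
          uncovered_mx_hosts(["*.xyz.com"], ["abc.xyz.com", "cde.xyz.com", "mail.other.com"]))
```

Running the script prints that mx1 offers STARTTLS, that mx2 would be deferred under a mandatory policy (rather than sent in the clear, as opportunistic mode would do), and that a *.xyz.com wildcard covers the two xyz.com MX hosts but not an MX host in another domain. Note that a wildcard covers only one label, so an MX such as a.b.xyz.com would still need its own SAN entry.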
This website can help you find out whether TLS is working for your domain: just enter an email address at your domain and it will perform several tests and give you a result at the end:
Thank you for reading; I hope this helps you make decisions about your SMTP TLS implementation.