{"id":11358,"date":"2019-08-06T16:14:01","date_gmt":"2019-08-06T20:14:01","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=11358"},"modified":"2020-08-26T13:59:25","modified_gmt":"2020-08-26T17:59:25","slug":"encryption-and-email-servers","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/encryption-and-email-servers\/","title":{"rendered":"SSL\/TLS Encryption and Email Servers"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What you need to know about using SSL\/TLS to encrypt connections made by\nyour email servers<\/h2>\n\n\n\n<p>When I was approached\nwith the topic for this blog post, I happily agreed. Here\u2019s some paraphrasing\nof how it went down:<\/p>\n\n\n\n<p>\u201cWould you be able to\nwrite a post about the importance of TLS in email servers?\u201d asked Patrick.<\/p>\n\n\n\n<p>\u201cSure,\u201d I said. <\/p>\n\n\n\n<p>Whew, that was a crazy\nconversation to relive! Like a whirlwind!<\/p>\n\n\n\n<p>Then I started thinking about it for a bit. Are there really email servers out there that are not using encryption for transit? I\u2019m not talking about end-to-end encryption like we have covered in the past (<a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">S\/MIME<\/a>, <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-send-encrypted-email-on-3-major-email-platforms\/\">PGP<\/a>, etc). I am referring to server-to-server encryption, and everything in between, to protect the data along the route it traverses. <\/p>\n\n\n\n<p>Surely, in this day and age, no one would leave their incoming\/outgoing mail in plaintext traversing God knows which route to be intercepted and taken advantage of. 
Many people are using email services and there\u2019s no way that they would be excluding transit encryption from their service. Data breaches cost them millions in\nlawsuits and loss of business and shame\u2026\u2026Hmmmm\u2026..<\/p>\n\n\n\n<p>I went back to Patrick\nwith a question.<\/p>\n\n\n\n<p>\u201cDo we have statistics\nor information about email servers not using encryption? My guess is it would\nbe low. In other words, what prompted you to ask me about this article?\u201d <\/p>\n\n\n\n<p>Patrick replied, \u201cI\nactually don\u2019t. I thought it would be a good topic considering the importance\nof email and all of the aspects needed for security.\u201d<\/p>\n\n\n\n<p><span style=\"color:#3A8B2D\" class=\"color\">[Editor\u2019s Note: According to Google it\u2019s about 93%, though its methodology was opaque so we\u2019re not sure how accurate that is for the greater internet. Either way, let\u2019s say about 90-95%, which is good; email encryption is a requirement for pretty much every compliance framework including HIPAA, HITECH, PCI DSS, Sarbanes-Oxley, GLBA, SB1386, SEC 17a-4, NASD3010, FRCP, FINRA, etc.]<\/span><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"485\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Inbound-encryption-1024x485.png\" alt=\"\" class=\"wp-image-11359\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Inbound-encryption-1024x485.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Inbound-encryption-300x142.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Inbound-encryption-768x364.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/Inbound-encryption.png 1219w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<p>OK. That makes sense. 
There probably are some email servers out there [about 7%, per Google] not using it at all, though undoubtedly a much larger percentage may be using <a href=\"https:\/\/www.thesslstore.com\/blog\/apple-microsoft-google-disable-tls-1-0-tls-1-1\/\">out-of-date protocols<\/a> or <a href=\"https:\/\/www.thesslstore.com\/blog\/what-happens-when-your-ssl-certificate-expires\/\">expired certs<\/a> and may just need a refresh. <\/p>\n\n\n\n<p>This article will go\nover where things stand with email and in-transit encryption, to make sure you are\noperating at the best security level available. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Encryption in Email Servers<\/h2>\n\n\n\n<p>At this point, we probably have a general understanding of <a href=\"https:\/\/www.thesslstore.com\/blog\/explaining-ssl-handshake\/\">how TLS works<\/a>, but let\u2019s summarize in case you are new to this. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Secure-Email-300x300.png\" alt=\"HIPAA email security\" class=\"wp-image-10763\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Secure-Email-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Secure-Email.png 413w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p>Person A wants to send\na secure communication to Human B. Person A and Human B have a pre-established\ncertificate. Person A uses the certificate to encrypt the information and sends\nthe encrypted information to Human B. The information is unreadable until Human\nB uses the certificate to decrypt the encrypted information. 
<\/p>\n\n\n\n<p>Now, if Human B wants to respond back to Person A with encrypted information, Human B uses the symmetric session key that was just generated, and from there both sides can encrypt and send, and receive and decrypt, data to one another. <\/p>\n\n\n\n<p>This is generally how encrypting\/decrypting with SSL\/TLS works. Now replace the people listed in this example with servers and other such connections. Same concept. This is how TLS works with email, which is a bit different from how it facilitates an <a href=\"https:\/\/www.thesslstore.com\/blog\/what-does-https-protect\/\">HTTPS connection<\/a>, owing to the fact that email uses different protocols. But there are still some distinct similarities:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A handshake occurs<\/li><li>Authentication occurs (though both parties authenticate in this context)<\/li><li>Session keys are used to encrypt the flow of emails.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Ebb and (Mail) Flow<\/h2>\n\n\n\n<p>The next step in this\n\u201cunderstanding why\u201d article is the \u201cunderstanding how\u201d part. <\/p>\n\n\n\n<p>In short, an email client sends an email to the outbound server. The outbound server will do a <a href=\"https:\/\/www.thesslstore.com\/blog\/how-to-set-up-a-dns-server\/\">DNS lookup<\/a> based on the destination email domain, and that domain\u2019s MX record will determine which server to send the email to; possibly, that server will determine whether it needs to be forwarded on until it hits the destination inbox\u2019s Mail Delivery Agent (MDA). 
<\/p>\n\n\n\n<p>It\u2019s not enough to\ntrust DNS MX records, which is a whole other trust issue altogether, but the SMTP\n(mail going out, MTA, etc) server and the mail coming in (via POP3, IMAP,\nExchange) need to be able to identify each other and have the correct keys to\ncommunicate with each other. And, depending on the route, there may be more\nthan a single hop between email servers. Mail exchangers, proxy\nservers and other intermediaries could be in place along the route. Each hop should call for\nan encrypted link. Often, it does. Sometimes, it does not. Users would\nprefer that sensitive information is encrypted along the way. End-to-end encryption\nhelps assure that there is some sort of encryption the whole way through, but\nlayers of security are always, uh, better. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Respect Thy Securi-Tie<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"283\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Security-Policy-300x283.png\" alt=\"\" class=\"wp-image-10773\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Security-Policy-300x283.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/Security-Policy.png 572w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure><\/div>\n\n\n\n<p>For the record,\nSecuri-Tie is not a real word. I only made up that word because it rhymed. It\u2019s\na play off the word security. <\/p>\n\n\n\n<p>To springboard\noff the previous section, we should talk about security options that, while\nthey would be set from the client side, would actually provide some instruction\nto the mail server side for security-related purposes. <\/p>\n\n\n\n<p>When configuring an\nemail client (Outlook, Thunderbird, etc), the default is an unencrypted\nconfiguration. 
But, as is the point of this article, we typically want to go\nfor the encrypted option. In a sense, it is not entirely up to the client: it\ndepends on what the server side is able to support. Assuming that your inbound\nand outbound servers can support encryption, why wouldn\u2019t you? If you order a\nsteak at a restaurant and they offer you choice sirloin or Kobe (wagyu) ribeye\nat the same price, why wouldn\u2019t you order the better-quality cut? <\/p>\n\n\n\n<p>So, if you want to use\nTLS\/SSL on your email (this is for the transit part and not the end-to-end,\nS\/MIME part, which is discussed in other blog posts), turn it on. Use ports 465\nor 587 for SMTP (\u2018member, outbound mail) and 993 (IMAP) or 995 (POP3) for\ninbound traffic. <\/p>\n\n\n\n<p>There is an\ninteresting encryption protocol that is still used amongst email servers. It\nhas its good and bad points, as most things do. Ultimately, I would say that\nits intentions are good but the real-world application is not quite as ideal as it\ncould be. Ladies and gentlemen, that protocol is STARTTLS. <\/p>\n\n\n\n<p>STARTTLS is a security\nprotocol that basically boils down to SSL\/TLS. Quite simply, STARTTLS will take an\nexisting plaintext and, therefore, insecure connection, and attempt to upgrade\nit into a secure connection using TLS (or SSL). So, the security level of\nSTARTTLS vs SSL\/TLS is actually no different once the upgrade succeeds. If everything is set right, they\nwill both encrypt information using TLS (or SSL). <\/p>\n\n\n\n<p>The main difference is\nbased on the state of a connection and\/or the initiation of communication. STARTTLS\ndoes not guarantee encrypted communication. It basically means, \u2018if the\nconnection is unencrypted and you are able to, make this into a secure\nconnection.\u2019 If the connection node (likely a server) is unable to turn the\nconnection into an encrypted connection, it may be up to the client end to\ndecide how to handle it from there. 
<\/p>\n\n\n\n<p>While I qualified STARTTLS as \u201cuseful\u201d, it could be considered less secure\nthan selecting SSL\/TLS. Standard SSL\/TLS selection is basically, \u201cUse\nencryption or bust.\u201d STARTTLS is saying, \u201cUm, if you could, please do so. If\nnot, we may proceed based on other instructions.\u201d <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Here Are Some Conclusive Statements<\/h2>\n\n\n\n<p>Oftentimes, the obvious needs to be stated and maybe\noverstated. So here it is, ahem: Use encryption. Especially for something that\nis so important, so crucial and integrated into seemingly the vast majority of\nany organizational structure, and that can carry make-or-break information. There is\nnot much effort that needs to be put into it. Use both end-to-end and in-transit\nencryption. Two is better than one.<\/p>\n\n\n\n<p>If someone feels that the extra effort to set up an email\nserver to be encrypted versus unencrypted is not worth it, then that someone is\nnot worth it. This is simply overstating the obvious. End-to-end encryption, such as S\/MIME, takes a\nmore involved approach, but it also is worth it when adding layers and layers of\nsecurity. But there is no excuse not to take the time to set up and maintain\nsecure links. <\/p>\n\n\n\n<p>When visibility permits, any email path that seems insecure or compromised should be held under scrutiny. And with that, be happy in your scrutinizing for a safer internet. 
Cheers!<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>What you need to know about using SSL\/TLS to encrypt connections made by your email servers When I was approached with the topic for this blog post, I happily agreed&#8230;.<\/p>\n","protected":false},"author":11,"featured_media":11360,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[7970],"class_list":["post-11358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-email-security","post-with-tags"],"views":24540,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/08\/TLS-Email-feature.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=11358"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/11358\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/11360"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=11358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=11358"},{"taxonomy":"post_tag","
embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=11358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}