Transport Layer Security (TLS) Email Encryption

Transport Layer Security (TLS) in the Email Appliance

Transport Layer Security (TLS) enables the encrypted communication of messages between hosts that support TLS and can also allow one host to verify the identity of another. On the Email Appliance, TLS is set to Off by default. In this state, the Email Appliance will never attempt to encrypt email or verify the identity of a host to which it sends email.

Establishing a TLS connection

Once Email Encryption (TLS) is set to On, the Email Appliance will offer to encrypt incoming email by default. Other TLS-capable mail relays can then encrypt email sent to the Email Appliance. The appliance will also attempt to use TLS encryption for outbound email. To encrypt email, a TLS session must be established as follows:

1. A connection is established between the Email Appliance and the other mail relay.

2. The receiving host offers TLS encryption.

3. The sending host starts a TLS session.

4. The Email Appliance and the other relay attempt to exchange encryption ciphers.

Note
The host sending the mail is responsible for whether encryption is used. The receiving host cannot require the sending host to encrypt the email that it sends.

Encryption and Identity Verification

When email is encrypted, it cannot be read by anyone who does not have the appropriate key to decrypt it. However, encryption by itself does not allow you to verify the identity of the person or organization to whom you are sending the encrypted email. It is conceivable that the encrypted email could be redirected and read if the identity of the receiving mail relay has not been verified. To prevent this, the Email Appliance can be configured to use certificates to verify the identity of the TLS-capable host that is receiving the email.

Setting Policies for Specific Domains

The Email Appliance can be configured to use specific policies for email that is sent to and from particular domains, including requiring the verification of the identity of a mail relay. Available policies include:

Incoming Domains

  • Attempt Encryption: When this option is selected and TLS is set to On, the Email Appliance will attempt, but not require, the use of TLS encryption for all incoming email. When an email relay attempts to send mail to the Email Appliance:

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2a. If the sequence is successful, email sent by the mail relay to the Email Appliance will be encrypted.

    2b. If the TLS session or cipher exchange fails, the Email Appliance will still receive mail from the other mail relay, but the mail will not be encrypted.

  • Require Encryption: Selecting this policy ensures that the mail relay will send email from the specified domain only if the Email Appliance supports TLS encryption. The mail relay will also check if the Email Appliance has a valid certificate. If the certificate check fails, the mail relay will still send encrypted email.

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2a. If the sequence is successful, email sent by the mail relay to the Email Appliance will be encrypted.

    2b. If the sequence fails, the mail relay will not send mail to the Email Appliance.

  • Require Encryption and Validate Certificate: Selecting this policy ensures that the mail relay will only send email if the Email Appliance supports TLS encryption, and also has a valid certificate that has been signed by a trusted certificate authority. This ensures that the email is encrypted and that the identity of the Email Appliance can be confirmed.

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2. The mail relay will retrieve the Email Appliance mail certificate and authenticate it.

    3a. If the connection sequence is successful and the identity of the Email Appliance can be verified, email sent by the relay to the Email Appliance will be encrypted.

    3b. If the connection sequence fails, or if the identity verification fails, the mail relay will not send mail to the Email Appliance.

Outgoing Domains

  • Attempt Encryption: When this option is selected and TLS is set to On, the Email Appliance will attempt, but not require, the use of TLS encryption for all outgoing email. When the Email Appliance attempts to send mail to a mail relay:

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2a. If the sequence is successful, email sent by the Email Appliance to the other host will be encrypted.

    2b. If the TLS session or cipher exchange fails, or the other host does not support TLS, the Email Appliance will still send email to the other host, but the email will not be encrypted.

  • Prevent Encryption: No attempt is made to encrypt email, even if encryption is supported by the receiving host. This may be useful in cases where encryption is not necessary, and attempts to use TLS encryption are having a performance impact.

    1. The Email Appliance will connect to the other mail relay.

    2. Email sent by the Email Appliance to the other mail relay will not be encrypted.

  • Require Encryption: Selecting this policy ensures that the Email Appliance will send email to the specified domain only if the receiving host supports TLS encryption. The Email Appliance will also check if the host has a valid certificate. If the certificate check fails, the Email Appliance will still send encrypted email. However, it will not be possible to confirm the identity of the receiving host.

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2a. If the sequence is successful, email sent by the Email Appliance to the other mail relay will be encrypted.

    2b. If the sequence fails, the Email Appliance will not send email to the other mail relay.

  • Require Encryption and Validate Certificate: Selecting this policy ensures that the Email Appliance will only send email if the receiving host supports TLS encryption and also has a valid certificate that has been signed by a trusted certificate authority. This ensures both that the email is encrypted and that the identity of the receiving host has been confirmed.

    1. A TLS connection sequence and cipher exchange will be attempted (as shown above in Establishing a TLS connection).

    2. The Email Appliance will retrieve the mail relay’s certificate and authenticate it.

    3a. If the connection sequence is successful and the identity of the mail relay can be verified, email sent by the Email Appliance to the other mail relay will be encrypted.

    3b. If the connection sequence fails, or if the identity verification fails, the Email Appliance will not send email to the other mail relay.
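The four outgoing-domain policies above, and the connection sequence from Establishing a TLS connection, as an added example written in Python's standard smtplib and ssl modules. It is not the Email Appliance's own code; the policy names, the decide() helper and the send_with_policy() function are assumed here for illustration, and the relay host name is a placeholder you supply. Note that only Require Encryption and Validate Certificate configures the SSL context to check the certificate chain and host name; Require Encryption encrypts but accepts any certificate, which is exactly why it cannot confirm the receiving host's identity.

```python
import smtplib
import ssl

# Outgoing-domain policy names (assumed labels for this example).
ATTEMPT, PREVENT, REQUIRE, REQUIRE_VALIDATE = (
    "attempt", "prevent", "require", "require_validate")


def tls_context(policy):
    """Build the SSL context for a policy. Only REQUIRE_VALIDATE verifies the
    relay's certificate against the system CA bundle and checks its host name."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname by default
    if policy != REQUIRE_VALIDATE:
        ctx.check_hostname = False       # encrypt, but do not confirm identity
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def decide(policy, starttls_offered, handshake_ok, cert_ok):
    """Return (deliver, encrypted) for one outbound session, mirroring the
    numbered steps of each policy on the page."""
    if policy == PREVENT:
        return True, False                 # step 2: sent, never encrypted
    if not starttls_offered or not handshake_ok:
        return policy == ATTEMPT, False    # 2b: Attempt falls back, Require* refuses
    if policy == REQUIRE_VALIDATE and not cert_ok:
        return False, False                # 3b: identity verification failed
    return True, True                      # 2a/3a: encrypted delivery


def send_with_policy(host, policy, sender, rcpt, message, port=25):
    """Drive the policy against a live relay. Returns True if the message was
    delivered over TLS, False if delivered in plaintext; raises if refused."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()                                          # step 1: connect
        offered = policy != PREVENT and smtp.has_extn("starttls")  # step 2: offered?
        handshake_ok = cert_ok = False
        if offered:
            try:
                smtp.starttls(context=tls_context(policy))   # step 3/4: session + ciphers
                smtp.ehlo()
                handshake_ok = cert_ok = True
            except ssl.SSLCertVerificationError:
                handshake_ok, cert_ok = True, False          # chain or host name rejected
            except OSError:
                handshake_ok = False                         # TLS session failed
        deliver, encrypted = decide(policy, offered, handshake_ok, cert_ok)
        if not deliver:
            raise RuntimeError(f"policy {policy}: refusing to deliver to {host}")
        if not (offered and not handshake_ok):
            smtp.sendmail(sender, rcpt, message)
            return encrypted
    # A failed handshake leaves the session unusable: Attempt retries in plaintext.
    return send_with_policy(host, PREVENT, sender, rcpt, message, port)
```

Call send_with_policy("relay.example.invalid", REQUIRE_VALIDATE, "a@example.com", "b@example.com", b"Subject: test\r\n\r\nhello") with your own relay name to see the policy applied end to end.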

Note
After the Email Appliance has passed encrypted email to another mail relay, there is no way to guarantee it will remain encrypted or confidential, even if the identity of the other relay has been verified. You may need to communicate with the organization that manages the other relay if this is a concern.