Secure email routing


We have relationships with some banks that are trying to implement some secure email. Is there any method that would force the server to send emails via TLS when sending email to a specific domain? This is a cPanel/WHM server.

We basically need to require that an email be secure from
user -> mail server
and from
mail server -> bank's server.

I'm not entirely familiar with what happens after the email leaves my email program. If I send a message over TLS or SSL outgoing connection, does the email leave the mail server also over a secure connection? I have no problem implementing TLS from the client to the mail server. It's after it gets to the mail server that I am unclear on.

Any help on this would be appreciated.

Best Answer

Others can talk about the cPanel-specific issues, but I can talk to SMTP TLS.

A TLS connection is negotiated between two mailers as part of the ESMTP negotiation process. Most mailers can be configured to prefer TLS connections over plain ones (or not, encryption does cost CPU cycles), and the major Linux mailers also have the ability to set per-domain mail policies that include TLS settings. So you can specify gets TLS, but doesn't for instance. Mailers are pretty good these days about stamping Received-By: headers with (TLS) if it received the mail over a TLS connection.

This will encrypt the mail in transit between actual mailers. Encrypting it between the sender and the mailer will require the sender to use an encrypted method to send, either TLS or SSL. Requiring login to send mail and only allowing logins over encrypted methods will accomplish this.

If you require the mail to be encrypted while in mail queues, then you'll have to encrypt the mails themselves with either S/MIME or PGP/GPG.
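As an added example (not part of the original answer), the following Python script audits the `Received:` trace headers of a delivered message and reports which hops were recorded as TLS. It relies on the RFC 3848 `with ESMTPS`/`ESMTPSA` protocol keywords plus a heuristic for MTA-specific TLS comments; the sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (reserved example domains and addresses).
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.bank.example (Postfix) with ESMTPS id 4F1A2B3C
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tfor <teller@bank.example>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.sender.example ([198.51.100.7])
\tby mail.sender.example with esmtps (TLS1.3) id 1rAbCd-0001
\tfor <teller@bank.example>; Mon, 01 Jan 2024 10:00:01 +0000
Received: from webapp.sender.example ([198.51.100.8])
\tby relay.sender.example with SMTP id 9Z8Y7X
\tfor <teller@bank.example>; Mon, 01 Jan 2024 10:00:00 +0000
From: user@sender.example
To: teller@bank.example
Subject: constructed test

body
"""

# "with" keywords that denote STARTTLS (RFC 3848 and RFC 6531 registrations).
TLS_PROTO = re.compile(r"(?:ESMTP|LMTP|UTF8SMTP|UTF8LMTP)SA?", re.I)
# Heuristic: free-form TLS comments vary by MTA, e.g. "(TLS1.3)" or "version=TLS1_2".
TLS_NOTE = re.compile(r"\bTLSv?\d|\(TLS\)", re.I)

def audit_hops(raw):
    """Return (receiving_host, protocol, tls_seen) per hop, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1) if proto else ""
        tls = bool(TLS_PROTO.fullmatch(name) or TLS_NOTE.search(flat))
        hops.append((by.group(1) if by else "?", name, tls))
    return hops

def plaintext_hops(raw):
    """Receiving hosts whose header shows no sign of TLS."""
    return [host for host, _, tls in audit_hops(raw) if not tls]

if __name__ == "__main__":
    for host, proto, tls in audit_hops(SAMPLE):
        print(f"{host:25} {proto:8} {'TLS' if tls else 'PLAINTEXT'}")
```

Only headers added by servers you control are trustworthy, since earlier ones can be forged by an upstream sender. This check confirms after the fact what a per-domain TLS policy should already be enforcing at send time.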
