The SEPPmail Secure E-Mail Gateway normally uses "opportunistic TLS": TLS is used whenever the remote email server and/or MTA (Mail Transfer Agent) offers it, and the strongest encryption both sides support is negotiated. TLS is an encryption of the transport route, usually applied in addition to end-to-end email encryption.
If TLS is to be enforced, the SEPPmail Secure E-Mail Gateway offers the option of managing individual targets (email domains and/or email servers). For each target, the administrator can select one of the security levels familiar from Postfix:
Level | Description
---|---
(none) | No TLS encryption
may | (default) opportunistic TLS
encrypt | Emails are only sent if a transmission using TLS encryption is possible.
verify | Emails are only sent if a transmission via TLS encryption is possible and the SSL certificate of the receiving email server is valid.
secure | Emails are only sent if a transmission via TLS encryption is possible, the SSL certificate of the receiving email server is valid, the FQDN of the email server is identical to the name (CN) in the certificate subject, and the email domain matches the domain name of the email server.
fingerprint | Emails are only sent if a transmission via TLS encryption is possible and the SSL certificate of the receiving email server corresponds to the entered fingerprint.
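The following Python script is an added illustration (not SEPPmail or Postfix code) of the decision each level in the table implies before an email is released to a target, together with the Postfix `tls_policy` map lines such levels correspond to. The `PeerInfo` fields, the sample certificate bytes and the domain names are constructed for the example; the SHA-256 fingerprint format is an assumption chosen to mirror what a certificate viewer displays.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Security levels from the table, in ascending strictness as listed there.
LEVELS = ("none", "may", "encrypt", "verify", "secure", "fingerprint")


@dataclass
class PeerInfo:
    """What the sending MTA learns about the receiving server during delivery
    (constructed for this example)."""
    tls_offered: bool
    cert_chain_valid: bool = False      # chain validates against a trusted CA
    server_fqdn: str = ""               # host name the MTA connected to
    cert_names: Tuple[str, ...] = ()    # CN / SAN names found in the certificate
    cert_der: bytes = b""               # raw certificate bytes (constructed)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in colon-separated hex, as shown by most cert viewers."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_in_domain(fqdn: str, mail_domain: str) -> bool:
    """True if the server host name lies inside the email domain."""
    fqdn, mail_domain = fqdn.lower().rstrip("."), mail_domain.lower().rstrip(".")
    return fqdn == mail_domain or fqdn.endswith("." + mail_domain)


def may_deliver(level: str, peer: PeerInfo, mail_domain: str,
                expected_fingerprint: Optional[str] = None) -> bool:
    """Apply the rule of the given level; True means the mail may be sent."""
    if level not in LEVELS:
        raise ValueError(f"unknown TLS level: {level}")
    if level in ("none", "may"):
        return True                      # 'may' falls back to clear text
    if not peer.tls_offered:
        return False                     # every stricter level requires TLS
    if level == "encrypt":
        return True
    if level == "fingerprint":
        # Trust is pinned to the certificate itself, not to a CA or DNS.
        return (expected_fingerprint is not None
                and cert_fingerprint(peer.cert_der) == expected_fingerprint.upper())
    if not peer.cert_chain_valid:
        return False                     # 'verify' and 'secure' need a valid cert
    if level == "verify":
        return True
    # 'secure': FQDN must appear in the certificate and belong to the email domain
    names = {n.lower() for n in peer.cert_names}
    return peer.server_fqdn.lower() in names and host_in_domain(peer.server_fqdn, mail_domain)


def tls_policy_line(mail_domain: str, level: str, fingerprint: Optional[str] = None) -> str:
    """Equivalent entry for a Postfix smtp_tls_policy_maps table."""
    if level == "fingerprint":
        if not fingerprint:
            raise ValueError("fingerprint level needs a fingerprint")
        return f"{mail_domain}\tfingerprint match={fingerprint}"
    return f"{mail_domain}\t{level}"


if __name__ == "__main__":
    # Constructed sample: a partner whose server presents a valid certificate.
    cert = b"constructed-der-bytes-for-mail.partner.example"
    peer = PeerInfo(True, True, "mail.partner.example", ("mail.partner.example",), cert)
    for lvl in LEVELS:
        print(lvl, may_deliver(lvl, peer, "partner.example", cert_fingerprint(cert)))
    print(tls_policy_line("partner.example", "fingerprint", cert_fingerprint(cert)))
```

Note that under this model only the "fingerprint" level survives a spoofed DNS answer: an attacker-controlled host can still present a CA-issued certificate for the name the MTA was steered to, but it cannot reproduce the pinned certificate hash.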
However, the "targeted" use of TLS as a replacement for email encryption is not recommended, for the following reasons:
• TLS can only ever be guaranteed up to the next MTA. Whether and how encryption takes place beyond that MTA is not visible to the sender. As more and more companies route mail through cloud services to filter spam, this type of encryption is usually insufficient.
• Only the "fingerprint" and "DANE" levels can be regarded as actually secure. All other security levels can be bypassed, e.g. by means of DNS spoofing.
• Managing TLS paths requires great administrative effort.
Since TLS is available on practically every MTA as a "lowest common denominator", this type of encryption is used relatively frequently, in particular for point-to-point communication between companies.
This encryption technology is also part of the SEPPmail Secure E-Mail Gateway basic licence and does not have to be licensed separately by the user.