This page describes how TLS is used and how various levels of TLS can be enforced in seppmail.cloud.

Terms used on this page:

  • TLS: Transport Layer Security
  • DANE: DNS-based Authentication of Named Entities - a mechanism to authenticate TLS certificates using TLSA records protected by DNSSEC.
  • DNSSEC: A mechanism to authenticate DNS data.
  • TLSA Record: Type of DNS record used to publish certificate fingerprints for verification.
  • MTA-STS: MTA Strict Transport Security - a mechanism to encourage the use of TLS, using a policy file published on a web server.

Inline Inbound: Delivery to seppmail.cloud

  • All our systems support opportunistic TLS by default.
  • If a customer domain (recipient domain) has DNSSEC enabled, then DANE is automatically provided.
  • A customer domain can alternatively define MTA-STS to encourage delivery via TLS.
  • If a customer domain supports neither DANE nor MTA-STS but mandatory TLS is required for all of its incoming mail, a support request must be submitted. The better option, which we strongly encourage, is for the customer to publish DANE or MTA-STS for their domain.
  • If mail from a particular sender domain must only be accepted over enforced TLS, a support request must be submitted. Please note that such a change affects all seppmail.cloud customers. The better option, which we strongly encourage, is for the customer domain to publish DANE or MTA-STS so that the sender can evaluate it, or for TLS to be enforced on the sender side.

Parallel Inbound: Delivery from customer server to seppmail.cloud

  • All our systems enforce TLS. This is a global setting and no exceptions can be defined.
  • All seppmail.cloud hostnames have a TLSA record, allowing additional DANE verification if the sending server supports it.

Delivery from seppmail.cloud to customer server (inline inbound and parallel inbound/outbound)

  • If a customer uses M365 mail hosting, then TLS is always enforced via the certificate-based connector setup.
  • If a customer server supports DANE, then TLS is enforced via DANE.
  • If a customer server does not support DANE, then opportunistic TLS is used.
  • If a customer server does not support DANE but mandatory TLS is required, a support request must be submitted. We strongly encourage the customer to provide DANE on their side instead.

Inline Outbound: Delivery from customer server to seppmail.cloud

  • All seppmail.cloud hostnames have a TLSA record, allowing DANE verification if the sending server supports it.
  • All our systems support opportunistic TLS by default.
  • If a customer wants to enforce TLS but cannot use DANE, then a support request must be submitted.

Inline Outbound: Delivery from seppmail.cloud to recipient

  • If a recipient domain supports DANE, then TLS is enforced via DANE.
  • If a recipient domain supports MTA-STS, then TLS is enforced via MTA-STS.
  • If a recipient domain supports both DANE and MTA-STS, then DANE is used.
  • If a recipient domain supports neither DANE nor MTA-STS, then opportunistic TLS is used. Connections to M365 will always enforce TLS.
  • If a recipient domain supports neither DANE nor MTA-STS but mandatory TLS is required, a support request must be submitted. Please note that such a change affects all seppmail.cloud customers. The better option, which we strongly encourage, is for the recipient to publish DANE or MTA-STS for their domain.
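The precedence just described for outbound delivery (DANE preferred over MTA-STS, otherwise opportunistic TLS, with M365 recipients always enforced), and the recommendation in the Inline Inbound section that customers publish DANE or MTA-STS so a sender can evaluate it, can be expressed as a small decision routine. The following is an added example and not seppmail.cloud's own code: it parses a TLSA record and an MTA-STS policy body, matches MX hosts against the policy, and picks the mode. The DNS answers, the TLSA digest and the policy text are constructed inputs, the `dnssec_validated` flag stands in for a validating resolver's result, and the function and field names are this example's own.

```python
"""Decide which TLS mode a sending MTA applies to a recipient domain, using
the precedence on this page: DANE, then MTA-STS, then opportunistic TLS (M365
recipients always enforced). All inputs are constructed so it runs offline."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    cert_data: bytes

def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse presentation-format TLSA rdata such as '3 1 1 <hex>'.
    A structurally broken record must not count as a DANE deployment."""
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"malformed TLSA record: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex(parts[3].replace(" ", ""))
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError(f"unknown TLSA parameters: {rdata!r}")
    if (mtype == 1 and len(data) != 32) or (mtype == 2 and len(data) != 64):
        raise ValueError("digest length does not match matching type")
    return TlsaRecord(usage, selector, mtype, data)

def parse_mta_sts_policy(text: str) -> dict:
    """Parse an MTA-STS policy body (RFC 8461 'key: value' lines)."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported MTA-STS version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    policy["max_age"] = int(policy.get("max_age", "0"))
    return policy

def mx_allowed_by_policy(mx_host: str, policy: dict) -> bool:
    """An 'mx:' pattern may start with '*.', which matches exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

@dataclass
class RecipientFacts:
    """Constructed snapshot of what the sending side learned about a domain."""
    domain: str
    mx_hosts: List[str]
    dnssec_validated: bool = False                # MX answer passed DNSSEC validation
    tlsa_by_mx: Dict[str, List[str]] = field(default_factory=dict)  # mx -> rdata
    mta_sts_txt: Optional[str] = None             # _mta-sts.<domain> TXT record
    mta_sts_policy: Optional[str] = None          # fetched policy body
    is_m365: bool = False

def select_tls_mode(facts: RecipientFacts) -> str:
    """Return 'dane', 'mta-sts', 'enforced' (M365) or 'opportunistic'."""
    # DANE first: it wins over MTA-STS when both are published. Only DANE-TA /
    # DANE-EE records on a DNSSEC-validated MX are usable for SMTP (RFC 7672).
    if facts.dnssec_validated:
        for mx in facts.mx_hosts:
            for rdata in facts.tlsa_by_mx.get(mx, []):
                try:
                    if parse_tlsa(rdata).usage in (2, 3):
                        return "dane"
                except ValueError:
                    pass  # unusable record: DANE must not be claimed on its basis
    # MTA-STS next: the TXT record announces a policy; only mode=enforce mandates TLS.
    if facts.mta_sts_txt and facts.mta_sts_policy:
        if re.match(r"^v=STSv1;\s*id=\S+", facts.mta_sts_txt):
            policy = parse_mta_sts_policy(facts.mta_sts_policy)
            if policy["mode"] == "enforce" and any(
                mx_allowed_by_policy(mx, policy) for mx in facts.mx_hosts
            ):
                return "mta-sts"
    return "enforced" if facts.is_m365 else "opportunistic"

# Constructed sample data; the digest is a placeholder, not a real certificate hash.
SAMPLE_TLSA = "3 1 1 " + "ab" * 32
SAMPLE_TXT = "v=STSv1; id=20240101T000000Z"
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.net\n" \
                "mx: *.backup.example.net\nmax_age: 604800\n"

if __name__ == "__main__":
    facts = RecipientFacts("example.net", ["mail.example.net"], True,
                           {"mail.example.net": [SAMPLE_TLSA]}, SAMPLE_TXT, SAMPLE_POLICY)
    print(facts.domain, "->", select_tls_mode(facts))  # prints "example.net -> dane"
```

Two details matter for a customer deciding which mechanism to publish: a TLSA record that is syntactically broken (wrong digest length, unknown usage) is treated as absent rather than as a DANE deployment, and an MTA-STS policy only counts as enforcement when `mode: enforce` is set and the MX actually matches one of its `mx:` patterns, so a `testing` policy or a stale MX list still leaves delivery at opportunistic TLS.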