


When we talk about servers, we know that if TLS is used between two servers then that connection is secure. It is therefore assumed that if both servers have TLS the message is secure and there is nothing further to worry about. This is a VERY common misconception: while mostly accurate, it requires some additional questions to be asked about the recipient's mail server. Most companies have some kind of SPAM and Anti-Virus service implemented. We know that those services or appliances inspect messages and, if they are deemed "OK", deliver them on to the receiving mail server. The question that needs to be asked is whether the SPAM or Anti-Virus service actually sends messages to the receiving server over TLS or not. Just because a sender sent the message and something received it via TLS does not mean that the whole path to the receiving server is encrypted. So it is important to ask recipients whether automatic (opportunistic) TLS delivery or forced TLS delivery is in place, to see whether true end-to-end TLS is implemented or whether there is a gap.

TLS and Replies

As an email recipient sending a reply, we can have a scenario where the recipient needs to reply securely. Just because a message was received from someone over TLS, there is no guarantee that the recipient's sending email server will use TLS encryption to send the reply. The number of organizations that I see which accept TLS, because they have some kind of email SPAM or AV service, but don't have TLS in use for inbound or outbound email on their own server is more than I would like to admit. The question that needs to be asked of the recipient's IT team is about priority of use: for example, will TLS always be used? Is there a fallback to an encryption or delivery provider in situations where TLS is not available, or is there even support for TLS when sending messages?
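One way to check for the gap described above on a message you have actually received is to walk its Received headers hop by hop and flag any hop that was not handed over with a TLS-bearing "with" keyword (ESMTPS/ESMTPSA, RFC 3848) or a TLS version annotation. This is an added example, not code from the original post; the message, hostnames and addresses are constructed, and they model a sender reaching a spam/AV gateway over TLS while the gateway relays to the internal mailbox server in clear text.

```python
import email
import re

# Constructed sample message (not from the original post). It shows the gap the
# text describes: the sender's server reaches the recipient's spam/AV gateway
# over TLS, but the gateway relays to the internal mailbox server in clear text.
SAMPLE_MESSAGE = """\
Received: from mailgw.example.net (mailgw.example.net [192.0.2.20])
\tby mbx01.example.net with ESMTP id 8a7b6c; Tue, 4 Jun 2024 10:02:11 +0000
Received: from smtp-out.sender.example (smtp-out.sender.example [198.51.100.5])
\tby mailgw.example.net with ESMTPS id 3f2e1d
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Tue, 4 Jun 2024 10:02:09 +0000
Received: from user-laptop (unknown [10.0.0.7])
\tby smtp-out.sender.example with ESMTPSA id 9c0d1e; Tue, 4 Jun 2024 10:02:08 +0000
From: alice@sender.example
Subject: TLS trace test

hello
"""

# "with" keywords that mean the hop was received over TLS (RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def trace_hops(raw_message: str) -> list[dict]:
    """Return each SMTP hop in delivery order, flagging whether it used TLS."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so the last one is the first
    # hop; reverse to read them in the order the message actually travelled.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        src = re.search(r"^from\s+(\S+)", text)
        dst = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        proto_name = proto.group(1).upper() if proto else ""
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "protocol": proto_name,
            # The protocol keyword or a "version=TLS..." annotation both count.
            "tls": proto_name in TLS_PROTOCOLS or bool(re.search(r"\bTLS", text)),
        })
    return hops


def unencrypted_hops(raw_message: str) -> list[tuple[str, str]]:
    """(from, by) pairs for hops that were not protected by TLS."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]
```

Received headers are written by the receiving server of each hop, so they are only trustworthy for the hops your own servers wrote; a finding of a clear-text hop inside your perimeter is real, but a claim of TLS on a hop operated by someone else cannot be verified from the header alone.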
