cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Forced (mandatory) TLS

FanField
Newbie
Posts: 4
Registered: ‎19-01-2022

Forced (mandatory) TLS

‎21-01-2022 10:15 AM

I need to set up a secure email path with a particular correspondent.  His end is already set up for forced TLS on certain addresses.  We can currently correspond using TLS, but this is opportunistic and not guaranteed.  I need to be able to used forced TLS on at least one email address (using a subdomain if necessary) dedicated to this purpose.

My domain is hosted on UK2.NET with most email addresses diverted to Plusnet mailboxes.  I receive (POP3) and send (SMTP) via Plusnet's mail servers using Thunderbird as a client.  I have one email address with a mailbox hosted on UK2.  I have asked UK2 support if I could implement forced TLS on this and they said no.

Does anybody know of a straightforward way to achieve this.  I only need it for a year or less and don't want to invest a great deal of time and money.

Paul

Tags (1)
Message 1 of 6
(841 Views)
0 Thanks
5 REPLIES 5
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Forced (mandatory) TLS

‎21-01-2022 10:21 AM - edited ‎21-01-2022 10:22 AM

Hi Paul, for what reason are you wanting to do this?

If you want to ensure that these emails are secure from snooping etc. then you may be better to look at encrypting them.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 2 of 6
(841 Views)
0 Thanks
FanField
Newbie
Posts: 4
Registered: ‎19-01-2022

Re: Forced (mandatory) TLS

‎21-01-2022 11:04 AM

Hi Bob,

 

Thanks for the prompt response.  This approach has been suggested by our correspondent as it complies with the NCSC requirements set out here: https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data#section_13.  I am not sure if OpenPGP would meet their standards.

Message 3 of 6
(826 Views)
0 Thanks
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Forced (mandatory) TLS

‎27-01-2022 9:54 PM - edited ‎27-01-2022 9:57 PM

Is your recipient in a position to configure their end to only accept mail from your address if it is sent under TLS? The feasibility/complexity of doing this will depend on what mail platform they are using, Additionally, an MTA-STS policy can help but I don’t know if Plusnet’s servers work with it.

Going back to the question regarding what the goal is, is the threat of an attack against opportunistic TLS really considered to be higher than compromise of the data during the interim forwarding step or when at rest on your machine?

Note that NCSC guidance is just that - guidance - and other methods of protecting data can usually be considered to provide similar levels of risk mitigation.

Message 4 of 6
(717 Views)
0 Thanks
FanField
Newbie
Posts: 4
Registered: ‎19-01-2022

Re: Forced (mandatory) TLS

‎28-01-2022 9:27 AM - edited ‎28-01-2022 9:31 AM

Thanks MJN for your response.  I think was have, as yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login. 

With regards to our goal, it was to ensure that messages containing sensitive information were always sent encrypted. Without Forced TLS, if the receiver was not using TLS, the messages would be sent in the clear without warning.  Our correspondent could set Forced TLS at their end, but still required the assurance that we would not deliver if this was not working for any reason.  Also the converse, we needed to ensure that our end (i.e. Plusnet) would refuse incoming email sent unencrypted.

We are obliged to follow NCSC guidance because our contract requires it.  We have taken appropriate steps, which I won't go into here, to protect the data at rest on our machines.

Thanks again for your time.

Message 5 of 6
(689 Views)
0 Thanks
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Forced (mandatory) TLS

‎28-01-2022 9:38 AM - edited ‎28-01-2022 9:40 AM

@FanField wrote:

I think was have, as yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login. 

Okay that's good. Probably the easiest route to take when you can't directly influence both ends of the transport path (or all three in your case given UK2's involvement!).

Message 6 of 6
(684 Views)
0 Thanks