
Forced (mandatory) TLS

FanField
Newbie
Posts: 3
Registered: ‎19-01-2022

Forced (mandatory) TLS

I need to set up a secure email path with a particular correspondent.  His end is already set up for forced TLS on certain addresses.  We can currently correspond using TLS, but this is opportunistic and not guaranteed.  I need to be able to use forced TLS on at least one email address (using a subdomain if necessary) dedicated to this purpose.

My domain is hosted on UK2.NET with most email addresses diverted to Plusnet mailboxes.  I receive (POP3) and send (SMTP) via Plusnet's mail servers using Thunderbird as a client.  I have one email address with a mailbox hosted on UK2.  I have asked UK2 support if I could implement forced TLS on this and they said no.

Does anybody know of a straightforward way to achieve this?  I only need it for a year or less and don't want to invest a great deal of time and money.

Paul

bobpullen
Community Gaffer
Posts: 16,852
Thanks: 4,922
Fixes: 315
Registered: ‎04-04-2007

Re: Forced (mandatory) TLS

Hi Paul, for what reason are you wanting to do this?

If you want to ensure that these emails are secure from snooping etc. then you may be better to look at encrypting them.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

FanField
Newbie
Posts: 3
Registered: ‎19-01-2022

Re: Forced (mandatory) TLS

Hi Bob,

Thanks for the prompt response.  This approach has been suggested by our correspondent as it complies with the NCSC requirements set out here: https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data#section_13.  I am not sure if OpenPGP would meet their standards.

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Forced (mandatory) TLS

Is your recipient in a position to configure their end to only accept mail from your address if it is sent under TLS? The feasibility/complexity of doing this will depend on what mail platform they are using. Additionally, an MTA-STS policy can help but I don't know if Plusnet's servers work with it.

Going back to the question regarding what the goal is, is the threat of an attack against opportunistic TLS really considered to be higher than compromise of the data during the interim forwarding step or when at rest on your machine?

Note that NCSC guidance is just that - guidance - and other methods of protecting data can usually be considered to provide similar levels of risk mitigation.
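
As an added illustration of the MTA-STS mechanism mentioned above (this is not code from the thread, from Plusnet or from UK2), the Python below sketches how a sending MTA applies a recipient domain's published policy and why "enforce" mode is what turns opportunistic TLS into mandatory TLS. The sample policy, domain names and MX hosts are constructed for the example.

```python
# Constructed sample policy for a hypothetical recipient domain (RFC 8461 text format,
# normally published at https://mta-sts.<domain>/.well-known/mta-sts.txt).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""

def parse_policy(text):
    """Parse an MTA-STS policy into {'mode': str, 'mx': [str], 'max_age': int}."""
    fields, mx = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if mode != "none" and not mx:
        raise ValueError("enforce/testing policy must list at least one mx")
    return {"mode": mode, "mx": mx, "max_age": int(fields.get("max_age", 0))}

def mx_matches(policy, host):
    """True if the MX host is allowed by the policy ('*.' matches exactly one label)."""
    host = host.lower()
    for pat in policy["mx"]:
        if pat.startswith("*."):
            if host.endswith(pat[1:]) and host.count(".") == pat.count("."):
                return True
        elif host == pat:
            return True
    return False

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS succeeded and the certificate validated for mx_host.
    Returns 'deliver', 'deliver-clear' (opportunistic fallback) or 'defer'."""
    if policy is None or policy["mode"] == "none":
        return "deliver" if tls_ok else "deliver-clear"   # no policy: opportunistic
    if tls_ok and mx_matches(policy, mx_host):
        return "deliver"
    return "defer" if policy["mode"] == "enforce" else "deliver-clear"
```

With no policy (or mode "none") a failed STARTTLS silently falls back to cleartext, which is the behaviour the thread is trying to rule out; with "enforce" the same failure holds the message instead.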

FanField
Newbie
Posts: 3
Registered: ‎19-01-2022

Re: Forced (mandatory) TLS

Thanks MJN for your response.  I think we have, as of yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login.

With regards to our goal, it was to ensure that messages containing sensitive information were always sent encrypted. Without Forced TLS, if the receiver was not using TLS, the messages would be sent in the clear without warning.  Our correspondent could set Forced TLS at their end, but still required the assurance that we would not deliver if this was not working for any reason.  Also the converse, we needed to ensure that our end (i.e. Plusnet) would refuse incoming email sent unencrypted.

We are obliged to follow NCSC guidance because our contract requires it.  We have taken appropriate steps, which I won't go into here, to protect the data at rest on our machines.

Thanks again for your time.

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: Forced (mandatory) TLS

@FanField wrote:

I think we have, as of yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login.

Okay that's good. Probably the easiest route to take when you can't directly influence both ends of the transport path (or all three in your case given UK2's involvement!).