I have recently been requested to force TLS connections for one of my clients to a specific domain. (please see below. I host billybob.com)
Anyone know how to do that?
We're requesting that your email system be configured to require TLS encryption for any outbound email sent to @sammyjammy.com.
We can easily configure the same setting on our side of things with regards to emails we send to @billybob.com, but when we configure this, we work with the respective business partner so we can configure it from both sides.
This is being requested so that all emails sent between us will be encrypted, and we won't have to rely on end users manually using some sort of manual secure email system to encrypt their outbound emails whenever they send PHI, etc.
Welcome to Iw forums
I do not think email can do forced TLS. It is passive TLS.
To show this, the first connection is made over standard port 25, then, if the server or the client connecting can use TLS and is set to use TLS first, the connection is upgraded to TLS before any information is sent, i.e. username, password, data, etc.
You could, I think, use SMTP2, running on port 587, which is the port for TLS, but I would be careful about stopping port 25.
I hope that helps.
Thank you for your quick reply, John.
I guess the folks at sammyjammy.com run their email through their own IT dept using a product like Barracuda which apparently has this capability. Please see: https://community.barracudanetworks.com/forum/index.php?/topic/21099-enforced-tls-per-domain/
FWIW… My understanding is the same as yours, i.e. a sending SMTP server requests a connection to a receiving SMTP server. The receiving SMTP server offers the protocols that can be used and the sending server picks from those. So, why the admins at sammyjammy.com don't just reject everything except TLS is a mystery to me.
I was hoping that since the Barracuda seems to be able to enforce outbound TLS by domain, there was some underlying common SMTP server facility that I could take advantage of.
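The negotiation described in the two posts above (EHLO, the server advertising STARTTLS, the sender choosing whether to use it) is what a per-domain enforcement policy sits on top of: the sending side checks the EHLO keywords and, for domains marked as requiring encryption, defers the message instead of falling back to cleartext. The script below is an added example, not code from this thread or from InterWorx/NodeWorx. It simulates the exchange with constructed EHLO replies so it runs offline; the policy table, the domain names, the "may"/"encrypt" level names (modelled on Postfix's smtp_tls_policy_maps) and all function names are assumptions.

```python
"""Per-domain outbound TLS enforcement on top of SMTP STARTTLS (RFC 3207).

Added example, not code from the forum thread or from InterWorx/NodeWorx.
The EHLO replies below are constructed; the policy table and helper names
are assumptions made for illustration.
"""
import re
from typing import Dict, List, Tuple

# Assumed per-domain policy. Level names follow Postfix's smtp_tls_policy_maps:
#   "may"     -> opportunistic: use STARTTLS if offered, otherwise send in clear
#   "encrypt" -> mandatory: never send in clear; defer if STARTTLS is unavailable
POLICY: Dict[str, str] = {
    "sammyjammy.com": "encrypt",
}
DEFAULT_POLICY = "may"

# Constructed EHLO replies as a client would see them after "EHLO billybob.com".
EHLO_WITH_STARTTLS = (
    "250-mail.sammyjammy.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.sammyjammy.com\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> List[str]:
    """Return the upper-cased EHLO keywords from a multi-line 250 reply.

    The first 250 line is the server's greeting, not an extension, so it is
    skipped. '250-' means more lines follow; '250 ' marks the last line.
    """
    keywords: List[str] = []
    lines = [ln for ln in response.split("\r\n") if ln]
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i > 0:
            keywords.append(m.group(2).split()[0].upper())
        if m.group(1) == " " and i != len(lines) - 1:
            raise ValueError("text after the final 250 line")
    return keywords


def policy_for(recipient: str) -> str:
    """Look up the TLS policy level for the recipient's domain (case-insensitive)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return POLICY.get(domain, DEFAULT_POLICY)


def decide(recipient: str, ehlo_response: str, tls_handshake_ok: bool = True) -> Tuple[str, str]:
    """Decide what the sending MTA should do for one recipient.

    Returns (action, reason) where action is 'send-tls', 'send-plain' or 'defer'.
    tls_handshake_ok models whether the STARTTLS handshake itself succeeded.
    """
    level = policy_for(recipient)
    offered = "STARTTLS" in parse_ehlo(ehlo_response)
    if offered and tls_handshake_ok:
        return "send-tls", f"{level}: STARTTLS negotiated"
    problem = "STARTTLS not offered" if not offered else "TLS handshake failed"
    if level == "encrypt":
        return "defer", f"encrypt: {problem}; message queued, not sent in clear"
    return "send-plain", f"may: {problem}; falling back to cleartext"


def probe_starttls(host: str, port: int = 25, helo: str = "billybob.com") -> bool:
    """Ask a real MX whether it advertises STARTTLS (network call; not used offline)."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo(helo)
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        for rcpt in ("user@sammyjammy.com", "user@example.org"):
            print(rcpt, decide(rcpt, reply))
```

The important point for the original question is that the "encrypt" branch lives on the sending side: the receiving server only advertises STARTTLS, and it is the sender's policy that turns the optional upgrade into a requirement for a particular domain. `probe_starttls` can be pointed at a real MX to confirm that the partner advertises STARTTLS before enabling such a policy, since an "encrypt" entry for a domain that does not offer it will leave mail queued.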
Many thanks, and apologies, I misunderstood the strict part of TLS.
I think you can change this from NodeWorx, System Settings, MTA; on SMTP there are various options, but there is no force TLS, only on SMTP2 is it forced.