SMTP TLS Policy Pro/Ent only

CipherMail uses Postfix (MTA) for sending and receiving email. The default client TLS policy will connect to external SMTP servers via TLS if the other SMTP server supports TLS. This is knows as opportunistic TLS. With opportunistic TLS, a TLS connection will be setup even if the certificate of the other SMTP server is not trusted. Using TLS, even if the connection is not trusted, is better than not using TLS at all.

Tip

The main difference between TLS and S/MIME or PGP is that TLS only encrypts the communication channel and not the email itself. With TLS, if the email is stored on a mail server, it will be stored in plain text. With full message encryption like S/MIME or PGP, the email itself will be encrypted. However, S/MIME or PGP do not encrypt the communication channel. The meta information, like sender and recipients will therefore not be encrypted. It’s therefore advised to combine S/MIME or PGP with TLS.

Connecting to an SMTP server without TLS or without validating the certificate, can result in a “man in the middle” attack. If a connection to an external SMTP server should only be setup if the connection is trusted, an SMTP TLS policy for that domain should be configured.

To create a TLS policy for a domain, use the following procedure:

  1. Login to CipherMail admin GUI

  2. Open ” MTA lookup tables” page (Admin ‣ MTA ‣ Lookup tables)

  3. Click Add lookup table to open the “Add MTA lookup table” page

  4. Set “Map Type” to “hash”

  5. Set “Name” to “tls-policy”

  6. For every external domain for which a TLS policy should be configured, add a TLS policy line similar to:

    example.com:25 verify

    See below for an explanation of policy lines

  7. Click Add to add the new lookup table

  8. Open “MTA config file” page (Admin ‣ MTA ‣ Config, then click MTA config file)

  9. Add the following lines to the end of postfix config file:

    smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map

  10. Click Apply

Policy line

A TLS policy line configures how a TLS connection to a specific domain will be validated. A policy line has the following structure:

DOMAIN POLICY

Where DOMAIN is the domain name of the external SMTP server and POLICY is the TLS policy to use.

Note

The gateway uses Postfix for the SMTP server and client. For all details and more extensive documentation of the TLS policy used by Postfix, see the Postfix documentation http://www.postfix.org/TLS_README.html

DOMAIN

The domain is the fully qualified domain name of external mail domain. The policy will be used if an email is sent to that domain irrespective of the hostname of the MX records. If the domain is surrounded by [], the policy will only be used if a connection is established to a server with that hostname.

Example:

Suppose the TLS policy is the following:

ciphermail.com verify
[tls.example.com] verify match=alternative.com

And suppose the MX record for ciphermail.com is:

ciphermail.com IN MX 10 mail.ciphermail.com

And the following transport rule was added:

other.com  smtp:[tls.example.com]

If an email is sent to info@ciphermail.com, the email will be delivered to mail.ciphermail.com only if the TLS certificate used by mail.ciphermail.com is trusted and has the correct domain domain name.

If an email is sent to info@other.com, the mail will be delivered to the SMTP server tls.example.com (because there was a transport rule). Because the TLS policy line for tls.example.com is surrounded by [], the explicit TLS policy for tls.example.com will be used. Because of the additional match rule, the TLS connection will only be established if the TLS certificate was issued to alternative.com.