C4talyst

Well-Known Member
Hello, I have a client that would like to use Policy-Enforced TLS encryption when emails are sent from his domain to a specified remote domain. I know this is possible with cPanel as I've read about it in the past, however, I'm unable to find any notes on the web about setting it up. Has anyone done this before or have any pointers for me? Thanks!
 

thobarn

Well-Known Member
Hello, I have a client that would like to use Policy-Enforced TLS encryption when emails are sent from his domain to a specified remote domain. I know this is possible with cPanel as I've read about it in the past, however, I'm unable to find any notes on the web about setting it up. Has anyone done this before or have any pointers for me? Thanks!
There is no magic statement you can add to config that will enable Policy-Enforced TLS. It is not a setting; it is a service. You need to use a third party service provider like Postini. If having plaintext messages on the server is not an issue, just use TLS (or whatever your MTA offers), which is there by default, ready to use. Otherwise get everyone involved a key, distribute the keys and the relevant policy (the one which you/your company wrote) to relevant people and encrypt/decrypt on send/receive, though some end-user training/discipline is required.
 

C4talyst

Well-Known Member
I'm pretty sure I can accomplish TLS email encryption between domains without a 3rd party service. I read an article on doing this w/ cPanel a couple of months ago and cannot locate it now. In the article they mentioned creating a config file, probably for Exim, that would accomplish this.

I'm still digging; if I get this figured out I will post an update.
 

thobarn

Well-Known Member
I'm pretty sure I can accomplish TLS email encryption between domains without a 3rd party service.
Re-read my post. I did not say you need a 3rd party for TLS, I said "...Policy-Enforced TLS ... is a service. You need to use a third party service provider". I also said "just use TLS".

So direct your email clients to ports 995/465 for POP3/SMTP respectively and you will be using SSL/TLS. Also note that when you use SSL/TLS it is not the emails that are encrypted but the connection between the sender/recipient and the mail server, which is why I qualified that sentence with "If having plaintext messages on the server is not an issue".
 

C4talyst

Well-Known Member
Do I really need a 3rd party service for Policy-enforced TLS? My goal is for emails (not connections between client/server) to be encrypted when DOMAIN-X (hosted on my cpanel box) sends an email to DOMAIN-Y, hosted elsewhere w/ TLS support.
 

thobarn

Well-Known Member
I'm still testing it, but this appears to have done the trick:
Sigh. Once again, it is the _connection_ between the client and the email server that is encrypted, not the emails. TLS = Transport Layer Security. Exim does NOT support encryption of emails it transports. The "encrypted" condition referred to in Exim configuration is about the connection.

This is the usual sciolistic drivel you get nowadays at many places on the Internet. What is Exim encrypting the email with? What keys is it using for encryption/decryption of the emails? How does it obtain the recipients' keys? Where does it keep the senders' keys?

Do not take my word for it, go and ask the developers.

Edited to add: Here, someone already asked, OP was at least hoping to use another program to do the encryption/decryption.
 

C4talyst

Well-Known Member
Ahh crud, I see what you're saying... I misinterpreted what that page was explaining. I guess I'll set them up w/ Postini... and thanks.