Secure mail routing over TLS


Feb 2, 2011
We have relationships with some banks that are trying to implement some secure email. Is there any method that would force the server to send emails via TLS when sending email to a specific domain?

We basically need to require that an email be secure from
user -> mail server
and from
mail server -> bank's server.

I'm not entirely familiar with what happens after the email leaves my email program. If I send a message over TLS or SSL outgoing connection, does the email leave the mail server also over a secure connection? I have no problem implementing TLS from the client to the mail server. It's after it gets to the mail server that I am unclear on.

Any help on this would be appreciated.


Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
There are a bunch of things that impact here, if you're using IMAP for the mailbox in question you'll want to disable plaintext auth and the non secure protocol in Configure Dovecot - Version 66 Documentation - cPanel Documentation so that the message is copied to the sent folder securely

In exim itself, you can disable weak ciphers and mandate secure connections security from a sending client perspective.

Things can get a bit more complicated when talking about the message's transmission between servers. Some recipients may mandate a certificate signed by a specific CA is in place rather than the self signed service certificate put in place by cPanel by default before accepting connections. Have a read of 41. Encrypted SMTP connections using TLS/SSL

It is not necessary to set any options to have TLS work in the smtp transport. If Exim is built with TLS support, and TLS is advertised by a server, the smtp transport always tries to start a TLS session. However, this can be prevented by setting hosts_avoid_tls (an option of the transport) to a list of server hosts for which TLS should not be used.

If you do not want Exim to attempt to send messages unencrypted when an attempt to set up an encrypted connection fails in any way, you can set hosts_require_tls to a list of hosts for which encryption is mandatory. For those hosts, delivery is always deferred if an encrypted connection cannot be set up. If there are any other hosts for the address, they are tried in the usual way.

When the server host is not in hosts_require_tls, Exim may try to deliver the message unencrypted. It always does this if the response to STARTTLS is a 5xx code. For a temporary error code, or for a failure to negotiate a TLS session after a success response code, what happens is controlled by the tls_tempfail_tryclear option of the smtp transport. If it is false, delivery to this host is deferred, and other hosts (if available) are tried. If it is true, Exim attempts to deliver unencrypted after a 4xx response to STARTTLS, and if STARTTLS is accepted, but the subsequent TLS negotiation fails, Exim closes the current connection (because it is in an unknown state), opens a new one to the same host, and then tries the delivery unencrypted.
Personally, if you really want secure email you need to wrap the postcard in an envelope as it were with end to end encryption, but requirements will vary quite drastically depending on the endpoint you're dealing with. I'm sure Michael will be along in a bit to correct anything above that needs it :)
Last edited by a moderator:


Staff member
Apr 11, 2011
Hello :)

The options presented to you in the previous post are accurate. However, note that those changes are global and not on a per-domain basis. There are no native features to implement such changes on a per-domain basis.

In addition, if you would like encryption for the actual emails and not just the authentication, you can use technologies such as PGP to sign and encrypt individual messages. This would involve the sender and receiver setting up their own email clients to utilize individual message encryption.

Thank you.