Forced (mandatory) TLS
Forced (mandatory) TLS
21-01-2022 10:15 AM
I need to set up a secure email path with a particular correspondent. His end is already set up for forced TLS on certain addresses. We can currently correspond using TLS, but this is opportunistic and not guaranteed. I need to be able to use forced TLS on at least one email address (using a subdomain if necessary) dedicated to this purpose.
My domain is hosted on UK2.NET with most email addresses diverted to Plusnet mailboxes. I receive (POP3) and send (SMTP) via Plusnet's mail servers using Thunderbird as a client. I have one email address with a mailbox hosted on UK2. I have asked UK2 support if I could implement forced TLS on this and they said no.
Does anybody know of a straightforward way to achieve this? I only need it for a year or less and don't want to invest a great deal of time and money.
Paul
Re: Forced (mandatory) TLS
21-01-2022 10:21 AM - edited 21-01-2022 10:22 AM
Hi Paul, for what reason are you wanting to do this?
If you want to ensure that these emails are secure from snooping etc. then you may be better to look at encrypting them.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: Forced (mandatory) TLS
21-01-2022 11:04 AM
Hi Bob,
Thanks for the prompt response. This approach has been suggested by our correspondent as it complies with the NCSC requirements set out here: https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data#section_13. I am not sure if OpenPGP would meet their standards.
Re: Forced (mandatory) TLS
27-01-2022 9:54 PM - edited 27-01-2022 9:57 PM
Is your recipient in a position to configure their end to only accept mail from your address if it is sent under TLS? The feasibility/complexity of doing this will depend on what mail platform they are using. Additionally, an MTA-STS policy can help but I don’t know if Plusnet’s servers work with it.
Going back to the question regarding what the goal is, is the threat of an attack against opportunistic TLS really considered to be higher than compromise of the data during the interim forwarding step or when at rest on your machine?
Note that NCSC guidance is just that - guidance - and other methods of protecting data can usually be considered to provide similar levels of risk mitigation.
Re: Forced (mandatory) TLS
28-01-2022 9:27 AM - edited 28-01-2022 9:31 AM
Thanks MJN for your response. I think we have, as of yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login.
With regards to our goal, it was to ensure that messages containing sensitive information were always sent encrypted. Without Forced TLS, if the receiver was not using TLS, the messages would be sent in the clear without warning. Our correspondent could set Forced TLS at their end, but still required the assurance that we would not deliver if this was not working for any reason. Also the converse, we needed to ensure that our end (i.e. Plusnet) would refuse incoming email sent unencrypted.
We are obliged to follow NCSC guidance because our contract requires it. We have taken appropriate steps, which I won't go into here, to protect the data at rest on our machines.
Thanks again for your time.
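MJN's reply above mentions an MTA-STS policy, and Paul's reply describes the actual requirement: delivery must be refused rather than silently falling back to cleartext when TLS is not working. The following Python is an added illustration, not code from the thread, Plusnet, UK2 or any mail product, of the sending-side decision MTA-STS (RFC 8461) defines: the receiving domain publishes a `_mta-sts` TXT record and an HTTPS-served policy file, and a sending MTA in `enforce` mode refuses to deliver when TLS fails or the MX name is not covered by the policy, while `testing` mode delivers anyway and only reports. The domain names, record contents and function names are constructed assumptions; fetching the policy over HTTPS and caching it for `max_age` seconds is left out.

```python
"""
MTA-STS policy handling: parse the DNS TXT record and the policy file, then
decide whether an outbound SMTP connection to a given MX may proceed.
Added example, not from the forum thread; every record below is a constructed
sample in RFC 8461 format, not a real domain's data.
"""

# Constructed sample of the _mta-sts.<domain> TXT record (hypothetical domain)
SAMPLE_TXT_RECORD = "v=STSv1; id=20220121T101500;"

# Constructed sample of https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY_ENFORCE = """version: STSv1
mode: enforce
mx: mail.example.net
mx: *.backup.example.net
max_age: 604800
"""

# Same policy in testing mode: failures are reported but mail is still sent
SAMPLE_POLICY_TESTING = SAMPLE_POLICY_ENFORCE.replace("mode: enforce", "mode: testing")


def parse_sts_txt(record: str) -> dict:
    """Parse the 'v=STSv1; id=...' TXT record; raise on malformed input."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_sts_policy(text: str) -> dict:
    """Parse the policy file into version, mode, max_age and a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be present and numeric") from None
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: exact host name, or '*.' matching exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_matches: bool) -> str:
    """
    What the sending MTA does with a connection to mx_host.
    'deliver'            - TLS negotiated, certificate valid for the MX, MX in policy
    'refuse'             - enforce mode and the check failed: queue/bounce, never send in clear
    'deliver-and-report' - testing mode: send anyway, but record the failure (TLSRPT)
    """
    policy_ok = tls_ok and cert_matches and any(mx_matches(p, mx_host) for p in policy["mx"])
    if policy_ok or policy["mode"] == "none":
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
```

The point the enforce/testing split makes for this thread: the "refuse" outcome is exactly the assurance Paul wanted (no cleartext fallback), but it only exists if the sender's MTA implements MTA-STS and the recipient domain publishes an enforce-mode policy, neither of which a mailbox customer can switch on alone.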
Re: Forced (mandatory) TLS
28-01-2022 9:38 AM - edited 28-01-2022 9:40 AM
@FanField wrote:
I think we have, as of yesterday, found another way of solving our problem by using a secure messaging system with two factor authentication for login.
Okay that's good. Probably the easiest route to take when you can't directly influence both ends of the transport path (or all three in your case given UK2's involvement!).