
Using TLS encryption


SearchSecurity.com

Although e-mail is an integral part of modern business, it still relies on transport protocols that were designed without security in mind, before anyone could predict how important e-mail would become. However, network administrators can find some security and privacy assurance in the Transport Layer Security (TLS) encryption and authentication protocol.

TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two e-mail gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed e-mail. Second, the contents of the e-mails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the e-mail's contents. TLS is certainly no panacea, but it can add an additional layer of security to your e-mail infrastructure without too much fuss.

Here are five steps to help you get started:

  1. Understand the limits of TLS when compared to other forms of e-mail encryption (such as PGP and S/MIME). Those protect the message itself from sender to recipient; TLS protects only the connection from your gateway to the first destination gateway. If there are intermediate hops when mail is forwarded from one gateway to another, the protection afforded by TLS is lost after the first hop. For example, TLS is a good choice for two businesses that communicate frequently, as long as both gateways communicate directly.
  2. Make sure the organization on the other end of the connection is able and willing to set up TLS. Like many things in life, encryption is no fun alone. If your gateway is configured to use TLS but the recipient's is not, e-mail traffic to that destination will be transmitted without authentication or encryption.
  3. Get a digital certificate to identify your e-mail server. While you can create your own self-signed certificate, using a certificate issued by a trusted organization will make it easier for e-mail partners to trust your server's identity.
  4. Configure your e-mail gateway to support TLS connections with hosts that are TLS capable. This will mean granting the gateway access to your new certificate. If you are using Sendmail, you can find a clear discussion on how to set up the gateway at http://www.sendmail.org/~ca/email/starttls.html. Postfix users can consult http://www.postfix.org/TLS_README.html, and Microsoft Exchange users can find information at http://support.microsoft.com/default.aspx?scid=kb;en-us;829721.
  5. Educate your users to recognize the presence or absence of the e-mail header that tells them an e-mail came in over a TLS connection. The following is an example of the Received header from a message sent via TLS:

     The portion of the header in bold type indicates the message came in with 168-bit DES encryption from a server that presented a valid certificate.
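Step 5 asks users to look at the Received header for the TLS clause; the same check can be automated on the gateway or in a mail-filtering script. The following Python script is an added example, not code from the original tip: it unfolds the header block, pulls out every Received header and reports the TLS version, cipher, key size and whether the peer's certificate was verified, using the clause formats that Sendmail (`version=... cipher=... bits=... verify=...`) and Postfix (`using ... with cipher ... (n/n bits)`, followed by `(verified OK)` when a client certificate checked out) write. The sample messages, hostnames, addresses, IP addresses and queue ids are constructed.

```python
import re
from typing import Dict, List, Optional

# Sendmail records its TLS details in the Received: header as a clause such as
#   (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=OK)
# where verify=OK means the peer presented a certificate that chained to a trusted CA.
SENDMAIL_TLS = re.compile(
    r"\(version=(?P<version>\S+?)\s+cipher=(?P<cipher>\S+?)\s+"
    r"bits=(?P<bits>\d+)\s+verify=(?P<verify>[A-Z]+)\)"
)
# Postfix records
#   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
# and adds "(verified OK)" only when it checked the client certificate.
POSTFIX_TLS = re.compile(
    r"\(using (?P<version>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)\)"
)
POSTFIX_VERIFIED = re.compile(r"\(verified OK\)")


def received_headers(raw_message: str) -> List[str]:
    """Return the values of every Received: header, topmost first.

    Folded continuation lines (lines beginning with whitespace) are joined back
    onto the header they belong to before matching.
    """
    header_block = raw_message.split("\n\n", 1)[0]
    unfolded: List[str] = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [h[len("Received:"):].strip()
            for h in unfolded if h.lower().startswith("received:")]


def tls_info(received_value: str) -> Optional[Dict[str, object]]:
    """Describe the TLS session recorded in one Received: value.

    Returns None when the hop carries no TLS clause, i.e. it arrived in clear text.
    """
    m = SENDMAIL_TLS.search(received_value)
    if m:
        return {"mta": "sendmail", "version": m["version"], "cipher": m["cipher"],
                "bits": int(m["bits"]), "verified": m["verify"] == "OK"}
    m = POSTFIX_TLS.search(received_value)
    if m:
        return {"mta": "postfix", "version": m["version"], "cipher": m["cipher"],
                "bits": int(m["bits"]),
                "verified": POSTFIX_VERIFIED.search(received_value) is not None}
    return None


def first_hop_tls(raw_message: str) -> Optional[Dict[str, object]]:
    """TLS details for the hop into our own gateway.

    Only the topmost Received: header was written by a server we control; any
    header below it was supplied by the sender and could say anything.
    """
    hops = received_headers(raw_message)
    return tls_info(hops[0]) if hops else None


# Constructed sample messages: hostnames, addresses, IPs and queue ids are made up.
SENDMAIL_VERIFIED = (
    "Received: from mail.partner.example (mail.partner.example [192.0.2.10])\n"
    "\tby gateway.example.net (8.13.8/8.13.8) with ESMTP id k1AB2CDE012345\n"
    "\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=OK)\n"
    "\tfor <alice@example.net>; Mon, 12 Jan 2009 10:15:22 -0500\n"
    "Received: from [10.0.0.5] by mail.partner.example with ESMTP id 12345\n"
    "From: bob@partner.example\nTo: alice@example.net\nSubject: constructed sample\n"
    "\nHello Alice.\n"
)
POSTFIX_UNVERIFIED = (
    "Received: from mail.other.example (mail.other.example [198.51.100.7])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby gateway.example.net (Postfix) with ESMTPS id 4F2A3B1C\n"
    "From: carol@other.example\nTo: alice@example.net\nSubject: constructed sample\n"
    "\nHi.\n"
)
PLAINTEXT = (
    "Received: from mail.other.example (mail.other.example [198.51.100.7])\n"
    "\tby gateway.example.net (Postfix) with ESMTP id 4F2A3B1D\n"
    "From: carol@other.example\nTo: alice@example.net\nSubject: constructed sample\n"
    "\nHi.\n"
)

if __name__ == "__main__":
    for name, msg in [("sendmail", SENDMAIL_VERIFIED),
                      ("postfix", POSTFIX_UNVERIFIED), ("plain", PLAINTEXT)]:
        print(name, first_hop_tls(msg) or "no TLS on first hop")
```

The script deliberately trusts only the topmost Received header: that is the one your own gateway wrote, whereas the lower headers travelled inside the message and were chosen by whoever sent it. A hop that reports `verified` as False still had an encrypted session, but the sending server's identity was not confirmed, which is the difference between the encryption and the authentication benefits described above.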

Once you have implemented TLS on your mail server, you can also use it to address other mail-related issues, such as who has permission to relay mail through your server and which mail servers are allowed to connect to yours.

Although TLS is not perfect and it addresses only some of e-mail's security problems, it is a good e-mail security option that is based on mature rather than bleeding-edge technology. If your concerns about e-mail transfers fit the point-to-point model that TLS addresses, it can be an excellent way to add security to your e-mail.

About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy