Tip

Using TLS encryption

Although e-mail is an integral part of modern business, it still relies on insecure transport protocols that were designed before anyone could predict how important e-mail would become. However, network administrators can find some security and privacy assurance in the Transport Layer Security

    Requires Free Membership to View

(TLS) encryption and authentication protocol.

TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two e-mail gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed e-mail. Second, the contents of the e-mails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the e-mail's contents. TLS is certainly no panacea, but it can add an additional layer of security to your e-mail infrastructure without too much fuss.

Here are five steps to help you get started:

  1. Understand the limits of TLS when compared to other forms of e-mail encryption (like PGP and S/MIME). TLS protects the connection from your gateway to the first destination gateway. If there are intermediate hops when mail is forwarded from one gateway to another, the protection afforded by TLS is lost after the first hop. For example, TLS is a good choice for two businesses that communicate frequently as long as both gateways communicate directly.
  2. Make sure the organization on the other end of the connection is able and willing to set up TLS. Like many things in life, encryption is no fun alone. If your gateway is configured to use TLS, but the recipient's is not, e-mail traffic to that destination will be transmitted without authentication or encryption.
  3. Get a digital certificate to identify your e-mail server. While you can create your own self-signed certificate, using a cert issued by a trusted organization will make it easier for e-mail partners to trust your server's identity.
  4. Configure your e-mail gateway to support TLS connections with hosts that are TLS capable. This will mean granting the gateway access to your new certificate. If you are using Sendmail, you can find a clear discussion on how to set up the gateway at http://www.sendmail.org/~ca/email/starttls.html. Postfix users can consult http://www.postfix.org/TLS_README.html and Microsoft Exchange users can find information at http://support.microsoft.com/default.aspx?scid=kb;en-us;829721.

  5. Educate your users to recognize the presence or absence of the e-mail header that tells them an e-mail came in over a TLS connection. The following is an example of the received header from a message sent via TLS:
    Received: from mail.uexport.com (mail.uexport.com[192.168.1.1]) by mail.lint.com(8.12.9/8.12.9) with ESMTP id h0UGn9P7001230 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK) for ; Sun 17 Jul 2005 15:39:10 -0500.

    The portion of the header in bold type indicates the message came in with 168 bit DES encryption from a server that presented a valid certificate.

More Information

Learn five specific Web-based e-mail risks and a design strategy for coping with them.

Take this quiz and learn how
much you know about securing your organization's e-mail.

Once you have implemented TLS on your mail server, you can also use it to address other mail-related issues, such as who has permission to relay mail through your server and which mail servers are allowed to connect to yours.

Although TLS is not perfect and it addresses only some of e-mail's security problems, it is a good e-mail security option that is based on non-bleeding edge technology. If your concerns about e-mail transfers fit the point-to-point model that TLS addresses, it can be an excellent way to add security to your e-mail.

About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

This was first published in July 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.