Monday, February 13, 2012

How to Use TLS with SMTP to Secure Your Email

Many of us Microsoft Exchange Server administrators have learned to ignore a simple fact: Most email is easily read in transit. You've no doubt heard the chestnut that sending SMTP email is equivalent to sending a postcard; anyone who can access the postcard can read its contents (thus leading to fascinating historical artifacts such as the stamp code for concealing amorous messages in plain sight).
How did this insecure transport method come about? The engineers who originally designed SMTP were working from a very different set of assumptions about how email would be used, who would use it, and how the Internet would be operated and maintained.
Various proposals have been offered to update the security of SMTP traffic by changing, extending, or even replacing basic SMTP to provide authentication, nonrepudiation, and confidentiality. However, SMTP deployment worldwide has reached critical mass; it's very unlikely that the protocol itself will be superseded by something more secure. In order to preserve confidentiality and nonrepudiation, then, we need to focus on methods that work within the confines of existing SMTP deployments.
One solution is to encrypt mail on the client so that it's protected before it's ever seen by an SMTP server. That's exactly what S/MIME does. However, S/MIME deployment can be complex. In exchange for its complexity, it gives us end-to-end protection that can include sender authentication, confidentiality, and nonrepudiation. For many sites, though, S/MIME is overkill; it would be great if there were a way to easily enable encryption for message transport only. This level of protection would be enough to prevent eavesdroppers, even those with access to a target network, from reading messages in transit between servers.
As it happens, there is a way to provide exactly this protection. Exchange Server and many other email servers support the use of Transport Layer Security (TLS) encryption along with SMTP. Just as you can use SSL (a close relative of TLS) to protect an HTTP session, you can use TLS with SMTP to provide both confidentiality and authentication for email traffic.
When you configure a server to both offer and accept, but not require, TLS for SMTP, it's known as opportunistic TLS. Exchange 2003 didn't support opportunistic TLS, but Exchange 2007, Exchange 2010, and Microsoft Office 365 all do. In fact, you can enable this protection even if you have only the default set of self-signed certificates, although you'll find that many servers won't accept them. For that reason, it's a good idea to obtain certificates from a commercial CA for use with SMTP.
The setup process for enabling TLS with SMTP is simple: Obtain a suitable certificate, then install it using the Exchange certificate wizard or the Enable-ExchangeCertificate cmdlet. As soon as you've done so, Exchange will start accepting TLS requests, as signaled by the presence of the STARTTLS SMTP verb, as well as sending STARTTLS itself when communicating with other TLS-capable servers.
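To confirm what the previous paragraph describes from the outside, here is an added example (not code from the original post or from Exchange) that parses an EHLO reply for the STARTTLS verb and, against a live server, upgrades the session with full certificate verification, so a self-signed certificate that many peers would reject shows up as a failed verification rather than being accepted silently. The sample EHLO reply, the host name mail.example.test and the function names are constructed for this example.

```python
import smtplib
import ssl

# Constructed sample EHLO reply for offline use (not captured from a real server).
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.test Hello [192.0.2.10]\r\n"
    b"250-SIZE 37748736\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH LOGIN\r\n"
    b"250 CHUNKING\r\n"
)

def parse_ehlo_extensions(reply: bytes) -> set:
    """Extension keywords from a multi-line EHLO reply. The first 250 line is
    the greeting; '250-' marks a continuation and '250 ' the final line."""
    extensions = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if keyword:
            extensions.add(keyword)
    return extensions

def check_smtp_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Probe an MTA the way a TLS-capable peer would: is STARTTLS offered, does
    the handshake succeed, and does the certificate verify. The default ssl
    context checks chain and hostname, so a self-signed certificate is reported
    as verify_ok=False instead of being accepted silently."""
    result = {"starttls": False, "tls_version": None, "verify_ok": False, "error": None}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            smtp.starttls(context=ssl.create_default_context())
            result["verify_ok"] = True
            result["tls_version"] = smtp.sock.version()  # e.g. 'TLSv1.2'
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: " + str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result
```

Run check_smtp_tls against your own MX host after enabling the certificate; a result with starttls=True but verify_ok=False is the self-signed-certificate case the post warns about.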
Because this is such a simple change to make, and because it provides an immediate privacy benefit, I encourage you to do it sooner rather than later. There's no downside.