SMTP TLS Policy
CipherMail uses Postfix as its MTA for sending and receiving email. The default SMTP client TLS policy connects to an external SMTP server over TLS if that server announces STARTTLS support. This is known as opportunistic TLS. With opportunistic TLS, the TLS session is set up even if the certificate of the other SMTP server is not trusted, and if the server does not offer TLS at all the email is sent in plain text. Using TLS with an untrusted certificate is still better than not using TLS at all, because it defeats passive eavesdropping, but it gives no protection against an active attacker on the path.
Tip
The main difference between TLS and S/MIME or PGP is that TLS only encrypts the communication channel and not the email itself. With TLS, when the email is stored on a mail server it is stored in plain text. With full message encryption like S/MIME or PGP, the email itself is encrypted. However, S/MIME and PGP do not encrypt the communication channel, and they do not encrypt the message headers: metadata such as sender, recipients and subject is therefore sent and stored unencrypted. It is therefore advised to combine S/MIME or PGP with TLS.
Connecting to an SMTP server without TLS, or with TLS but without validating the certificate, leaves the connection open to a man-in-the-middle attack: an attacker on the path can read the traffic, or present a certificate of their own which opportunistic TLS will accept. If mail for an external domain should only be delivered over a trusted TLS connection, an SMTP TLS policy for that domain should be configured. With such a policy in place, mail for which the trusted connection cannot be established is deferred (kept in the queue and retried later) instead of being sent in plain text.
To create a TLS policy for a domain, use the following procedure:
Login to CipherMail admin GUI
Open the “MTA lookup tables” page
Click “Add lookup table” to open the “Add MTA lookup table” page
Set “Map Type” to “hash”
Set “Name” to “tls-policy”
For every external domain for which a TLS policy should be configured, add a TLS policy line similar to:
example.com:25 verify
See below for an explanation of policy lines
Click Add to add the new lookup table
Open the “MTA config file” page, then add the following line to the end of the Postfix config file:
smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map
Click Apply
Policy line
A TLS policy line configures how a TLS connection to a specific domain will be validated. A policy line has the following structure:
DOMAIN POLICY
Where DOMAIN is the lookup key for the external destination and POLICY is the Postfix TLS security level to use (for example verify or secure), optionally followed by attributes such as match=. With verify or secure, the email is only delivered when the server offers TLS and presents a trusted certificate with a matching name; otherwise the email is deferred.
Note
The gateway uses Postfix for the SMTP server and client. The verify and secure levels require a CA trust store for the Postfix SMTP client (smtp_tls_CAfile or smtp_tls_CApath); without one, no server certificate can be validated and mail to domains with such a policy is deferred. For all details and more extensive documentation of the TLS policy used by Postfix, see the Postfix documentation http://www.postfix.org/TLS_README.html
DOMAIN
The domain is the fully qualified domain name of the external mail domain. The policy is used whenever an email is sent to that domain, irrespective of the hostname in the MX records, because the policy is looked up by the next-hop destination, which by default is the recipient domain. If the next-hop is written in [] (as in a transport rule of the form smtp:[host]), the lookup key is that verbatim bracketed form, so a policy line whose DOMAIN is surrounded by [] is only used for deliveries that go to that host through such a transport rule.
Example:
Suppose the TLS policy is the following:
ciphermail.com verify
[tls.example.com] verify match=alternative.com
And suppose the MX record for ciphermail.com is:
ciphermail.com IN MX 10 mail.ciphermail.com
And the following transport rule was added:
other.com smtp:[tls.example.com]
If an email is sent to info@ciphermail.com, the next-hop is the recipient domain ciphermail.com, so the first policy line applies. The email is delivered to the MX host mail.ciphermail.com only if the TLS certificate presented by mail.ciphermail.com chains to a trusted CA and, because verify matches the hostname by default, contains the name mail.ciphermail.com. Otherwise the email is deferred.
If an email is sent to info@other.com, the transport rule sends it to the SMTP server tls.example.com, and the next-hop is the verbatim [tls.example.com], so the second, bracketed policy line applies. Because of its match=alternative.com attribute the certificate does not have to carry the hostname tls.example.com: the connection is only accepted if the trusted certificate was issued for alternative.com.
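The lookup and matching rules described under Policy line and DOMAIN, and the two deliveries in the example above, as an added simulation of how the Postfix SMTP client turns a policy line into a deliver-or-defer decision. This is example code written for this page, not CipherMail or Postfix code. The policy table, the transport rule and the MX host for ciphermail.com are taken from the example; the other host names, the certificate names and the chain_trusted flag that stands in for the CA chain check Postfix performs against smtp_tls_CAfile or smtp_tls_CApath are assumptions made for the demonstration, and port suffixes in lookup keys (example.com:25) are not modelled.

```python
"""Simulation of how the Postfix SMTP client applies an smtp_tls_policy_maps table.

Added example for this page; not CipherMail or Postfix code.  The policy table,
transport rule and MX host below come from the worked example; the remaining
names and the chain_trusted flag (stand-in for the CA check against
smtp_tls_CAfile/smtp_tls_CApath) are constructed.  Port suffixes in lookup
keys are not modelled.
"""

# Constructed policy table: the two policy lines of the example above.
POLICY_TABLE = """\
ciphermail.com verify
[tls.example.com] verify match=alternative.com
"""

# Constructed transport rule (other.com smtp:[tls.example.com]) and MX data.
TRANSPORT = {"other.com": "[tls.example.com]"}
MX_HOST = {"ciphermail.com": "mail.ciphermail.com"}


def parse_policy_table(text):
    """Parse 'KEY LEVEL [attr=value ...]' lines into {key: (level, {attr: value})}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, level, *attrs = line.split()
        table[key] = (level, dict(a.split("=", 1) for a in attrs))
    return table


def next_hop(recipient_domain):
    """The lookup key is the verbatim next-hop: the transport table entry if
    one exists, otherwise the recipient domain itself."""
    return TRANSPORT.get(recipient_domain, recipient_domain)


def lookup_policy(table, nexthop):
    """No entry means the default level applies: 'may' (opportunistic TLS)."""
    return table.get(nexthop, ("may", {}))


def expected_names(level, attrs, nexthop, server_host):
    """Names the server certificate must carry under verify/secure.
    verify defaults to match=hostname, secure to match=nexthop:dot-nexthop;
    an explicit match= attribute replaces the default."""
    bare = nexthop.strip("[]")
    if "match" in attrs:
        patterns = attrs["match"].split(":")
    elif level == "verify":
        patterns = ["hostname"]
    else:
        patterns = ["nexthop", "dot-nexthop"]
    names = []
    for p in patterns:
        if p == "hostname":
            names.append(server_host)
        elif p == "nexthop":
            names.append(bare)
        elif p == "dot-nexthop":
            names.append("." + bare)
        else:
            names.append(p)
    return names


def name_matches(cert_name, expected):
    """One certificate name against one expected name.  A leading '.' on the
    expected name (dot-nexthop) accepts the domain and any subdomain; a '*.'
    wildcard in the certificate may replace only the leftmost label."""
    cert_name, expected = cert_name.lower(), expected.lower()
    if expected.startswith("."):
        return cert_name == expected[1:] or cert_name.endswith(expected)
    if cert_name.startswith("*."):
        suffix = cert_name[1:]
        return expected.endswith(suffix) and "." not in expected[: -len(suffix)]
    return cert_name == expected


def decide(table, recipient_domain, *, tls_offered, chain_trusted, cert_names):
    """Return ('deliver' | 'defer', reason) for one delivery attempt, the way
    the SMTP client would; chain_trusted stands in for the CA chain check."""
    nexthop = next_hop(recipient_domain)
    bare = nexthop.strip("[]")
    level, attrs = lookup_policy(table, nexthop)
    # [host] means no MX lookup: the server hostname is the bracketed host.
    server_host = bare if nexthop.startswith("[") else MX_HOST.get(bare, bare)
    if level == "none":
        return "deliver", "TLS disabled for this destination"
    if not tls_offered:
        if level == "may":
            return "deliver", "may: server offers no STARTTLS, sent in plain text"
        return "defer", f"{level}: TLS required but not offered"
    if level in ("may", "encrypt"):
        return "deliver", f"{level}: TLS used, certificate not checked"
    if not chain_trusted:
        return "defer", f"{level}: certificate not trusted"
    wanted = expected_names(level, attrs, nexthop, server_host)
    if any(name_matches(c, w) for c in cert_names for w in wanted):
        return "deliver", f"{level}: trusted certificate matches {wanted}"
    return "defer", f"{level}: certificate names {cert_names} do not match {wanted}"


if __name__ == "__main__":
    table = parse_policy_table(POLICY_TABLE)
    print(decide(table, "ciphermail.com", tls_offered=True, chain_trusted=True,
                 cert_names=["mail.ciphermail.com"]))
    print(decide(table, "other.com", tls_offered=True, chain_trusted=True,
                 cert_names=["tls.example.com"]))
    print(decide(table, "nopolicy.example", tls_offered=True, chain_trusted=False,
                 cert_names=["attacker.example"]))
```

Running it shows the two points that are easy to get wrong in practice: a plain verify line for ciphermail.com checks the certificate against the MX hostname mail.ciphermail.com, not against the recipient domain, so a certificate issued only for ciphermail.com is rejected; and a domain with no policy line at all falls back to may, where a forged or untrusted certificate is accepted and the mail is still delivered.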