Toward Better Privacy in Email - SMTP over TLS

Electronic surveillance of email and other communications is unfortunately a fact of life these days. It seems that not a week goes by where we don’t hear some new report that “they” are listening to what we once thought to be our private messages and phone calls, and this has folks rightly concerned about just how much “they” might know. While there have been some extreme reactions to these reports, such as a surge in typewriter sales in Germany, mailbox providers of late have been taking the more measured approach of supporting encryption of inbound and outbound mail to make it harder for prying eyes to read it. In this article, I’ll discuss how they’re doing it and what you need to know to take advantage of it.

SMTP over TLS – What Is It?

First described in RFC 2487, and later updated in RFC 3207, SMTP over Transport Layer Security (TLS) defines a method for encrypting the SMTP connection over which email is exchanged, whether between a mail client and a server or between two servers. The TLS protocol itself has its own RFC (6176) and grew out of the Secure Sockets Layer (SSL) protocol. SSL is what encrypts the traffic between a browser and a website (when the web address starts with https); SMTP over TLS applies the same kind of protection to the connection that carries email.

Mailbox providers have for a number of years supported the ability of their users to encrypt their outbound mail; if you’ve ever had to configure your outbound mail settings to use port 465 on your provider’s server, you were using SMTP over TLS. That only encrypted the traffic between your computer (or tablet, or phone) and your provider’s server; your provider was most likely still sending the message on to its remote destination “in the clear”. Mailbox providers are now supporting the next step in the process: encrypting the mail as it’s sent on to the destination server. As this Google website shows, many of the largest sites on the Internet are now encrypting their email traffic.

Do I Have To Encrypt My Mail?

At the time of this writing, no, you do not have to encrypt your mail (although I’ll argue in a subsequent blog post that you should). SMTP over TLS comes in two “flavors”, Required and Opportunistic, and the difference between them is simple. With Required, the two servers will not exchange mail if the connection cannot be satisfactorily encrypted; with Opportunistic, an encrypted connection will be negotiated if both servers support it, but the sending server falls back to transmitting the message unencrypted if no encryption is available. At this time, Opportunistic TLS is far and away the more common of the two; Required TLS is only in place where a private agreement has been made between two sites.

How Do I Know Which Sites Support Encryption?

The answer to this is pretty simple, really: there is no list, and it’s not something you have to know before the message is sent anyway. The ESMTP protocol defines a way for a server to advertise TLS support during the early greeting phase of the transaction. When the sending server connects to the receiving server and issues the “EHLO” command, the receiving server replies with a list of the ESMTP extensions it supports; if one of those lines is “250-STARTTLS”, the receiving server is announcing that it supports encryption of the connection.

How Do I Turn On Encryption For My Mail?

The answer to this will depend on the mail server software that you and/or your ESP have deployed. Most mail server software supports SMTP over TLS, so it’ll just be a matter of finding the correct switch, dial, or knob to fiddle with. Just make sure that you’re setting it so that if encryption fails, your mail will still be sent unencrypted (i.e., Opportunistic TLS); there are still enough sites out there that don’t support it that, until it’s required everywhere, you don’t want mail failing just because it couldn’t be encrypted.
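The STARTTLS detection described two sections up (the “250-STARTTLS” line in the EHLO reply) and the Opportunistic-versus-Required choice discussed above, as an added example that is not code from the original post. It parses a 250 reply to EHLO, reports whether STARTTLS was advertised, and then applies a sending policy. The two EHLO replies are constructed samples, and the policy names `OPPORTUNISTIC` and `REQUIRED` and the function names are this example’s own, not the configuration settings of any particular mail server. One detail the post does not spell out is that the last line of a multi-line reply uses “250 ” (a space) instead of “250-”, so the parser checks for that terminator.

```python
"""Added example, not code from the original post: decide whether an ESMTP
EHLO reply advertises STARTTLS, then apply an Opportunistic or Required
TLS policy.  The EHLO replies below are constructed samples and the policy
names are this example's own, not the settings of any particular mail server."""
from typing import NamedTuple

OPPORTUNISTIC = "opportunistic"   # fall back to cleartext if no STARTTLS
REQUIRED = "required"             # never send in cleartext

# Constructed sample replies to an EHLO command, one with and one without STARTTLS.
EHLO_WITH_TLS = """\
250-mx.example.net Hello sender.example.org [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 HELP
"""

EHLO_WITHOUT_TLS = """\
250-mx.example.com Hello sender.example.org [192.0.2.10]
250-SIZE 10485760
250-8BITMIME
250 HELP
"""


def parse_ehlo_response(text):
    """Return the set of ESMTP keywords advertised in a 250 reply to EHLO.

    RFC 5321 multi-line replies use "250-" on every line except the last,
    which uses "250 " (a space).  The first line carries the server's
    greeting rather than a capability, so it is skipped.  Keywords are
    case-insensitive, so they are normalised to upper case.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    caps = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("malformed 250 reply line: %r" % line)
        is_last = i == len(lines) - 1
        if (line[3] == " ") != is_last:
            raise ValueError("'250 ' must appear on the last line and only there")
        if i == 0:
            continue  # greeting line, not a capability
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps


def advertises_starttls(text):
    """True if the receiving server announced STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo_response(text)


class Decision(NamedTuple):
    send: bool        # whether the message is transmitted on this connection
    encrypted: bool   # whether the connection would be upgraded to TLS first
    reason: str


def decide(policy, ehlo_text):
    """Apply the sending server's TLS policy to what the receiver advertised."""
    if advertises_starttls(ehlo_text):
        return Decision(True, True, "STARTTLS advertised; issue STARTTLS and negotiate TLS")
    if policy == OPPORTUNISTIC:
        # This is the fallback the post describes: the message goes in the clear.
        # A missing STARTTLS line, whatever its cause, therefore silently
        # downgrades the session; that is exactly what the Required flavor prevents.
        return Decision(True, False, "no STARTTLS advertised; sending in the clear")
    if policy == REQUIRED:
        return Decision(False, False, "no STARTTLS advertised; deferring rather than sending in the clear")
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    for policy in (OPPORTUNISTIC, REQUIRED):
        for name, reply in (("with STARTTLS", EHLO_WITH_TLS), ("without STARTTLS", EHLO_WITHOUT_TLS)):
            d = decide(policy, reply)
            print("%-13s %-16s send=%-5s encrypted=%-5s %s" % (policy, name, d.send, d.encrypted, d.reason))
```

Running the block prints one line per policy and sample reply; the only case in which nothing is sent is Required policy against the reply that lacks STARTTLS, which is the behaviour the post warns about when it recommends the Opportunistic setting for now.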

Conclusion

Privacy is an ongoing concern with electronic communications, and SMTP over TLS is one of the ways the email industry is addressing this concern. There will be much more work to be done throughout the industry to bolster defenses against electronic surveillance, but encrypting all mail sent across the public Internet is a key step along the way to ensuring the highest levels of security for data, no matter its level of sensitivity. Hopefully this blog post and the linked articles will convince you to move in this direction, but if you have doubts, or any questions, feel free to contact me at eig-blog@returnpath.com or just comment below.