2

There are a few threads on STARTTLS but none seem to provide a clear overview of what STARTTLS can and can not do with respect to encrypting email in transit.

So my question is, can STARTTLS be configured to secure email sent between two organisations, such that the confidentiality of emails as they transit the Internet is maintained?

Where applicable include:

  • What limitations does STARTTLS have? And whether they can be worked around.
  • Are there risks STARTTLS is not suitable for?
  • What dependencies does STARTTLS have on other controls?

I think I already know the answer(s), but I am interested to see what I have not considered.

R15
  • 2,923
  • 1
  • 11
  • 21

1 Answers1

6

STARTTLS can help you to provide reliable encryption between two companies, but it will not do it in the default setup:

  • STARTTLS depends on the availability and the success of the STARTTLS command at the server MTA. Because the SMTP connection first starts without encryption an active man in the middle could simply modify the connection so that it looks like that STARTTLS is not available. The usual configuration of MTA in this cases is to continue without encryption. This means you have to configure your MTA explicitly do only allow encrypted connections for mails to a specific recipient domain.
  • Most MTA implement STARTTLS as a best effort and not most secure solution. This means they will try to validate the certificate of the peer but continue anyway if the certificate can not be validated. Thus you have to configure your MTA to do strict certificate validation and fail if the certificate is wrong. Note that there are often different settings on how the subject should be validated and you have to pick the right one.
  • Mail delivery between MTA uses MX records in the DNS. If DNS can be spoofed the sender MTA will connect to the attackers MTA instead and no certificate validation will help because the attacker probably has a valid certificate for his host. Thus you also need to secure the DNS lookup, that is either make sure that you use only DNSSec (which is often not implemented) or that you configure the peers MTA in your explicitly (i.e. don't rely on DNS).
  • And then there are companies which outsource the mail management, i.e. use custom domains with google mail or similar. In this case the mail will be decrypted already by the third party managing the mail and not by the final target.

As you can see, there are lot of problems and I'm sure that I've missed some. But even the one I mentioned are hard to fix properly. A better way to protect the mail communication between two companies might be to have a VPN. Or use a mail gateway which encrypts the mails on one side with PGP or S/MIME and decrypts the mails on the other side. In this case the actual transport security does not matter much, because the mail itself is encrypted independent of the transport. Such gateways are marketed as secure mail gateway or with similar names.

Even better would be end-to-end communication with PGP or S/MIME from user to user and not only domain to domain. But this is often too hard to manage so that automatic encryption when the mail leaves the company and automatic decryption when it is received are often easier to handle for the users.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 1
    Is there anything like HSTS for SMTP? https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security i.e. a way of publishing that your site offers startTLS, and how long it will be supported for. The configuration aspect of mandating startTLS for specific sites is a major impediment to prevent MiTM attacks. – Steve Sether Dec 15 '15 at 16:58
  • @SteveSether: No, there is no such thing. One might use the existence of a DANE DNS record as a sign that STARTTLS should be used. But DANE depends on DNSSec again. – Steffen Ullrich Dec 15 '15 at 17:15