Whenever I see a red lock icon in gmail, I thought the sender doesn't have SSL configured.
But one person told me only server (gmail in our case) SSL is enough?
Does that mean the sender don't need to configure any SSL at all and can communicate with gmail over SSL since gmail already supports it? Or both party need SSL to communicate in SMTP?
If one party SMTP SSL is enough why do some companies still deliver the message as plain text?
Mail delivery is done hop by hop and not end to end. This means a typical sender in a company delivers its mail via SMTP (or some proprietary protocol) to the mail server which then delivers it via SMTP to the next mail server etc until the final mail server gets the mail and stores it. In some cases this can involves many hops which not only include simple mail transfer agents but also mail filters, firewalls or similar.
SSL can be done at each of the different delivery steps or it can be omitted. If it is done it needs to be support by both the sending MTA (as SSL client) and the receiving MTA (as SSL server). gmail actually does not now about all these steps. The red lock is only shown if TLS was not used on the last step of delivery, no matter if the previous delivery steps used TLS. And it will not be shown if the last step used TLS but some previous steps did not.
