Forced Required TLS [message #88664]
Mon, 23 April 2012 18:13
bishopsmate
Messages: 3 Registered: October 2011
I just got the following compliance form from a client. Can Connect be forced to archive to the affiliate's email server using TLS, or, as they put it, Forced? Apparently they have an Exchange server that they do this on. Any help would be appreciated.
Associates: With a Client's Email Server,
Please be advised that, effective September 30, 2011, all approved outside DBA (Doing Business As) email servers will be required to establish Domain Specific Mutual TLS (Transport Layer Security) Encryption between the server and Archive email system.
Mutual TLS Encryption will help ensure that personally identifiable information (PII) transferred via email between your DBA email system and Archive server (including emails that are systematically journaled to our Archive for SEC17a-4 compliance) is properly protected. Please note that Mutual TLS encryption will not encrypt emails to clients, vendors, or other outside email addresses.
Thanks
[Updated on: Mon, 23 April 2012 18:28]
Re: Forced Required TLS [message #88669 is a reply to message #88664]
Mon, 23 April 2012 20:37
TorW
Messages: 44 Registered: November 2008 Location: Norway
If I understood this correctly and you haven't left anything out, they require the sender to be able to TLS-encrypt their transmission when archiving. Kerio Connect does this as long as you have a certificate installed on the server.
Re: Forced Required TLS [message #88676 is a reply to message #88669]
Tue, 24 April 2012 04:29
bishopsmate
Messages: 3 Registered: October 2011
What they want is a protected mode of forcing TLS on the collecting domain's Exchange server. If there were to be some malfunction in the receiving Exchange server, no email would be sent to that domain in an unencrypted format.
So in opportunistic mode, usually an encrypted email is sent, and if the other side does not accept it, delivery reverts automatically to unencrypted.
This is a security mechanism that Exchange server has built in by adding the forced TLS mode only.
Thanks
Re: Forced Required TLS [message #88730 is a reply to message #88664]
Wed, 25 April 2012 22:36
bishopsmate
Messages: 3 Registered: October 2011
Ok, now that I have had some days of research, I have found that domain forced TLS is coming from the majority of our financial industry clients.
This feature is demanded by regulation, as stated above in my first post. This could kill our business with Kerio if this feature is not added to Kerio Connect.
What we need to be able to do is force a TLS session to a specific domain. Apparently there is a need from compliance to bounce the archive email delivered to the archiving Exchange server (which does support Force TLS); in our case, if the TLS session is detected it would send, otherwise no fallback would be used and the email would be bounced.
There are in some cases system failures for whatever reason, and for compliance no email should be sent in the case of failure. So opportunistic TLS needs to be disabled for a specific domain.
So a better question is to Kerio: are you all working on this new demand in email regulation? Please update us on this new emerging standard, and thanks.
Please let us know.
Regards, James
Re: Forced Required TLS [message #127304 is a reply to message #88730]
Wed, 20 January 2016 15:41
Keerl IT Services GmbH
Messages: 3 Registered: January 2016 Location: Hamburg, Germany
Hi,
so far I have not been able to find a clear answer to this:
Is Kerio Connect capable of forcing TLS for mail traffic between "internal" and certain (!) external domains?
This is something which seems to be needed more and more: customers and their suppliers requiring forced TLS between them. If TLS fails (for whatever reason), no e-mails shall be sent.
Cheers
JK
Re: Forced Required TLS [message #131437 is a reply to message #88664]
Thu, 18 August 2016 00:42
zistrol
Messages: 2 Registered: March 2016
Is there any update on this?
I have been getting requests from our bank; you know what, better yet, here is their requirement:
The process of getting TLS setup starts with the Boundary Encryption form. I will briefly explain the form. Section 1 contains information about <our bank>. That is, our contact information and, most importantly, our list of 110 domains which we require all our TLS business partners to add to their TLS configurations. Sections 2, 3 and 4 are the ones that need to be completed. This is typically done by someone on your Messaging/TLS/IT team.
Looking through the TLS page on the Kerio support site, I don't see how this is accomplished, though this is my first run-in with this level of TLS compliance. I just turned it on, ran the checker at ssllabs.com, got my passing A and have been a happy Kerio user since.
P.S. Looks like they are using MessageLabs
Re: Forced Required TLS [message #131439 is a reply to message #131437]
Thu, 18 August 2016 02:55
j.a.duke
Messages: 239 Registered: October 2006
I'm seeing the same request from a bank for whom we do work.
I'm setting up Postfix in a Forced TLS mode through which to relay all mail to them. It will receive on a non-standard port on the same box only those messages destined for their list of domains then send out messages only over a TLS connection. No TLS, no mail relay for those domains.
Unfortunately, I haven't found a way to do this internal to Connect.
Cheers,
Jon
Re: Forced Required TLS [message #131442 is a reply to message #88664]
Thu, 18 August 2016 10:06
freakinvibe
Messages: 588 Registered: April 2004
In Kerio Connect, under "SMTP Delivery", you can enable "Use SSL/TLS if supported by remote SMTP server", but this only enables "opportunistic" TLS. You cannot force TLS currently.
As more and more banking clients ask for this and make it mandatory, you have to use a mail relay that can do that.
Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
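A minimal Postfix relay of the kind Jon describes above, and the kind of external mail relay freakinvibe says is needed, added here as an example (this is not configuration from either poster or from Kerio); the listener port, domain names and file paths are assumptions.

```conf
# /etc/postfix/master.cf (added line): a second SMTP listener on a
# non-standard port that only the Kerio box submits to.
10025     inet  n       -       n       -       -       smtpd

# /etc/postfix/main.cf (fragment)
# Accept relaying only from the local Kerio server.
mynetworks = 127.0.0.0/8
# Relay only for the partner's domains; everything else is rejected here
# and keeps going out directly from Kerio.
relay_domains = hash:/etc/postfix/relay_domains
# Default stays opportunistic, equivalent to Kerio's "if supported" setting.
smtp_tls_security_level = may
# Per-destination overrides: this is where TLS becomes mandatory.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# CA bundle used to verify the partner's server certificate at level "secure".
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Client certificate and key, presented when the partner requires mutual TLS
# (placeholder paths).
smtp_tls_cert_file = /etc/postfix/relay-client.crt
smtp_tls_key_file = /etc/postfix/relay-client.key
# Log protocol and cipher of each delivery for the compliance trail.
smtp_tls_loglevel = 1

# /etc/postfix/relay_domains (then run: postmap /etc/postfix/relay_domains)
# Assumed partner domains; the right-hand side is ignored for domain lists.
bank.example            OK
partner-bank.example    OK

# /etc/postfix/tls_policy (then run: postmap /etc/postfix/tls_policy)
# encrypt: STARTTLS is mandatory, certificate not verified. If the remote
# side does not offer STARTTLS the message is deferred, never sent in clear,
# and the log shows "TLS is required, but was not offered by host".
bank.example            encrypt
# secure: additionally verify the chain and that the name matches.
partner-bank.example    secure match=partner-bank.example:.partner-bank.example
```

Note that Postfix defers rather than bounces immediately when mandatory TLS cannot be negotiated; the message sits in the queue and is returned to the sender only after maximal_queue_lifetime (default 5 days), so the queue and the "TLS is required" log lines are what to monitor.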