Mail Security: Send Direction, require TLS Domain based in addition to Host, mx can change!
Mail Security: Sending Direction, require TLS, Domain based in addition to Host, MX records can change! Many automotive companies require this, like VW, Audi...
Ferit Sari Tomé commented
We are currently facing exactly the same problem, we are bound by contract to force TLS between certain DOMAINS and not hosts, since MX records can change!
We are about to change from symantec messaging gateway to a utm9 based solution, and the lack of this feature is a showstopper for us.
Does anybody know if there is a workaround to achieve TLS being mandatory for outgoing mails for certain domains instead of hosts/nets?
Thanks a ton in advance!
Martin Lindemann commented
Hostbased is nice to have, domain based in outgoing smtp is NEED TO HAVE ;)
Wolfgang Ferlitz commented
We also have the requirement to use TLS encryption for certain receiver domains. Additionally it would be ideal to allow a differentiated setting regarding the TLS version.
Stefan H commented
Can support this feature. Outgoing TLS to specific domains is a needed feature. Also already built in at competitor products. Although incoming domain specifics are already there, so just change a few lines in the exim.conf file to support this, no great development needed.
Conny Hell commented
I am new to Sophos and it is inexplicable to me why required outgoing TLS is by host. As you say, MX can change without notice and you fall back to plain text. This is a security issue!
For the moment we added 5 lines to exim.conf to achieve the outbound TLS requirements (so no support on this from Sophos instead of a solution). EVERYBODY NEEDS THE REQUIRED TLS IN BOTH DIRECTIONS!
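As an added example (not from this thread and not Sophos' or the UTM's own configuration), this is the kind of exim.conf change the comment above describes: a domain list plus a dedicated router and transport that refuse to deliver to those recipient domains unless TLS is negotiated and the server certificate verifies, so a changed MX record cannot silently cause a plaintext fallback. The domain names are placeholders; the option names are standard Exim 4 options, and the fragment assumes a stock configuration that already has a `dnslookup` router and `remote_smtp` transport.

```exim
# --- Weak, host-based form (what the thread objects to) ---
# Pinning TLS to today's MX host means a new MX for the partner
# is delivered over the generic transport, i.e. opportunistic TLS
# at best and plaintext at worst:
#
#   remote_smtp:
#     driver = smtp
#     hosts_require_tls = mx1.partner.example   # placeholder host

# --- Domain-based form: enforce by recipient domain ---
# Placeholder list of partner domains that require TLS by contract.
domainlist tls_required_domains = partner.example : supplier.example

begin routers

# Must come BEFORE the generic dnslookup router so these domains
# never reach the opportunistic transport. "no_more" makes a failed
# lookup a delivery failure rather than a fall-through to plaintext.
dnslookup_tls_required:
  driver = dnslookup
  domains = +tls_required_domains
  transport = remote_smtp_tls_required
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

# ... the stock "dnslookup" router for all other domains follows here.

begin transports

# Whatever host the MX currently resolves to, TLS is mandatory and
# the presented certificate must verify against the system CA store.
remote_smtp_tls_required:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = *
  # Restricting the TLS version (the other request in this thread)
  # is done via tls_require_ciphers, whose syntax depends on whether
  # Exim was built against OpenSSL or GnuTLS; set it per your build.
```

After adding it, `exim -bt user@partner.example` should show the address routed via `remote_smtp_tls_required`, and the main log for a delivery to that domain should carry an `X=TLS...` field; a delivery without it is a misconfiguration, not a successful send.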
Shane Kolp commented
I firmly agree with this recommendation. Host based configurations are not guaranteed to remain constant and could change without the administrator's knowledge, which may result in mail being transmitted in clear text if the new third-party mail system is not properly configured for TLS. From my perspective, "security made simple" means using the dynamic variable of domain name, which allows the remote, third-party entity to update their network configuration as they see fit without requiring any modification to the existing, local UTM configuration.
Alexander Bergdolt commented
I would call it "require TLS negotiation recipient domains", so it would fit with the existing options.
In my eyes the most important part. With this feature I could easily ensure transport encryption for a certain domain. As Ralf already noted, hosts/nets are not useful because MX records may change.