Kerio User Forums » Kerio Connect » Forced Required TLS (Archive Email Servers: New TLS Encryption Requirement)

bishopsmate
I just got the following compliance form from a client. Can Connect be forced to archive to the affiliate's email server using TLS, or, as they put it, "Forced"? Apparently they have an Exchange server that they do this on. Any help would be appreciated.
Associates with a Client's Email Server,

Please be advised that, effective September 30, 2011, all approved outside DBA (Doing Business As) email servers will be required to establish Domain Specific Mutual TLS (Transport Layer Security) Encryption between the server and Archive email system.

Mutual TLS Encryption will help ensure that personally identifiable information (PII) transferred via email between your DBA email system and Archive server (including emails that are systematically journaled to our Archive for SEC17a-4 compliance) is properly protected. Please note that Mutual TLS encryption will not encrypt emails to clients, vendors, or other outside email addresses.

Thanks

[Updated on: Mon, 23 April 2012 18:28]

TorW
If I understood this correctly and you haven't left anything out, they require the sender to be able to TLS-encrypt their transmission when archiving. Kerio Connect does this as long as you have a certificate installed on the server.

bishopsmate
What they want is a protected mode of forcing TLS on the collecting domain's Exchange server. If there were some malfunction in the receiving Exchange server, no email would be sent to that domain in an unencrypted format.

So in opportunistic mode, usually an encrypted email is sent, and if it is not accepted it reverts automatically to unencrypted.

This is a security mechanism that Exchange server has built in, by adding the forced-TLS-only mode.

Thanks

bishopsmate
Ok, now that I have had some days of research, I have found that domain-forced TLS is coming from the majority of our financial industry clients.

This feature is demanded by regulation, as stated above in my first post. This could kill our business with Kerio if this feature is not added to Kerio Connect.

What we need to be able to do is force a TLS session to a specific domain. Apparently there is a need from compliance to bounce the archive email delivered to the archiving Exchange server (which does support Forced TLS); in our case, if the TLS session is detected it would send, otherwise no fallback would be used and the email would be bounced.
There are in some cases system failures, for whatever reason, and for compliance email should not be sent in the case of failure. So opportunistic TLS needs to be disabled for a specific domain.

So a better question is to Kerio: are you all working on this new demand in email regulation? Please update us on this new emerging standard. Thanks.

Please let us know.

Regards, James

Keerl IT Services GmbH
Hi,

so far I have not been able to find a clear answer to this:

Is Kerio Connect capable of forcing TLS for mail traffic between "internal" and certain (!) external domains?

This is something which seems to be needed more and more: customers and their suppliers requiring forced TLS between them. If TLS fails (for whatever reason), no e-mails shall be sent.

Cheers
JK

Pavel Dobry (Kerio)
Keerl IT Services GmbH wrote on Wed, 20 January 2016 15:41
Hi,

so far I have not been able to find a clear answer to this:

Is Kerio Connect capable of forcing TLS for mail traffic between "internal" and certain (!) external domains?

This is something which seems to be needed more and more: customers and their suppliers requiring forced TLS between them. If TLS fails (for whatever reason), no e-mails shall be sent.

Cheers
JK

TLS is used when possible; if TLS cannot be established, then the email is delivered via SMTP with no SSL or TLS.
However, forcing TLS (and forcing trusted, valid certificates!) is a good suggestion. For further suggestions, please use the "Suggest idea" button in the product administration.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support

zistrol
Is there any update on this?

I have been getting requests from our bank - you know - better yet, here is their requirement:

The process of getting TLS setup starts with the Boundary Encryption form. I will briefly explain the form. Section 1 contains information about <our bank>. That is, our contact information and, most importantly, our list of 110 domains which we require all our TLS business partners to add to their TLS configurations. Sections 2, 3 and 4 are the ones that need to be completed. This is typically done by someone on your Messaging/TLS/IT team.

Looking through the TLS page on the Kerio support site, I don't see how this is accomplished, though this is my first run-in with this level of TLS compliance. I just turned it on, ran the checker at ssllabs.com, got my passing A, and have been a happy Kerio user since.

P.S. Looks like they are using MessageLabs.

j.a.duke
I'm seeing the same request from a bank for whom we do work.

I'm setting up Postfix in a Forced TLS mode through which to relay all mail to them. It will receive, on a non-standard port on the same box, only those messages destined for their list of domains, then send the messages out only over a TLS connection. No TLS, no mail relay for those domains.

Unfortunately, I haven't found a way to do this internal to Connect.

Cheers,
Jon

freakinvibe
In Kerio Connect, under "SMTP Delivery", you can enable

"Use SSL/TLS if supported by remote SMTP server"

but this only enables "opportunistic" TLS. You cannot currently force TLS.

As more and more banking clients ask for this and make it mandatory, you have to use a mail relay that can do that.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
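A fail-closed relay of the kind j.a.duke and freakinvibe describe, written out as an added example (not Kerio's code and not anything posted in the thread): a script that stages the Postfix tables and configuration fragments for a relay that accepts mail from Kerio on a non-standard port and delivers to the listed partner domains only over verified TLS, never falling back to cleartext. The partner domains, the Kerio host address 192.0.2.10, port 2525 and the CA bundle path are placeholders, and the staging directory is taken as the first argument.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Kerio): stage the Postfix
# pieces for a fail-closed TLS relay sitting between Kerio Connect and a
# partner that demands mandatory TLS. Domains, addresses and port are placeholders.
set -eu

# Constructed placeholder domains standing in for the partner's domain list.
FORCED_TLS_DOMAINS="bank.example partner.example"

write_forced_tls_policy() {
    dir="${1:-/etc/postfix}"
    mkdir -p "$dir"

    # Per-domain TLS policy. "secure" = encrypt AND verify the server certificate
    # against the CA bundle and the destination domain; if that cannot be achieved
    # the mail is deferred, never downgraded. If the partner's MX is outsourced
    # (the thread mentions MessageLabs), append "match=" with the names the
    # partner says its certificates carry, e.g. "secure match=mx.example:.mx.example".
    : > "$dir/tls_policy"
    for d in $FORCED_TLS_DOMAINS; do
        printf '%s\tsecure\n' "$d" >> "$dir/tls_policy"
    done

    # Only these domains may be relayed through this host.
    printf '%s\n' $FORCED_TLS_DOMAINS | awk '{print $0 "\tOK"}' > "$dir/relay_domains"

    cat > "$dir/main.cf.forced-tls" <<'EOF'
# Default outbound policy stays opportunistic; the policy map overrides it per domain.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
relay_domains = hash:/etc/postfix/relay_domains
EOF
    # Listener for Kerio on a non-standard port; accept relay only from the Kerio host.
    cat > "$dir/master.cf.forced-tls" <<'EOF'
2525      inet  n       -       n       -       -       smtpd
  -o mynetworks=192.0.2.10/32
  -o smtpd_relay_restrictions=permit_mynetworks,reject
EOF
    # Compile the lookup tables when postmap is present on this host.
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dir/tls_policy" "hash:$dir/relay_domains"
    fi
}

# Returns the staged policy for a domain, or "may" (opportunistic) if it is unlisted.
policy_for() { awk -v d="$2" '$1==d{print $2; f=1} END{if(!f)print "may"}' "$1/tls_policy"; }
```

Append the two fragments to main.cf and master.cf, point Kerio's SMTP relay at port 2525 of this host, and watch the Postfix log for "TLS is required, but" deferrals, which are the fail-closed behaviour the bank's form asks for.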