Using SSL/TLS for Outbound Emails

  • Published on Oct 3, 2024

Comments • 5

  • @simonselvin1
    @simonselvin1 3 years ago

    Thanks, it's a very in-depth explanation of email security. Just to clear my doubts: even if I have STARTTLS enabled and want to send an email, and the recipient's email server does not support TLS or does not have a public certificate on their gateway, that means the email will still be sent in clear text, as it defaults to (opportunistic encryption). Unless the recipient uses DANE or MTA-STS.

    • @synametricstech
      @synametricstech  3 years ago

      Yes. Thanks for the tip. Using DANE and/or MTA-STS definitely makes SMTP communication more secure.
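
The exchange above, as an added example that is not part of the video or of either comment: a Python model of the sending MTA's decision for one MX host, comparing plain opportunistic STARTTLS with an MTA-STS policy in `enforce` mode (policy format per RFC 8461). The function names, host names and the sample policy are constructed for illustration; DANE is not modelled, and skipping certificate checks in opportunistic mode is an assumption based on common MTA defaults.

```python
# Added example: sender-side delivery decision. All inputs are constructed; no network access.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

def parse_sts_policy(text):
    """Parse an MTA-STS policy body (RFC 8461 key: value lines) into a dict."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def mx_matches(mx_host, pattern):
    """Match an MX name against a policy pattern; '*.' covers exactly one left-most label."""
    host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def delivery_decision(mx_host, ehlo_extensions, cert_valid, policy=None):
    """Return 'encrypted', 'cleartext' or 'refuse' for one MX candidate."""
    offers_starttls = "STARTTLS" in {ext.upper() for ext in ehlo_extensions}
    if policy is not None and policy["mode"] == "enforce":
        # Enforced: STARTTLS, a valid certificate and a listed MX are all required.
        listed = any(mx_matches(mx_host, p) for p in policy["mx"])
        return "encrypted" if (offers_starttls and cert_valid and listed) else "refuse"
    # Opportunistic (also 'testing'/'none'): encrypt if offered, else fall back to cleartext.
    # Assumption: the certificate is not verified in this mode.
    return "encrypted" if offers_starttls else "cleartext"

if __name__ == "__main__":
    pol = parse_sts_policy(SAMPLE_POLICY)
    no_tls = ["PIPELINING", "SIZE 10240000"]  # constructed EHLO reply without STARTTLS
    print(delivery_decision("mail.example.com", no_tls, False))       # opportunistic
    print(delivery_decision("mail.example.com", no_tls, False, pol))  # enforce
```

The same EHLO reply without STARTTLS leads to cleartext delivery in opportunistic mode and to a refused delivery once the recipient domain publishes an `enforce` policy.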

  • @1999Zahra
    @1999Zahra 2 years ago

    1) When you state "server A needs a certificate", do you mean: "server A needs to receive a certificate with the public key of server B" or do you mean "server A needs to make a private/public keypair where it puts its public key in a certificate file that is finally signed by a CA"?
    2) Another confusion: you state that on the sending MTA, when STARTTLS is configured, it's the sending MTA (which you now call the SMTP client) that asks the receiving MTA for acceptance of setting up a TLS tunnel? As I thought it was the receiving MTA that decides that TLS is required to talk to it, and so that the receiving MTA finally decides on destination port and/or TLS? This in a way that if the sending MTA (SMTP client) does not comply, the receiving MTA can decide to block incoming communication.
    Maybe in both perceptions it's the same...
    Can I rephrase STARTTLS as follows? --> the sending MTA asks the receiving MTA "Do you require TLS? Do you require another port? And if yes, I'd be happy to oblige (with a valid certificate)"
    If STARTTLS on the sending MTA is NOT enabled, the question will never be raised, and so if the receiving MTA demands TLS and optionally a port number change, communication will not go through.
    So it's the destination / receiving MTA that 'finally calls the shots' on what's required or not. Is this a correct understanding?
    3) Side question: I thought that if TLS was set up between MTAs, by default the destination port (decided by the receiving 'listening' MTA) would swap to 587. Isn't that common?

  • @dinhomhm
    @dinhomhm 4 years ago

    If we use SMTPs, do we still need SPF and DKIM?
    Or will SPF and DKIM not matter anymore?

    • @synametricstech
      @synametricstech  4 years ago +1

      Adding transport level encryption to SMTP does not prevent forgery. Therefore, you will still need SPF and DKIM even if you use SMTPs.