Confused About Setting Up Forced TLS with a Vendor?

Asked By TechNinja88 On

I'm really lost with this request I'm getting from another IT department about setting up "forced TLS" with a vendor my HR team works with. We already use forced TLS in our email environment, which means our system requires TLS connections to send emails. If the recipient's email server can't support TLS, we simply block the message to keep it secure, unlike opportunistic TLS that defaults to less secure methods. I've also got a system in place that recognizes sensitive data like SSNs and credit card numbers, encrypting them so recipients have to log into a secure portal to view their messages. The vendor's IT department insists that we need to configure a connector for forced TLS every time we work with a new partner, which makes me question whether I truly understand what forced TLS means or if they do!

5 Answers

Answered By QuestioningTLS On

They might be referring to the necessity of using validated certificates for TLS on their end. The difference is that you accept any certificates matching the sender’s claims, while they’re stricter in that sense. If they still ask, just explain your current setup is already forced TLS across the board.

LongTermTLS -

I've dealt with forced TLS mainly for banks, but compliance seems to be the goal more than true security. If they want you to prove it, sharing your configuration might help.

Answered By SecureSender42 On

This is typical for financial institutions. Even with forced TLS outbound, you need to add their specific domain to your forced outbound settings to prevent downgrade attacks. You'll also want to create rules that require TLS for any emails coming in from their domain. They should be doing the same on their side. Once you handle this for one domain, future setups become much easier! Here's a detailed guide on how to configure connectors in different email systems if you need it.

EmailExpert99 -

I get that, but what’s the point if our system already blocks messages to servers without TLS? If we set this connector, how does it improve security?

Answered By TLSGeek77 On

The systems you use sound like they enforce TLS pretty well. But surprisingly, many organizations don’t! It's probably just a standard request from the vendor to cover their bases. If you can create custom connectors that require TLS and trusted certificates, you could set one up and provide screenshots to satisfy their requirements.

NerdyComms -

True! It'll really help if you can show proof that your system is secure.

Answered By CheckTLSFan On

To clarify your setup, you could test your email with a service like [CheckTLS](https://www.checktls.com/TestReceiver). It shows whether you’re forcing TLS or just using it opportunistically. My own tests revealed that I use TLS, but I don't strictly enforce it, which might be what's happening there!

QuickFixer -

I ran the test too, and it confirmed that they can't send without TLS. Might be a good idea to show that.
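The kind of check CheckTLSFan describes, combined with the certificate-validation distinction raised in QuestioningTLS's answer, as an added example that is not from any poster in this thread. The policy labels (`opportunistic`, `forced`, `forced-verified`) and function names are assumptions made for this sketch, not settings of any particular mail product.

```python
import smtplib
import ssl
import sys

# Policy labels are assumptions for this example, not product setting names.
POLICIES = ("opportunistic", "forced", "forced-verified")

def probe(mx_host, port=25, timeout=15):
    """Return (starttls_offered, cert_verified) for one receiving mail server."""
    ctx = ssl.create_default_context()  # verifies CA chain and hostname
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return (False, False)       # server (or something in the path) offers no TLS
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError:
            return (True, False)        # TLS offered, but certificate is not trusted
        return (True, True)

def outcome(policy, starttls_offered, cert_verified):
    """What a sending server does with a message under each policy."""
    if policy == "opportunistic":
        # Falls back to plain SMTP when STARTTLS is missing.
        return "sent-encrypted" if starttls_offered else "sent-cleartext"
    if policy == "forced":
        # Requires TLS but accepts whatever certificate is presented.
        return "sent-encrypted" if starttls_offered else "blocked"
    if policy == "forced-verified":
        # Requires TLS and a certificate that validates for the host.
        ok = starttls_offered and cert_verified
        return "sent-encrypted" if ok else "blocked"
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    for host in sys.argv[1:]:
        offered, verified = probe(host)
        print(host, "STARTTLS" if offered else "no STARTTLS",
              "cert ok" if verified else "cert not verified")
        for p in POLICIES:
            print(f"  {p:16} -> {outcome(p, offered, verified)}")
```

Pass the vendor's MX host names as arguments; outbound port 25 must be reachable from the machine running it. A host that shows different outcomes for `forced` and `forced-verified` is the case where a per-domain connector with certificate validation changes behaviour.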

Answered By ForcingClarity On

If your setup already uses forced TLS for all domains, just explain that to them! Are they looking for proof? If they keep insisting you set it up, just reiterate that it’s already done and ask them to clarify what they mean by forced TLS. It’s getting really confusing!

SetupSimplicity -

I'm in a similar spot! They just keep stating the need for forced TLS without acknowledging what I’ve already set up.

ClearTheAir -

Running into the same misunderstanding with my vendors, too. Maybe a call could clear up the confusion!
