
MailChannels Dedicated and TLS

We provide hosting to (currently) 324 colocated servers. Our networking would support port 25 policy-based routing. I'm interested in using MailChannels Dedicated, to block the spam and deliver the email from the original source IPs. I don't understand how that would work with TLS deliveries though. Is STARTTLS supported using MailChannels Dedicated (whilst preserving the source IP)? Is it using the TLS certificate installed on MailChannels Dedicated, or does it somehow pass on the certificate from the unmanaged server?

If TLS is not supported using MailChannels Dedicated in a transparent setup, would your Cloud solution deliver the email using TLS?

3 comments

Official comment

Desmond Liao
Hi Antoine, see answers below:
 
Is STARTTLS supported using MailChannels Dedicated (whilst preserving the source IP)? Is it using the TLS certificate installed on MailChannels Dedicated, or does it somehow pass on the certificate from the unmanaged server?
 
Yes, TLS is supported. We provide three options:
 
1. Filter out STARTTLS advertisement, preventing clients from using TLS whatsoever. This approach has the advantage of being simple, but the disadvantage of exposing client data on the open Internet.
 
2. Providing a local certificate on the MailChannels Dedicated machine, and intercepting TLS sessions, offering that intermediate certificate to clients. Then re-encrypting to the destination using the destination certificate. This approach has the advantage of providing maximum privacy of traffic on the Internet, and the disadvantage of potentially breaking some clients that insist on a perfect match between the certificate and the destination domain.
 
3. Passing TLS traffic through uninspected. This approach is the simplest and the most compliant with the protocol. However, it is also somewhat self-defeating because the encrypted traffic is not inspected for spam or malware.
 
If TLS is not supported using MailChannels Dedicated in a transparent setup, would your Cloud solution deliver the email using TLS?
 
TLS is supported by MailChannels Dedicated. However, if you want to use MailChannels Cloud, you should know that it uses TLS opportunistically, enforcing TLS security whenever servers advertise that they support the protocol.
 
TLS, it should be noted, is not a guarantee of end-to-end security. It is possible and easy to man-in-the-middle a TLS session, or to transparently disable the protocol, enabling inspection of traffic. Users who need perfect end-to-end privacy should encrypt messages using S/MIME or PGP.
 
--
 
If you need more information or would like to schedule a demo, feel free to contact us.
 
Best,
Desmond
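An added check, not part of the thread or of MailChannels' software: from a sending client's point of view, the three options above look like three observable outcomes (no STARTTLS keyword in the EHLO reply; STARTTLS offered but a certificate that is not the destination's; STARTTLS offered with the destination's own certificate). The script below classifies an observed session into those three modes and includes a live probe built on Python's standard smtplib; the hostnames in the examples are constructed placeholders, and `probe()` needs network access while `classify_path()` runs offline.

```python
import smtplib
import ssl


def _name_matches(cert_name: str, host: str) -> bool:
    """Match a certificate DNS name against a host, allowing a leftmost '*.' wildcard."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def classify_path(extensions, cert_names, mx_host):
    """Map what a sending client observed to the three modes in the answer.
    extensions: EHLO keywords advertised (any case); cert_names: DNS names in the
    certificate presented after STARTTLS ([] if no TLS or verification failed)."""
    if "starttls" not in {e.lower() for e in extensions}:
        return "stripped"      # option 1: advertisement filtered, session stays cleartext
    if any(_name_matches(n, mx_host) for n in cert_names):
        return "passthrough"   # option 3: destination's own certificate reached the client
    return "intercepted"       # option 2: a local/intermediate certificate was offered


def probe(mx_host, port=25, timeout=10):
    """Live check against a real MTA (needs network access); returns a mode name."""
    smtp = smtplib.SMTP(mx_host, port, timeout=timeout)
    try:
        smtp.ehlo()
        extensions = list(smtp.esmtp_features)
        cert_names = []
        if smtp.has_extn("starttls"):
            try:
                # The default context verifies chain and hostname, so a certificate
                # issued for some other name raises instead of being accepted.
                smtp.starttls(context=ssl.create_default_context())
                cert = smtp.sock.getpeercert()
                cert_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            except ssl.SSLCertVerificationError:
                cert_names = []
        return classify_path(extensions, cert_names, mx_host)
    finally:
        smtp.close()


if __name__ == "__main__":
    # Constructed observations (no network); mx.example.net and proxy.hosting.example are placeholders.
    print(classify_path(["SIZE", "8BITMIME"], [], "mx.example.net"))                  # stripped
    print(classify_path(["STARTTLS"], ["proxy.hosting.example"], "mx.example.net"))  # intercepted
    print(classify_path(["STARTTLS"], ["*.example.net"], "mx.example.net"))          # passthrough
```

Running `probe()` from a sending server against its destination MX before and after inserting the filter shows which of the three modes the path actually ended up in.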
Antoine

Hello Desmond,

Thanks for the elaborate response. So option 2 would seem ideal, that's quite amazing! Would my network require anything special for that to work? Does it scale just as well as option 1 or 3 (whilst preserving the source IP)?

I notice a few references on your website using your Dedicated product, is such a "TLS intermediate" setup live for any of the clients listed? It would seem quite complicated actually, so it would be great if I could reach out to ensure there are no unexpected issues in a live environment before continuing with this.

Greetz,

Antoine

Desmond Liao

Hi Antoine,

Yes, option 2 scales just as well. We have clients do all sorts of things with TLS. Our software is based on NGINX, and you know the reputation NGINX has for ultra scalability.

Yes, the scenario we describe has been implemented in production. It works. It's really not that complicated once you see the software in action.

Feel free to reach out to me directly at desmond@mailchannels.com.

Cheers,
Desmond
