Use required TLS for inbound and outbound traffic
Inbound
You can require Transport Layer Security (TLS) for inbound connections by checking whether the $connection["tls"] value is set in your AUTH, MAIL FROM or RCPT TO context. To require it only between two specific domains, the check has to go in the RCPT TO context, since that is the first point where both the sender and the recipient address are known; add it at the top of the context so the recipient is rejected before any other processing.
// Defer (temporary failure) if mail from example.org to halon.io arrives without STARTTLS
if ($transaction["senderaddress"]["domain"] == "example.org" and $arguments["address"]["domain"] == "halon.io" and !isset($connection["tls"])) {
    Defer("STARTTLS is required");
}
Outbound
To require TLS for outbound connections you use the Pre-delivery context. In this example TLS is only required when mail is sent between two specific domains. The certificate is verified against the trusted CA bundle and against one or more expected Common Names (CN) or Subject Alternative Names (SAN) using tls_verify_name. This option accepts multiple values, which is useful when the recipient domain has several MX hosts with different certificates.
$options = [];
if ($message["senderaddress"]["domain"] == "halon.io" and $message["recipientaddress"]["domain"] == "example.org") {
    $options += [
        "tls" => "require_verify",          // fail delivery (defer) unless TLS is negotiated and the certificate verifies
        "tls_default_ca" => true,           // validate the chain against the system CA bundle
        "tls_verify_name" => [".example.net"] // names the MX certificates are expected to carry; add one entry per MX if they differ
    ];
}
Try($options);
This protects against:
- Eavesdropping
- Man-in-the-middle
- TLS downgrading
For more information on how to use Try, and if you need to use different protocols or ciphers, please visit our documentation page for Try.
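Because a "require_verify" delivery is deferred whenever the certificate does not verify, it helps to see which names a recipient's MX hosts actually present before filling in tls_verify_name. The following Python script is an added example for that purpose; it is not part of Halon or of this page's configuration. It opens a plain SMTP session, upgrades with STARTTLS while still requiring a trusted chain (the counterpart of tls_default_ca), and reports the CN and SAN entries. The hostnames, port and the constructed certificate dictionary used for the offline demonstration are assumptions.

```python
"""Probe an MX host's STARTTLS certificate to learn which names it carries.
Added example; the MX hostnames and the SAMPLE_CERT below are constructed."""
import smtplib
import ssl
import sys


def san_dns_names(cert):
    """DNS entries from subjectAltName of a dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName values from the subject of a getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_report(host, protocol, cert):
    """Summarise what a verifying MTA would be able to match tls_verify_name against."""
    return {
        "host": host,
        "protocol": protocol,
        "common_names": common_names(cert),
        "dns_names": san_dns_names(cert),
    }


def probe_starttls(host, port=25, timeout=10):
    """Connect, require STARTTLS and a CA-validated chain, and return the presented names.
    check_hostname is disabled only so the probe can inspect a certificate whose names do
    not include the MX hostname; the chain is still required to validate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not offer STARTTLS")
        smtp.starttls(context=ctx)
        return cert_report(host, smtp.sock.version(), smtp.sock.getpeercert())


# Constructed certificate dict in getpeercert() shape, used for the offline demonstration.
SAMPLE_CERT = {
    "subject": ((("countryName", "SE"),), (("commonName", "mx1.example.net"),)),
    "subjectAltName": (
        ("DNS", "mx1.example.net"),
        ("DNS", "mx2.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


if __name__ == "__main__":
    # Usage: python probe.py mx1.example.net [mx2.example.net ...]
    hosts = sys.argv[1:]
    if not hosts:
        print(cert_report("sample", "offline", SAMPLE_CERT))
    for host in hosts:
        try:
            print(probe_starttls(host))
        except (OSError, smtplib.SMTPException, RuntimeError) as exc:
            print(f"{host}: {exc}")
```

Run it against each MX of the recipient domain; every name listed under dns_names or common_names is a candidate for tls_verify_name, and a host that raises an error here would also cause a deferral under "require_verify".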
Advanced
Configuring this per pair of domains can be cumbersome. Upcoming technologies such as MTA-STS and DANE configure TLS trust between domains automatically, but both require the receiving end (the recipient domain) to publish support for them; where it does, Halon supports both.