Use required TLS for inbound and outbound traffic

Inbound

You can require Transport Layer Security (TLS) for inbound connections by checking whether the $connection["tls"] value is set in your AUTH, MAIL FROM or RCPT TO context. To require it only between two specific domains, the check has to go in the RCPT TO context, since that is where the recipient address is known, and it should sit at the top of the context so it runs before any other logic accepts the recipient.

RCPT TO context
// Defer (temporary failure) if mail from example.org to halon.io arrives without STARTTLS
if ($transaction["senderaddress"]["domain"] == "example.org" and $arguments["address"]["domain"] == "halon.io" and !isset($connection["tls"])) {
    Defer("STARTTLS is required");
}

Outbound

To require TLS for outbound connections you need to use your Pre-delivery context. In this example required TLS is enabled only for mail sent between two specific domains. The server certificate is verified against one or more common names (CN) or Subject Alternative Names (SAN) using tls_verify_name. This option accepts multiple values, which is useful when the recipient domain has several MX hosts presenting different certificates.

Pre-delivery context
$options = [];
if ($message["senderaddress"]["domain"] == "halon.io" and $message["recipientaddress"]["domain"] == "example.org") {
    $options += [
        "tls" => "require_verify",          // require TLS and a valid certificate; no plaintext fallback
        "tls_default_ca" => true,           // validate the chain against the default CA bundle
        "tls_verify_name" => [".example.net"] // CN/SAN names accepted for the MX hosts
    ];
}
Try($options);
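The same Pre-delivery logic extended to several partner domains, each with its own accepted names, as an added example that is not from the Halon documentation; the $partners table and the domain and host names in it are constructed for illustration:

```hsl
// Added example (not Halon's own code): required, verified TLS towards a
// table of partner domains. Pre-delivery context. Domains and host names
// are constructed placeholders; replace them with your own partners.
$partners = [
    "example.org" => [".example.net"],                    // MX hosts under example.net
    "example.com" => ["mx1.example.com", "mx2.example.com"] // two MX hosts, separate certs
];

$options = [];
$recipientDomain = $message["recipientaddress"]["domain"];

// Only mail from our own domain to a listed partner gets the strict policy;
// everything else keeps the default (opportunistic) TLS behaviour of Try().
if ($message["senderaddress"]["domain"] == "halon.io" and isset($partners[$recipientDomain])) {
    $options += [
        "tls" => "require_verify",                      // defer instead of falling back to plaintext
        "tls_default_ca" => true,                       // chain must validate against the CA bundle
        "tls_verify_name" => $partners[$recipientDomain] // any listed CN/SAN is accepted
    ];
}
Try($options);
```

Because the policy is keyed on the recipient domain, adding a partner is a single table entry rather than another if-branch, and a misspelled domain simply leaves that partner on the default policy, so review the table when onboarding a new partner.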

This protects against

  • Eavesdropping
  • Man-in-the-middle
  • TLS downgrading

For more information on how to use Try, or if you need to use different protocols or ciphers, please visit our documentation page for Try.

Advanced

As configuring this per pair of domains can be cumbersome, there are upcoming technologies that automatically establish TLS trust between domains, such as MTA-STS and DANE. Both require the receiving end (the recipient domain) to add support for them; if it does, Halon has support for both.