Mailinglist Archive: opensuse-security (409 mails)

RE: [suse-security] Encrypt E-Mails without human-agreement
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 19 Aug 2002 07:49:59 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1019894CD@xxxxxxxxxxxxxxxxx>
> > This is called Transport Layer Security (TLS) because it only encrypts the
> > direct connection from one MTA to the next. Every MTA on the route is able
> > to read the mail since it processes mails above the transport layer. Privacy
> > can only be guaranteed if there is a direct connection between sending and
> > receiving MTA (and both can be trusted). This is not true for SMTP.
>
> Presumably they are free to configure the MTAs at either end not to
> use the "smart host" relay feature. In this case all connections
> are direct and there are no intermediate MTAs.
> Is this not correct?

Not entirely. Just because you're delivering email directly to the host that
is published as the domain's mail exchanger(s) in the DNS, that doesn't mean
that it's the final destination or that email won't travel on from there.
That host may well send the messages on to someplace else. And if the
primary MX is down, mail is typically buffered on the hosts with lower
priority MX records until the primary MX comes back up again, in which case
they send all the buffered mail to it. All these are examples where TLS between
you and an MX of a domain results in cleartext transmission of email further
along the delivery chain.

Michel is correct, for true confidentiality you need to encrypt on the
application level.

Cheers
Tobias
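
As an added example, not part of this thread, here is a check for the hop-by-hop nature of SMTP TLS that Tobias describes: it walks a message's Received: headers, oldest hop first, and flags every hop whose receiving MTA recorded a cleartext SMTP session. The sample message is constructed, and the parsing assumes the common Postfix-style "with ESMTP" / "with ESMTPS" wording.

```python
import email
import re

# Constructed sample message with three hops (newest Received: header first,
# as MTAs prepend them). Hop 2 (relay -> mx2) was delivered without TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.net (Postfix) with ESMTPS id 4B2C1
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384)
    for <alice@example.net>; Mon, 19 Aug 2002 07:49:59 +0200
Received: from relay.example.org (relay.example.org [198.51.100.5])
    by mx2.example.net (Postfix) with ESMTP id 7F3A9
    for <alice@example.net>; Mon, 19 Aug 2002 07:40:00 +0200
Received: from sender.example.org (sender.example.org [203.0.113.7])
    by relay.example.org (Postfix) with ESMTPS id 12AB3
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384)
    for <alice@example.net>; Mon, 19 Aug 2002 07:30:00 +0200
From: bob@example.org
To: alice@example.net
Subject: test

body
"""

_FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_WITH_RE = re.compile(r"\bwith\s+(\S+)", re.I)


def parse_hops(raw):
    """Return the delivery chain as a list of hops, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        frm, by, with_ = (r.search(text) for r in (_FROM_RE, _BY_RE, _WITH_RE))
        proto = with_.group(1).upper() if with_ else ""
        hops.append({
            "from": frm.group(1) if frm else "?",
            "by": by.group(1) if by else "?",
            "protocol": proto,
            # "ESMTPS"/"SMTPS" means the receiving MTA negotiated TLS on this hop;
            # the plaintext was still available to that MTA once it arrived.
            "tls": "SMTPS" in proto,
        })
    return hops


def cleartext_hops(raw):
    """Hops on which the message crossed the wire unencrypted."""
    return [h for h in parse_hops(raw) if not h["tls"]]
```

Only the Received: headers added by MTAs you control are trustworthy, since earlier hops can write anything they like; and even a chain with no cleartext hop still left the message readable on every intermediate MTA, which is the point of the thread.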
