Project: How To Connect Multiple Email Domains via TLS
Given Sample
- 3 dedicated Email domains by 3 companies, each on its own LAN secured by firewalls
- Each company uses its own Server certs
- Company A (domainA.tld) uses CAcert server certs
- Company B (domainB.tld) uses Verisign server certs
- Company C (domainC.tld) uses GeoTrust server certs
Using three different CAs for the three companies in this example only shows that there is no requirement for all parties to use the same CA; using the same CA everywhere would simplify the rollout.
Objectives
- connect 3 foreign individual companies with a minimal agreement to transport B2B email securely via TLS over the internet
- configure the internet gateways to enable TLS
- configure the internet gateways to support TLS connection for specific target email domains
Pros:
- Companies only need to configure their internet gateways (as a first step, to transfer their business emails securely from one company to another over the internet)
- In a later project step, client cert usage can be rolled out
- Not all users in all connected companies need to have a client cert
- Educating users about client certs is not a requirement for starting to secure B2B communication (but it may be at a later project step)
Cons:
- Email admins configuring the companies' internet gateways have to work together
- Using client certs from a CA that isn't included in the major browsers/OSes/applications requires an administrative software/policy rollout of the roots in the companies' intranets, which probably requires rewriting company policies
Configure Internet Gateways for using TLS connectivity
- Internet Gateways configuration
  - Company A (domainA.tld)
    - create and configure own server cert gatewayA.domainA.tld
    - dedicated routing to domainB.tld, domainC.tld
    - enable TLS connection for dedicated routings
    - make root and intermediate certificates known to the internet gateway server of Company A
      - CAcert root/subroot
      - Verisign root/subroot
      - GeoTrust root/subroot
  - Company B (domainB.tld)
    - create and configure own server cert gatewayB.domainB.tld
    - dedicated routing to domainA.tld, domainC.tld
    - enable TLS connection for dedicated routings
    - make root and intermediate certificates known to the internet gateway server of Company B
      - CAcert root/subroot
      - Verisign root/subroot
      - GeoTrust root/subroot
  - Company C (domainC.tld)
    - create and configure own server cert gatewayC.domainC.tld
    - dedicated routing to domainA.tld, domainB.tld
    - enable TLS connection for dedicated routings
    - make root and intermediate certificates known to the internet gateway server of Company C
      - CAcert root/subroot
      - Verisign root/subroot
      - GeoTrust root/subroot
- Then each connection from domainA.tld goes via TLS to domainB.tld and to domainC.tld,
- each connection from domainB.tld goes via TLS to domainA.tld and to domainC.tld, and
- each connection from domainC.tld goes via TLS to domainA.tld and to domainB.tld
- Default SMTPS port: 465
- Configure each SMTP connector on all internet gateways to support port 25 (non-secure channel) and port 465 for TLS channel
- Sample for one connector (domainA.tld) (postfix):
  - main.cf file:
    transport_maps = hash:/etc/postfix/transport
    smtp_tls_security_level = may
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
  - tls_policy file:
    domainB.tld     may
    .domainB.tld    may
    domainC.tld     may
    .domainC.tld    may
  - transport file:
    # add specific relayhosts for specific domains
    # Specifies specific domains for local delivery
    domainA.tld     :
    # Specify all subdomains for local delivery
    .domainA.tld    :
    # route to domainB.tld, domainC.tld using TLS
    domainB.tld     :[gatewayB.domainB.tld]:465
    .domainB.tld    :[gatewayB.domainB.tld]:465
    domainC.tld     :[gatewayC.domainC.tld]:465
    .domainC.tld    :[gatewayC.domainC.tld]:465
More sample configurations: How to setup Relay host in mail server
More info on TLS with postfix: Using TLS for mail delivery from postfix to another TLS activated mail server
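The following script is an added example and not part of the original page or of Postfix itself. It generates the transport and tls_policy tables for all three gateways of the mesh above and cross-checks them, so the three email admins can produce consistent files instead of hand-editing each one. The Company list, the function names and the lint rules are this example's own design. Two points a practitioner should check when copying the page's sample: Postfix searches tls_policy by the verbatim next-hop destination from the transport table (here `[gatewayB.domainB.tld]:465`), so the generator keys the policy that way rather than by recipient domain; and `may` is opportunistic (cleartext fallback when the peer does not offer TLS), so for a B2B agreement that mandates TLS the lint asks for at least `encrypt`, and `secure` with the peers' roots in `smtp_tls_CAfile` is what actually uses the root and intermediate certificates distributed above. Port 465 is implicit TLS, which the Postfix SMTP client only speaks with `smtp_tls_wrappermode = yes`; otherwise use a STARTTLS port.

```python
# Added example (not from the original page). Generates and lints per-gateway
# Postfix transport / tls_policy tables for a full mesh of B2B email domains.
# Assumptions: Company, the generators, lint() and the "encrypt" minimum are
# this example's design; company and gateway names come from the page's sample.
from dataclasses import dataclass
from typing import Dict, List

# Postfix smtp client TLS security levels, weakest first.
TLS_LEVELS = ["none", "may", "encrypt", "dane", "dane-only",
              "fingerprint", "verify", "secure"]


@dataclass(frozen=True)
class Company:
    domain: str    # email domain
    gateway: str   # FQDN on the gateway's server certificate


# Constructed from the page's sample; real names would come from the agreement.
COMPANIES = [
    Company("domainA.tld", "gatewayA.domainA.tld"),
    Company("domainB.tld", "gatewayB.domainB.tld"),
    Company("domainC.tld", "gatewayC.domainC.tld"),
]


def nexthop(peer: Company, port: int = 465) -> str:
    """Next-hop as written in the transport table; also the tls_policy lookup key."""
    return f"[{peer.gateway}]:{port}"


def transport_table(local: Company, peers: List[Company], port: int = 465) -> str:
    """Transport map for one gateway: own domain stays default, peers get a relayhost."""
    lines = ["# own domain and subdomains: default delivery",
             f"{local.domain}\t:", f".{local.domain}\t:"]
    for p in peers:
        lines.append(f"# route to {p.domain} via its TLS gateway")
        lines.append(f"{p.domain}\t:{nexthop(p, port)}")
        lines.append(f".{p.domain}\t:{nexthop(p, port)}")
    return "\n".join(lines) + "\n"


def tls_policy_table(peers: List[Company], level: str = "encrypt",
                     port: int = 465) -> str:
    """tls_policy map keyed by next-hop; 'encrypt' refuses cleartext fallback."""
    if level not in TLS_LEVELS:
        raise ValueError(f"unknown TLS level {level!r}")
    return "".join(f"{nexthop(p, port)}\t{level}\n" for p in peers)


def parse_table(text: str) -> Dict[str, str]:
    """Parse a Postfix lookup-table source: '#' comments, blank lines, key<ws>value."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def lint(transport_text: str, policy_text: str, minimum: str = "encrypt") -> List[str]:
    """Cross-check both tables; returns human-readable findings (empty list = OK)."""
    transport, policy = parse_table(transport_text), parse_table(policy_text)
    findings = []
    # Remote routes only: ":[gatewayB.domainB.tld]:465" -> "[gatewayB.domainB.tld]:465"
    remote = {v.split(":", 1)[1] for v in transport.values() if "[" in v}
    for hop in sorted(remote):
        if hop not in policy:
            findings.append(f"{hop}: no tls_policy entry, global smtp_tls_security_level applies")
            continue
        level = (policy[hop].split() or ["?"])[0]
        if level not in TLS_LEVELS or TLS_LEVELS.index(level) < TLS_LEVELS.index(minimum):
            findings.append(f"{hop}: level {level!r} is below {minimum!r} (cleartext fallback possible)")
    for key in policy:
        if key not in remote:
            findings.append(f"{key}: policy key matches no transport next-hop (entry is never used)")
    return findings


def tables_for(domain: str, level: str = "encrypt"):
    """(transport, tls_policy) text for the named company's gateway."""
    local = next(c for c in COMPANIES if c.domain == domain)
    peers = [c for c in COMPANIES if c is not local]
    return transport_table(local, peers), tls_policy_table(peers, level)


# Constructed copy of the page's domain-keyed tls_policy sample, for comparison.
PAGE_TLS_POLICY = """domainB.tld may
.domainB.tld may
domainC.tld may
.domainC.tld may
"""

if __name__ == "__main__":
    for c in COMPANIES:
        t, p = tables_for(c.domain)
        print(f"--- {c.gateway}: /etc/postfix/transport ---\n{t}")
        print(f"--- {c.gateway}: /etc/postfix/tls_policy ---\n{p}")
        print("lint:", lint(t, p) or "OK")
    t, _ = tables_for("domainA.tld")
    print("page sample vs generated transport:", lint(t, PAGE_TLS_POLICY, minimum="may"))
```

Write each generated pair to /etc/postfix/transport and /etc/postfix/tls_policy on the matching gateway and run `postmap` on both files so the hash: tables are rebuilt; the lint is meant to be re-run whenever one admin changes a gateway name or port, since the other two gateways' tables must change in step.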
- Exchange Server: configure routing group connectors
- main.cf file: