HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

110 VOTE
Status Assessment
Workspace Domino
Categories Security
Created by Guest
Created on Jul 31, 2018

Enforce TLS

If your organization is required to use TLS for email sent to recipients in specific domains, you can configure outbound email to ensure that TLS (Transport Layer Security) is used for those domains. Enforced TLS forces a secure connection between both the sending and receiving domains. If a secure connection cannot be established, the mail is not sent.

 

like https://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/cfg_using_enforced_tls_t.html

  • Guest
    Dec 5, 2018

    Yes, please make it possible to enforce TLS for specific domains only. Additional option on the Foreign SMTP document?

  • Guest
    Sep 26, 2018

    If I understand my customer regarding the requirements by law or regulation (GDPR), it could be a first step to have an indicator that documents that a mail was sent with "TLS". A customer must prove that TLS (Transport Layer Security) is used for their domains.

  • Guest
    Aug 7, 2018

    RouterFallbackNonTLS=1 is the solution?

  • Guest
    Aug 7, 2018

    I agree with "Guest commented August 6, 2018 13:52". On the one side there are requirements by law or regulation (e.g. GDPR) to enforce TLS encryption to specific domains. On the other side several other domains are not using TLS in any way (in our environment 1/4 of externally sent mail is without TLS/SSL).

    We need a way to force TLS for some domains and leave it as opportunistic for the rest of the world.

  • Guest
    Aug 6, 2018

    Hello Thomas, what I believe is meant here (at least this understanding of the idea is the reason why I support it): Yes, when TLS negotiation is enabled, the server should be using the strongest security available. But what if I want to make absolutely sure? I'd have to enforce TLS. When I do that, I would forbid any emailing to or from servers which may be too old or poorly maintained, for example private servers of customers (e.g. bank to customer). I would possibly lose business.

    On the other hand, I might have some partners/customers etc. I could talk to in case TLS fails for some reason while sending or receiving mails.

    I would like to:

    Negotiate TLS for all senders and addressees I do not know well, and

    Enforce TLS for all senders and addressees I can coordinate with to enhance security.

    Domino does not give this option. Why not make it possible to set such an option in the documents for "Foreign SMTP domain"?

  • Admin
    Thomas Hampel
    Aug 6, 2018

    By default a new server should be using the latest / strongest security settings.

  • Guest
    Aug 2, 2018

    I think you mean that you wanted to specify the recipient domain? How is the recipient classified in that banking requirement: all email sent between banking institutions / all email sent to customers?

    I hope it does not simply say all email correspondence going out of the company must be in TLS?

  • Guest
    Aug 2, 2018

    I can confirm the request. I have also met to either email via TLS or nothing.

  • Guest
    Aug 1, 2018

    This is what can be done today. But there are requirements in the banking sector saying, "TLS, and nothing but TLS". If TLS is not possible, then e-mail will not be delivered.
    The feature should allow specifying the sending domains, of course.

  • Guest
    Jul 31, 2018

    I personally would rather have it downgrade gracefully if the other side somehow does not use TLS. Please bear in mind that as a company we simply cannot force the party that we correspond with to adhere to our standard.
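The behaviour requested in the idea and in the comments above (enforce TLS for listed domains, stay opportunistic for everyone else), sketched as an added example that is not part of the original thread and is not Domino code. The domain list, function names and EHLO replies are hypothetical and constructed for illustration.

```python
# Added example: per-domain TLS policy decision for outbound SMTP.
# ENFORCED_DOMAINS and all names below are hypothetical, not Domino settings.
ENFORCED_DOMAINS = {"bank.example", "partner.example"}  # constructed sample

def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of a mailbox address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return domain.lower().rstrip(".")

def is_enforced(domain: str, enforced=ENFORCED_DOMAINS) -> bool:
    """True if the domain or any parent domain is on the enforced list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in enforced for i in range(len(labels)))

def advertises_starttls(ehlo_reply: str) -> bool:
    """Scan a multi-line EHLO reply ("250-KEYWORD" / "250 KEYWORD")."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].strip().upper() == "STARTTLS":
                return True
    return False

def decide(address: str, ehlo_reply: str, handshake_ok: bool) -> str:
    """Return 'send-tls', 'send-plaintext' or 'hold' for one recipient."""
    enforced = is_enforced(recipient_domain(address))
    if advertises_starttls(ehlo_reply) and handshake_ok:
        return "send-tls"
    # STARTTLS was not offered (or was stripped in transit), or the
    # handshake failed: enforced domains are held, others fall back.
    return "hold" if enforced else "send-plaintext"

# Constructed EHLO replies for illustration.
EHLO_WITH_TLS = "250-mx.bank.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.old.example\r\n250-SIZE 10240000\r\n250 8BITMIME"

if __name__ == "__main__":
    for addr, ehlo, ok in [
        ("alice@bank.example", EHLO_WITH_TLS, True),
        ("alice@mail.bank.example", EHLO_NO_TLS, False),
        ("bob@old.example", EHLO_NO_TLS, False),
    ]:
        print(addr, "->", decide(addr, ehlo, ok))
```

Holding mail for an enforced domain when STARTTLS is missing from the EHLO reply is what keeps a downgrade on the path from silently turning enforced delivery into plaintext delivery.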

1 MERGED

MTA-STS support

Merged
Hello, SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and to specify whether sending SMTP servers should ...
7 months ago in Domino / Security 0 Assessment