
Securing email to Gmail


I’ve been working on securing my postfix configuration to enforce certificate validation and encryption on some known, higher-volume, or more sensitive connections between SMTP servers (port 25).

On many of the connections I’ve set up for secure transport there have been no problems (assuming proper TLS certificates are used). Unfortunately Gmail™ has been a problem. Sometimes it verifies and validates the certificate and other times it doesn’t… for days.

After conferring with Google Security I believe I’ve come up with a solution.  In my tls_policy file I’ve added the following:

gmail.com       secure match=.google.com:google.com ciphers=high protocols=TLSv1.2

So far this is working but I’ll continue to test.

If you run your own SMTP server and wish to maintain a secure connection with Gmail, this is an easy way to enforce encryption as well as validate the certificate. Of course, this only protects the message while it is in transit between the two servers; it does nothing for the message while it is stored on a server or workstation (or while it crosses Google’s internal network). To protect messages at rest (on a server) one should use GPG or S/MIME. Using TLS between servers together with GPG or S/MIME on the message itself protects the message both on the wire and where it is stored.

Update

This configuration applies to the OpenSSL version shipped with CentOS 6/RHEL 6. Implementing it on CentOS 7/RHEL 7 or another Linux distribution may require a different (and better) configuration.
The policy has been updated for CentOS 7/RHEL 7, which supports TLSv1.2 in Postfix. Other services can also be set up similarly:

google.com    secure ciphers=high protocols=TLSv1.2
comcast.net    secure ciphers=high protocols=TLSv1.2
verizon.net    secure ciphers=high protocols=TLSv1.2
hotmail.com    secure ciphers=high protocols=TLSv1.2
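Once a "secure" policy is in place, the Postfix log is where you confirm it actually took effect. The script below is an added example, not code from the original post: it scans smtp(8) log lines for "TLS connection established" records and flags any session that was not Verified, did not use TLSv1.2, or negotiated a cipher below 128 bits. The sample log lines are constructed (the first is the one quoted in this post's comments); the MX hostnames and addresses in the others are made up.

```python
import re
from typing import Dict, List, Optional

# Postfix smtp(8) logs each outbound TLS session with a trust level. Only
# "Verified" means the peer certificate chained to a trusted CA *and* matched
# the expected name(s), which is what the "secure" level in tls_policy demands.
TLS_LINE = re.compile(
    r"(?P<level>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# What this page's tls_policy entries demand: verified cert, TLSv1.2 only,
# ciphers=high (OpenSSL "HIGH" means key lengths of at least 128 bits).
REQUIRED_LEVEL, REQUIRED_PROTO, MIN_BITS = "Verified", "TLSv1.2", 128

def parse_tls_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of a TLS session log line, or None for any other log line."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None

def problems(rec: Dict[str, str]) -> List[str]:
    """Every way this session falls short of the policy (empty list = OK)."""
    out = []
    if rec["level"] != REQUIRED_LEVEL:
        out.append(f"certificate not verified (level={rec['level']})")
    if rec["proto"] != REQUIRED_PROTO:
        out.append(f"protocol {rec['proto']} instead of {REQUIRED_PROTO}")
    if int(rec["bits"]) < MIN_BITS:
        out.append(f"weak cipher {rec['cipher']} ({rec['bits']} bits)")
    return out

def audit_log(lines) -> Dict[str, List[str]]:
    """Map each MX host whose session violated the policy to its problems."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:
            continue  # queue ids, "250 OK" status lines, etc. are skipped
        if bad := problems(rec):
            findings.setdefault(rec["host"], []).extend(bad)
    return findings

# Constructed sample: the first line is the one quoted in this post's comments;
# the others are made up to show a name-unverified and a downgraded session.
SAMPLE_LOG = [
    "Verified TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c06::1b]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Trusted TLS connection established to alt1.gmail-smtp-in.l.google.com[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (112/168 bits)",
    "to mx.example.org[192.0.2.30]:25, delay=0.4, status=sent (250 2.0.0 OK)",
]
```

Run `audit_log()` over the lines of your mail log (for example `grep 'TLS connection established' /var/log/maillog`) and anything it returns is a destination where the policy did not deliver what you expected.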
  1. 2015-12-30 at 14:46 EDT

    Does protocols=TLSv1 mean downgrade to TLS v1.0, or is it just some vestige of the times where there was just one version of TLS, and in reality it enables all of them?

    • 2015-12-30 at 15:00 EDT

      This is on CentOS 6 so postfix (openssl?) doesn’t understand TLSv1.x. I am getting a TLSv1.2 connection with Google nonetheless:

      Verified TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c06::1b]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

      I suspect my planned upgrade to CentOS 7 will allow me to harden this further.
