9
Report for TLS Connections
Idea shared by Michael Price - 3/26/2021 at 8:28 AM
Under Consideration
One of the hidden metrics of email security is the percentage of connections where TLS is successfully negotiated with certificates that haven't expired.

I'd like to see number of connections that are secured with TLS vs number of insecure connections in the Security dashboard report.  Also be nice to see those numbers in the SMTP In/Out reports.

Thoughts?

5 Replies

0
Yes, the TLS information is missing from the SMTP log file, even when logging is set to Detailed.

For inbound traffic, I run Declude with LogLevel=Debug. This causes all of the Received header records from a message to be included in the log file. I parse the logs into a SQL database and then filter for the Received entries which include "BY <myservername>". This allows me to identify senders by encryption status, encryption version, and ciphersuite. Certificate verification is a client issue, so it is unknowable for incoming connections.

For Outgoing messages, it gets trickier. You would still need Declude to capture the TLS information. But you would also need the SmarterMail SMTP log (probably Detailed setting). The SmarterMail log will have an entry for any certificate which does not verify.

Of course, a purpose-built solution is preferable to text parsing.
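The Received-header parsing described in this reply, as an added example (not the poster's own Declude/SQL pipeline, and not SmarterMail code): it pulls encryption status, TLS version and cipher suite out of Received lines, keeps only the hops received by an assumed server name standing in for "<myservername>", and computes the secured-vs-plaintext split the thread asks for. The header lines and the server name are constructed placeholders.

```python
import re
from collections import Counter
# Constructed sample Received headers (not real log data); "mail.example.test" stands in
# for the poster's <myservername>. The last hop was received by another server and is ignored.
SAMPLE_RECEIVED = [
    "Received: from mta1.sender-a.test (mta1.sender-a.test [192.0.2.10]) by mail.example.test "
    "with ESMTPS (version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256); Fri, 26 Mar 2021 08:28:00 -0700",
    "Received: from mta2.sender-b.test ([198.51.100.7]) by mail.example.test "
    "with ESMTP; Fri, 26 Mar 2021 08:30:00 -0700",
    "Received: from mta3.sender-c.test ([203.0.113.5]) by mail.example.test "
    "with ESMTPS (version=TLS1 cipher=AES128-SHA bits=128); Fri, 26 Mar 2021 08:31:00 -0700",
    "Received: from relay.other.test by smtp.elsewhere.test "
    "with ESMTPS (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256); Fri, 26 Mar 2021 08:32:00 -0700",
]
# "from <sender> ... by <server> with <proto> (version=... cipher=...)"; the parenthesised
# TLS details are optional because plaintext hops do not carry them.
RECEIVED_RE = re.compile(
    r"from\s+(?P<sender>\S+).*?\bby\s+(?P<server>\S+)\s+with\s+(?P<proto>[A-Za-z]+)"
    r"(?:\s*\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)[^)]*\))?",
    re.IGNORECASE,
)
TLS_PROTOS = {"ESMTPS", "ESMTPSA", "SMTPS"}  # "with" keywords that imply the hop used TLS

def parse_received(line):
    """Return sender, receiving server, protocol keyword and TLS details, or None if unparsable."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["tls"] = rec["version"] is not None or rec["proto"].upper() in TLS_PROTOS
    return rec

def tls_summary(lines, server):
    """Count TLS vs plaintext hops received BY `server`, with version/cipher breakdown and percentage."""
    summary = {"tls": 0, "plain": 0, "versions": Counter(), "ciphers": Counter(), "senders": {}}
    for line in lines:
        rec = parse_received(line)
        if rec is None or rec["server"].lower() != server.lower():
            continue  # only hops into our own server say anything about our inbound TLS
        if rec["tls"]:
            summary["tls"] += 1
            summary["versions"][rec["version"] or "unknown"] += 1
            summary["ciphers"][rec["cipher"] or "unknown"] += 1
        else:
            summary["plain"] += 1
        summary["senders"][rec["sender"]] = rec["version"] if rec["tls"] else "none"
    total = summary["tls"] + summary["plain"]
    summary["tls_pct"] = 100.0 * summary["tls"] / total if total else 0.0  # the "hidden metric"
    return summary
```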

6
SmarterTools - just saw your email last night about using TLS 1.2 for SmarterMail.  It would be SUPER helpful to have a report of the number of TLS connections being made to and from SmarterMail so we can track protocol support in our environments.  Right now there's NO WAY to see what's being used outside of going thru tedious logs to ascertain what SM is doing one connection at a time.

0
Kyle Kerst Replied
Employee Post
Thanks for your suggestions on this. I'd be happy to get a feature request submitted on this requesting a report detailing those areas. Please stand by and I'll follow up with you there shortly. Have a good one!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Kyle Kerst Replied
Employee Post
Just as a quick follow up on this. I was able to submit a feature request to our product management team for further review. In the meantime, I don't know that these details are available to us at the SmarterMail level due to this occurring in the network side of things, so can't guarantee this is something we can implement unfortunately. Please keep an eye on release notes for updates on this front. Have a good one!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
True, the exact protocol used probably won't be available, but whether or not TLS was used at all, or if the negotiation caused some sort of error, that info should be available.

The biggest thing is whether or not TLS is used / ignored / errors out per connection or per domain - since I guess some domains are bound to different IPs so they may have different certificates and TLS settings.

BTW, this is a GREAT tool to check TLS versions.  However, having the above report would still be needed.
https://ssl-tools.net/mails (outgoing)
