Outbound TLS

March 26, 2020

A recent initiative among the large ISPs and receiving domains is to use the Transport Layer Security protocol (TLS) by default for mail traffic. TLS is a standard for providing cryptographic protection of communication sessions between two systems. It is derived from the earlier Secure Sockets Layer (SSL) standard and replaces it; the two are not the same protocol.

Momentum supports enforced TLS and opportunistic TLS. When TLS is enforced, Momentum will deliver messages only if TLS is successfully negotiated. Opportunistic TLS enables Momentum to deliver messages over TLS if the remote host advertises TLS support and the TLS negotiation succeeds but also provides an option to send the message as plain-text if the TLS negotiation fails.

Configuration

Outbound TLS is configured using options in the ecelerity.conf file. You may configure Momentum to use TLS in the global, domain, binding, or binding_group scope when delivering mail. Momentum 4 supports the OpenSSL and GNUTLS libraries.

**Configuration Change.** Support for GNUTLS is available as of version 4.1 for SMTP reception and SMTP deliveries only. Support for opportunistic TLS is available as of version 4.1.

By default, TLS is disabled. To use TLS, you must change the TLS option in the ecelerity.conf file and configure the following TLS-related options:

Note

If you enable TLS, see “Security Considerations” for information on how to fix the POODLE vulnerability using either the tls_protocols option (for OpenSSL) or the tls_ciphers option (for GNUTLS).

The following is an example configuration in the ecelerity.conf file:

# TLS settings for customer-1
binding "customer-1" {
  # key and certificate presented by this binding when negotiating TLS
  tls_key = "/path/to/customer1.key"
  tls_certificate = "/path/to/customer1.cert"

  # enforce TLS for this partner only; other domains keep the binding's setting
  domain "trusted.partner.example.com" {
    tls = "required"
    tls_ca = "/path/to/customer1/partners.cabundle"
  }
}
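The following is an added example, not Momentum's own code, that ties together the scoped configuration described under "Configuration" and the enforced/opportunistic behaviour described above. It parses a small ecelerity.conf-style fragment (the grammar is approximated from the sample above; the real parser is assumed to be richer), resolves the effective tls options for a binding and destination domain with inner scopes overriding outer ones, and applies the delivery policy: `required` delivers only if TLS negotiates, otherwise the message is deferred; the opportunistic mode falls back to plain text when STARTTLS is not advertised or the handshake fails. The value name `ifavailable` used for opportunistic mode is an assumption, as is the sample configuration itself.

```python
"""Resolve Momentum-style scoped TLS options and apply the delivery policy.

Added example, not Momentum's own code. The ecelerity.conf grammar below is
approximated from the page's sample (scope "name" { key = "value" }); the
option value used for opportunistic TLS ("ifavailable") is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the page's style: a binding with a per-domain override.
SAMPLE_CONF = """
# global default: no TLS
tls = "no"

binding "customer-1" {
  tls = "ifavailable"            # opportunistic for everything on this binding
  tls_key = "/path/to/customer1.key"
  tls_certificate = "/path/to/customer1.cert"

  domain "trusted.partner.example.com" {
    tls = "required"             # enforced for this partner only
    tls_ca = "/path/to/customer1/partners.cabundle"
  }
}
"""

@dataclass
class Scope:
    kind: str                                   # "global", "binding" or "domain"
    name: str
    options: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)  # (kind, name) -> Scope

_OPEN = re.compile(r'^(\w+)\s+"([^"]+)"\s*\{$')
_OPT = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_conf(text):
    """Parse the nested scope/option syntax into a Scope tree (global at root)."""
    root = Scope("global", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            child = Scope(m.group(1), m.group(2))
            stack[-1].children[(child.kind, child.name)] = child
            stack.append(child)
            continue
        m = _OPT.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        stack[-1].options[m.group(1)] = m.group(2)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def effective_options(root, binding, domain):
    """Walk global -> binding -> domain; inner scopes override outer ones."""
    opts = dict(root.options)
    b = root.children.get(("binding", binding))
    if b:
        opts.update(b.options)
        d = b.children.get(("domain", domain))
        if d:
            opts.update(d.options)
    return opts

def delivery_decision(tls_mode, remote_advertises_starttls, handshake_ok):
    """Apply the enforced / opportunistic policy described on the page.

    Returns "deliver_tls", "deliver_plaintext" or "defer".
    """
    negotiated = remote_advertises_starttls and handshake_ok
    if tls_mode == "required":                  # enforced: TLS or nothing
        return "deliver_tls" if negotiated else "defer"
    if tls_mode == "ifavailable":               # opportunistic (assumed value name)
        return "deliver_tls" if negotiated else "deliver_plaintext"
    return "deliver_plaintext"                  # tls = "no" or unset

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for dom in ("trusted.partner.example.com", "other.example.net"):
        mode = effective_options(conf, "customer-1", dom)["tls"]
        # simulate a remote that advertises STARTTLS but fails the handshake
        print(dom, mode, delivery_decision(mode, True, False))
```

Running the block shows the practical difference between the two modes: with a handshake failure the partner domain (required) is deferred, while any other domain on the binding (opportunistic) is still delivered, in plain text. That fallback is exactly why enforced mode is the right choice for partners whose mail must never traverse the network unencrypted.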

Logging Macros

A number of macros are available to enable logging of details about the TLS session used for a delivery attempt. To use these macros, you must load the tls_macros module. See “tls_macros – TLS-related Logging”.