E-Mail encryption is not enabled
What has been found
E-Mail encryption (STARTTLS) is not enabled.
SMTP STARTTLS encrypts the connection between mail servers while a message is being delivered. If it is not enabled, mail can be read as it passes between email providers.
Why this is a potential risk
Attackers can exploit this weakness to read, alter, or spoof email messages in transit. Lack of encryption also undermines compliance with modern security standards and can expose sensitive or confidential data. Email systems that do not enforce encryption increase the organisation’s exposure to data leakage, reputational harm, and regulatory non-compliance.
Potential solutions/Improvements
- Enable STARTTLS: Configure the mail server to support SMTP STARTTLS with a valid and trusted TLS certificate.
- Use modern ciphers: Disable outdated or weak cryptographic protocols and ensure only TLS 1.2 or higher is permitted.
- Implement MTA-STS: Publish an MTA-STS policy to enforce secure transport between mail servers and prevent downgrade attacks.
- Enforce certificate validation: Ensure strict validation of TLS certificates to prevent man-in-the-middle interception.
- Monitor TLS usage: Regularly audit email transmission logs to confirm encryption is consistently applied.
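The MTA-STS item above asks you to publish a policy; the script below is an added example (not the scanner's or any mail server's own code) that parses such a policy file, checks it against the RFC 8461 rules before you publish it, and shows how a sending server decides whether a given MX host is covered. The sample policy, the domain names and the function names (parse_policy, validate_policy, mx_matches, policy_allows_delivery) are all constructed for this example.

```python
"""Parse and sanity-check an MTA-STS policy (RFC 8461) before publishing it.

Added example, not the page's or any mail server's own code.  The policy text
and hostnames below are constructed placeholders.  Standard library only.
"""

# Constructed sample of the file a domain serves at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (announced via a TXT record
# at _mta-sts.<domain> of the form "v=STSv1; id=<policy-version>").
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age must not exceed one year of seconds


def parse_policy(text: str) -> dict:
    """Split 'key: value' lines into a dict; 'mx' may repeat, so it becomes a list."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            if key in policy:
                raise ValueError(f"duplicate field: {key}")
            policy[key] = value
        # Any other key is an extension field, which RFC 8461 says to ignore.
    return policy


def validate_policy(policy: dict) -> list:
    """Return the list of problems found; an empty list means the policy is usable."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= MAX_AGE_LIMIT:
            problems.append(f"max_age must be between 0 and {MAX_AGE_LIMIT} seconds")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if mode in ("enforce", "testing") and not policy["mx"]:
        problems.append("at least one mx entry is required unless mode is none")
    for pattern in policy["mx"]:
        # A wildcard is only allowed as the whole leftmost label ("*.example.net").
        if "*" in pattern and (not pattern.startswith("*.") or "*" in pattern[2:]):
            problems.append(f"wildcard in {pattern!r} must be the leftmost label only")
    return problems


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 matching: '*' stands for exactly one leftmost label, not a subtree."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # "*.example.net" -> ".example.net"
        leftmost = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def policy_allows_delivery(policy: dict, mx_hostname: str) -> bool:
    """In enforce mode a sending MTA must refuse to deliver to an MX matching no entry."""
    return any(mx_matches(pattern, mx_hostname) for pattern in policy["mx"])


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print("problems:", validate_policy(parsed) or "none")
    for host in ("mail.example.com", "mx1.example.net", "a.b.example.net"):
        print(f"{host}: {'allowed' if policy_allows_delivery(parsed, host) else 'refused'}")
```

Start with mode "testing" and a short max_age while you confirm every MX listed in DNS also appears in the policy and presents a certificate valid for its name; only then switch to "enforce", since an enforce-mode policy that omits an MX stops mail to that host.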
How to verify it is resolved:
- Test the mail server with an online tool such as checktls or mxtoolbox.
- Confirm STARTTLS support by checking the Received headers of a delivered message, or by running openssl s_client -starttls smtp -connect mail.domain.com:25 and confirming that the TLS handshake completes.
- Verify that messages are successfully encrypted and that valid certificates are in use.
- Review TLS version and cipher strength to ensure alignment with best practices.
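The verification steps above can be scripted so the result is recorded rather than read off an openssl session. The following is an added example (not the scanner's own check) that connects to a mail server, reads the EHLO capabilities for STARTTLS, upgrades the connection with a certificate-verifying context that refuses anything below TLS 1.2, and reports the negotiated version and cipher. The sample EHLO replies, the placeholder host mail.domain.com and the function names (parse_ehlo, assess, check_starttls) are constructed for this example.

```python
"""Check that an SMTP server advertises STARTTLS and negotiates modern TLS.

Added example, not the scanner's or any vendor's own check.  It does what the
openssl command above does, but records the result so it can be audited.
Hostnames of the form mail.domain.com are placeholders; standard library only.
"""
import smtplib
import ssl
import sys

# Constructed EHLO reply bodies in the form smtplib.SMTP.ehlo() returns them
# (status codes stripped, one capability per line, server greeting first).
SAMPLE_EHLO_WITH_TLS = b"mail.example.com\nSIZE 35882577\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_NO_TLS = b"mail.example.com\nSIZE 35882577\n8BITMIME"


def parse_ehlo(ehlo_body: bytes) -> set:
    """Return the upper-cased extension keywords from an EHLO reply body."""
    lines = ehlo_body.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:                  # line 0 is the greeting, not a capability
        keyword = line.strip().split(" ", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def assess(extensions: set, tls_version=None, cipher=None) -> dict:
    """Turn the raw observations into this finding's resolved / not-resolved verdict.

    tls_version is what ssl.SSLSocket.version() returns (e.g. 'TLSv1.3');
    cipher is the ssl.SSLSocket.cipher() tuple (name, protocol, secret_bits)."""
    starttls = "STARTTLS" in extensions
    modern = tls_version in ("TLSv1.2", "TLSv1.3")
    strong_cipher = cipher is not None and cipher[2] >= 128
    return {
        "starttls_advertised": starttls,
        "tls_version": tls_version,
        "cipher": cipher[0] if cipher else None,
        "modern_tls": starttls and modern,
        "resolved": starttls and modern and strong_cipher,
    }


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, EHLO, and if STARTTLS is offered, upgrade with a verifying TLS context.

    The default context validates the chain and the hostname, so a self-signed
    or mismatched certificate raises ssl.SSLError instead of silently passing."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1 outright
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, body = smtp.ehlo()
        if code != 250:
            return assess(set())
        extensions = parse_ehlo(body)
        if "STARTTLS" not in extensions:
            return assess(extensions)
        smtp.starttls(context=ctx)
        return assess(extensions, smtp.sock.version(), smtp.sock.cipher())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"  # placeholder host
    print(check_starttls(target))
```

Run it against your own MX hosts from a machine that is permitted to make outbound port 25 connections (many networks block that port from workstations); a result with "resolved": False, or an ssl.SSLError from the handshake, tells you which of the steps above is still outstanding.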