SMTP STARTTLS Results
Quick Answer
Yahoo's security team published a study on SMTP STARTTLS deployment quality and found that STARTTLS is widely used but adoption growth has slowed. DuoCircle supports STARTTLS on every inbound and outbound server, on all load balancers and individual nodes. Connections use TLS 1.2 with the ECDHE-RSA-AES128-SHA256 cipher (verifiable via CheckTLS.com). One Yahoo recommendation, signing certificates with a public CA rather than self-signing, is the area DuoCircle is evaluating; self-signed certificates do not weaken the TLS handshake or in-flight security, but a public-CA cert improves verifiability for third-party validators.
The security engineers at Yahoo have just released a study measuring the SMTP STARTTLS Deployment Quality of the modern mail ecosystem. They have concluded that the use of STARTTLS is common and widespread but that growth has faltered in recent years.
At DuoCircle we support STARTTLS on ALL of our inbound and outbound servers: on every load balancer and on each individual node behind them.
One of the recommendations in the Yahoo research is to have all SSL certificates signed by a valid public certificate authority. This is the only part of the process in which we are deficient.
We currently self-sign our certificates. This does not impact the TLS handshake or the security of the encrypted session; a self-signed certificate only limits what a third party can verify about the server's identity. We self-sign because of the size of our clusters and the need to keep every node consistent. We will, however, evaluate deploying a standard wildcard SSL certificate on each of the clustered machines to address this.
Using CheckTLS.com you can validate that we use:
SSLVersion in use: TLSv1.2
Cipher in use: ECDHE-RSA-AES128-SHA256
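The CheckTLS-style check above can be reproduced against your own MX hosts, and the point about self-signed certificates can be observed directly: a verified handshake fails on the chain, yet a second handshake without verification negotiates the same protocol and cipher. The script below is an added example written for this page, not code from DuoCircle, Yahoo or CheckTLS. It uses only the Python standard library; the host and port are placeholders you supply, and the policy floor it grades against (TLS 1.2 or newer, forward-secret key exchange, AEAD cipher preferred) is this example's assumption, not something the post states. Run offline, the grading function flags the page's own cipher, ECDHE-RSA-AES128-SHA256, as a CBC-with-HMAC suite rather than an AEAD one, which is a fact about the suite, not a handshake weakness.

```python
"""Probe an SMTP server's STARTTLS deployment and grade what it negotiates.

Added example, not DuoCircle's, Yahoo's or CheckTLS's code. Standard
library only. Host and port are placeholders you supply; the policy
thresholds below are this example's assumptions.
"""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TLS_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS_VERSION = "TLSv1.2"                 # assumed policy floor
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # OpenSSL-style suite name fragments


@dataclass
class StartTlsReport:
    host: str
    starttls_offered: bool = False
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    cert_verified: Optional[bool] = None    # None: no TLS session was established
    verify_error: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def grade_session(version: str, cipher: str) -> List[str]:
    """Pure policy check on negotiated parameters; returns finding codes.

    An empty list means the session meets the assumed policy. Needs no
    network, so it can be exercised with values such as CheckTLS reports.
    """
    cipher = cipher or ""
    findings = []
    if version not in TLS_VERSION_ORDER or (
        TLS_VERSION_ORDER.index(version) < TLS_VERSION_ORDER.index(MIN_TLS_VERSION)
    ):
        findings.append("weak-protocol")
    if version == "TLSv1.3":
        # Every TLS 1.3 suite is AEAD and every 1.3 key exchange is (EC)DHE.
        return findings
    key_exchange = cipher.split("-")[0]
    if key_exchange not in ("ECDHE", "DHE"):
        findings.append("no-forward-secrecy")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        # e.g. ECDHE-RSA-AES128-SHA256 is AES-128-CBC with HMAC-SHA256.
        findings.append("no-aead")
    return findings


def _negotiate(host: str, port: int, context: ssl.SSLContext,
               timeout: float = 10.0) -> Optional[Tuple[str, str]]:
    """EHLO, then STARTTLS with the given context; return (version, cipher).

    Returns None when the server does not advertise STARTTLS. Closes the
    socket without QUIT so a failed TLS handshake is not masked by a
    second error from the QUIT exchange.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=context)      # raises on handshake or verify failure
        return smtp.sock.version(), smtp.sock.cipher()[0]
    finally:
        smtp.close()


def check_starttls(host: str, port: int = 25) -> StartTlsReport:
    """Try a verified handshake first; on a certificate failure, repeat
    without verification so protocol and cipher are still reported."""
    report = StartTlsReport(host=host)
    strict = ssl.create_default_context()   # system CA store + hostname check
    try:
        result = _negotiate(host, port, strict)
        if result is None:
            return report                   # STARTTLS not offered at all
        report.starttls_offered = True
        report.tls_version, report.cipher = result
        report.cert_verified = True
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate: self-signed, private CA, expired or name
        # mismatch. The encryption itself is unaffected; the retry shows that.
        report.starttls_offered = True
        report.cert_verified = False
        report.verify_error = exc.verify_message
        relaxed = ssl.create_default_context()
        relaxed.check_hostname = False
        relaxed.verify_mode = ssl.CERT_NONE  # diagnostic only, never for real relaying
        retry = _negotiate(host, port, relaxed)
        if retry is not None:
            report.tls_version, report.cipher = retry
    if report.tls_version:
        report.findings = grade_session(report.tls_version, report.cipher)
    if report.cert_verified is False:
        report.findings.append("cert-not-publicly-verifiable")
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"  # placeholder host
    r = check_starttls(target)
    print(f"{r.host}: starttls={r.starttls_offered} {r.tls_version} {r.cipher} "
          f"verified={r.cert_verified} {r.verify_error or ''} findings={r.findings}")
```

Invoke it as `python probe.py mx.example.invalid` (replace the placeholder with a host you operate). Against a server with a self-signed chain the first handshake raises a verification error, the retry reports the same TLS version and cipher, and the report carries `cert-not-publicly-verifiable` alongside any cipher findings; that pair is exactly the distinction the post draws between in-flight security and third-party verifiability. The `CERT_NONE` context exists only to read the negotiated parameters for this diagnostic; a production relay that wants authenticated delivery should keep verification on.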
If you care about security and want an email gateway provider that does also, check out our services.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.