Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.


Enforce TLS

If your organization is required to use TLS for email sent to recipients in specific domains, you can configure outbound email to ensure that TLS (Transport Layer Security) is used for those domains. Enforced TLS forces a secure connection between both the sending and receiving domains. If a secure connection cannot be established, the mail is not sent.

 

like https://www.ibm.com/support/knowledgecenter/en/SSPS94/hybrid/topics/cfg_using_enforced_tls_t.html

  • Guest
  • Jul 31 2018
  • Investigating
  • Guest commented
    31 Jul 14:06

    I personally would rather have it downgrade gracefully if the other side somehow does not use TLS. Please bear in mind that as a company we simply cannot force the party that we correspond with to adhere to our standard.

  • Guest commented
    01 Aug 11:11

    This is what can be done today. But there are requirements in the banking sector saying, "TLS, and nothing but TLS". If TLS is not possible, then e-mail will not be delivered.
    The feature should allow specifying the sending domains, of course.

  • Guest commented
    02 Aug 06:26

    I can confirm the request. I have also met to either email via TLS or nothing.

  • Guest commented
    02 Aug 08:35

    I think you mean that you wanted to specify the recipient domain? How is the recipient classified in that banking requirement: all email sent between banking institutions / all email sent to customers?

    I hope it does not simply say all email correspondence going out of the company must be in TLS?

  • Admin
    Thomas Hampel commented
    06 Aug 13:42

    By default a new server should be using the latest / strongest security settings.

  • Guest commented
    06 Aug 13:52

    Hello Thomas, what I believe is meant here (at least this understanding of the idea is the reason why I support it): Yes, when TLS negotiation is enabled, the server should be using the strongest security available. But what if I want to make absolutely sure? I'd have to enforce TLS. When I do that, I would forbid any emailing to or from servers which may be too old or poorly maintained, for example private servers of customers (e.g. bank to customer). I would possibly lose business.

    On the other hand, I might have some partners/customers etc. I could talk to in case TLS fails for some reason while sending or receiving mails.

    I would like to:

    Negotiate TLS for all senders and addressees I do not know well, and

    Enforce TLS for all senders and addressees I can coordinate with to enhance security.

    Domino does not give this option. Why not make it possible to set such an option in the documents for "Foreign SMTP domain"?

  • Guest commented
    07 Aug 04:18

    I agree with "Guest commented August 6, 2018 13:52". On the one side there are requirements by law or regulation (e.g. GDPR) to enforce TLS encryption to specific domains. On the other side several other domains are not using TLS in any way (in our environment 1/4 of externally sent mail is without TLS/SSL).

    We need a way to force TLS for some domains and leave it as opportunistic for the rest of the world.

  • Guest commented
    07 Aug 15:34

    RouterFallbackNonTLS=1 is the solution?

  • Guest commented
    26 Sep 09:15

    If I understand my customer regarding the requirements by law or regulation (GDPR), it could be a 1st step to have an indicator that documents that a mail was sent with "TLS". A customer must prove that TLS (Transport Layer Security) is used for their domains.

  • Guest commented
    05 Dec 16:27

    Yes, please make it possible to enforce TLS for specific domains only. Additional option on the Foreign SMTP document?
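
The per-domain behaviour requested in this thread (enforce TLS for listed recipient domains, stay opportunistic for the rest, and record which transport was used) is shown below as an added Python example; it is not Domino code or configuration and not from any commenter. `deliver`, `ENFORCED_DOMAINS`, `TLSRequiredError`, the `connect` factory and the `.example` domains are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed policy: recipient domains that must never receive mail in clear text.
ENFORCED_DOMAINS = {"bank.example"}


class TLSRequiredError(Exception):
    """An enforced domain could not be reached over verified TLS."""


def deliver(connect, sender, recipient, message, enforced=ENFORCED_DOMAINS):
    """Send one message; return "tls" or "plaintext" as evidence for the log.

    `connect` (hypothetical) returns a fresh smtplib.SMTP-like connection.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    must_encrypt = domain in enforced
    conn = connect()
    try:
        conn.ehlo()
        secured = False
        if conn.has_extn("starttls"):
            try:
                # The default context verifies the certificate chain and host name.
                conn.starttls(context=ssl.create_default_context())
                conn.ehlo()  # re-read capabilities inside the TLS session
                secured = True
            except (ssl.SSLError, smtplib.SMTPException):
                if not must_encrypt:
                    # Opportunistic domain: retry on a new clear-text session.
                    conn.close()
                    conn = connect()
                    conn.ehlo()
        # Also covers a server (or on-path device) that never offers STARTTLS.
        if must_encrypt and not secured:
            raise TLSRequiredError(f"{domain}: no verified TLS, mail not sent")
        conn.sendmail(sender, [recipient], message)
        return "tls" if secured else "plaintext"
    finally:
        conn.close()
```

The returned value is what a router would write to its delivery log to document, per message, whether TLS was used.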