In Apple Mail, how do you implement TLS security?

OS X Mavericks (from which I'll be migrating shortly to Sierra) doesn't support TLS (Transport Level Security). In Mavericks, it appears that the only security settings remotely of this type made available for POP/IMAP accounts are SSL. Unfortunately, SSL for e-mail is, for the most part, redundant these days. I'm given to understand, though, that Sierra does now provide TLS in its place.


Certainly, as matters stand at present, my e-mail traverses the Internet non-secured (in plaintext). But when I move to Sierra, I gather that Mail, and hence the e-mail account, can be secured by means of some proper TLS settings. Is this the case and, if so, how should the settings be used and, generally, what needs to be done to fully implement TLS in an account configured into Mail?


My e-mail provider, along with most others, now highly recommends that I use TLS. However, I'm comparatively ignorant of the workings of TLS, so can someone enlighten me as to how TLS works? Are there different levels of TLS that can be used; maybe just certification from the source of the message, or instead some form of full encryption/decryption?


Some time ago, I thought that TLS allowed an account's password and body text to be encrypted, preventing any sort of effective eavesdropping en route, but I'm beginning to wonder if that's correct. If encryption's involved, then wouldn't every single e-mail recipient have to also implement TLS? Or does encryption/decryption only take place in in-transit servers?

iMac (27-inch, Late 2013), OS X Mavericks (10.9.2)

Posted on Feb 23, 2017 6:58 AM

5 replies

Feb 23, 2017 8:56 AM in response to carefulowner

carefulowner wrote:


Matt,


Does it matter that I use only POP e-mail (not IMAP)? All my devices are desktops;

Just to confirm mberardinelli's reply: I employ POP for Mail and remembered seeing the TLS option the last time it was set up, so I went back and checked. Below are a couple of screenshots. It's certainly available under macOS Mail but, as said previously, does require support by your mail provider (mine apparently doesn't, so I'm still using SSL).

User uploaded file

User uploaded file

Best of luck.

Feb 23, 2017 7:30 AM in response to carefulowner

Hi there,


Mail in Sierra does in fact support TLS. As long as your email provider uses TLS for their SMTP servers, you will be able to enable it within the Mail app. This can be done by opening Mail > Preferences > choose your email account > Advanced IMAP settings button (in there, you can choose a TLS certificate to use). Information about how to set this up depends on your email provider, so they should have instructions available for you on exactly what to put in there.


The thing to be aware of is that TLS only works if it is being used on the email provider's SMTP server(s). Most do these days, since TLS is essentially a successor to SSL.


In short, the way TLS works is it will establish a connection between the client and the SMTP server by way of a certificate, which authenticates you to the SMTP server. From there, the transmission of your email to and from the SMTP server will be encrypted. This does not, however, affect the security/encryption of the email before it is sent nor after it is received. And whether or not the email will be encrypted from your provider's SMTP server to the recipient's inbound server depends on whether or not the recipient's server is set to use TLS for inbound mail.


There is a really nice article on how TLS works here, and the links at the bottom have a lot of useful info too: https://luxsci.com/blog/smtp-tls-all-about-secure-email-delivery-over-tls.html


I hope this helps!


Cheers,

Matt

Feb 23, 2017 7:45 AM in response to mberardinelli

Matt,


Many thanks for the link. I'll chase that up shortly.


In your reply you gave the path to a setting in Mail where you can choose a TLS certificate, the path ending in the IMAP settings. Does it matter that I use only POP e-mail (not IMAP)? All my devices are desktops; I don't possess any mobile devices of any description, neither am I likely to use webmail, as I'm permanently housebound due to a health problem. Thus, I never need to use webmail/IMAP.


My e-mail provider most definitely provides for TLS, indeed in both directions, smtp and pop. But I'm not sure how that works in the pop (inward) direction. I'll have to press my provider for more info on it.


If I understand correctly then, TLS facilitates encryption of the outgoing e-mail between only yourself and your provider's server. At every stage further beyond the server, the e-mail would be in plaintext. So, essentially TLS helps secure the connection between yourself and the e-mail server, nothing more. And it can do this in the opposite direction too, again for just the last leg of the transit, between the server and yourself.

Feb 23, 2017 8:39 AM in response to carefulowner

Well, TLS will encrypt the email for its entire transit, provided that both your email provider AND the recipient's email provider support it. So we know for a fact that the email being sent by you will be encrypted on its way to your email provider's SMTP server. Whether or not it is encrypted from your SMTP to your recipient depends on the recipient's email provider. These days though, it is pretty common.


Vice versa, when you are receiving an email - it will be encrypted from your SMTP server to your inbox via TLS. But again, whether it was encrypted from the original sender to your SMTP server is dependent on their email provider.


And yes, you should be able to enable TLS in Mail regardless of whether you're using IMAP or POP/SMTP. I just gave IMAP as an example because that happened to be what I was looking at on my own computer 🙂


You can actually check to see which transit legs of an email were (or were not) encrypted by examining the headers on an email. In Mail, choose a message you want to examine, and then go View > Message > All Headers. This will display a bunch of technical info on the top of your email. In there, you can see each server that touched the message in the lines beginning with "Received" (they are in reverse chronological order - so the first server to touch it will be at the bottom of the list). Here you can see whether or not each step used TLS. There is another good article with visual examples of this here: https://luxsci.com/blog/how-you-can-tell-if-an-email-was-sent-using-tls-encryption.html


Cheers,

Matt
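The header check described in the reply above can be scripted. This is an added example, not part of the original thread: the sample message, its host names and the function name `received_hops` are constructed for illustration, and the two TLS annotation formats it recognises are assumptions about how the sending servers write their "Received" lines.

```python
import email
import re

# Constructed sample: hosts, addresses and queue IDs are invented for the demo.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
\tby mailstore.recipient.example (Postfix) with ESMTP id 3CCC;
\tThu, 23 Feb 2017 08:40:03 +0000
Received: from out.provider.example (out.provider.example [198.51.100.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 2BBB;
\tThu, 23 Feb 2017 08:40:02 +0000
Received: from imac.home.example ([192.0.2.10])
\tby out.provider.example with ESMTPSA id 1AAA
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tThu, 23 Feb 2017 08:40:01 +0000
From: alice@provider.example
To: bob@recipient.example
Subject: test

body
"""

# "with" protocol keyword; an S suffix (ESMTPS, ESMTPSA, LMTPS) means TLS (RFC 3848).
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)S?A?)\b", re.I)
# Free-form notes some servers add: "(using TLSv1.2 ...)" or "(version=TLS1_2 ...)".
TLS_RE = re.compile(r"\b(?:using\s+|version=)((?:TLS|SSL)v?[\d._]+)", re.I)

def received_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first
        line = " ".join(value.split())                    # undo header folding
        sender = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        proto = WITH_RE.search(line)
        ver = TLS_RE.search(line)
        keyword = proto.group(1).upper() if proto else None
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": by.group(1) if by else None,
            "protocol": keyword,
            "version": ver.group(1) if ver else None,
            # False means "no TLS recorded", not proof the hop was plaintext.
            "tls": bool(ver) or bool(keyword and keyword.endswith(("S", "SA"))),
        })
    return hops

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], "TLS" if hop["tls"] else "no TLS recorded")
```

Each "Received" line is written by the server that accepted the message, so a recipient can only fully trust the lines added by their own provider; earlier lines are reported by upstream systems and cannot be independently verified.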
