CQ Mail Service STARTTLS.REQUIRED

kprokopi

09-07-2020

A customer is trying to determine the security around using AEM (Forms) with e-mail via the Office 365 SMTP server.

One question remained open:

AEM Forms uses the Day CQ Mail Service, which uses the JavaMail API to send emails. JavaMail provides two options for using STARTTLS: mail.smtp.starttls.enable and mail.smtp.starttls.required. If only the first option is enabled, the documentation states that the connection continues without the use of TLS, which may mean it is not secure enough for the customer's standards.

 

STARTTLS.ENABLED is available via AEM configuration, .REQUIRED is not.

See https://docs.adobe.com/content/help/en/experience-manager-65/communities/administer/email.html

 

They would require clarification from Adobe on whether SMTP with STARTTLS enforces the use of TLS at all times, or whether there is a fallback to non-secure connections in case of misconfiguration or other issues.

 

Can someone shed some light on this? Thanks

 

Kosta

Accepted Solutions (0)

Answers (1)


vishakhav2

09-07-2020

Hi @kprokopi,

If mail.smtp.starttls.required is set to true, it means TLS is supported and a TLS connection can be used.

As mentioned here https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html

 

And for secure connection, both the sender and recipient must use TLS. Enabling SSL is one thing that you can do from your end!
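An added example, not part of either post and not AEM or Adobe code: a stand-alone JavaMail probe that connects to an SMTP server once with only `mail.smtp.starttls.enable` and once with `mail.smtp.starttls.required` as well, and reports whether the session ended up on TLS. The class name `StartTlsProbe`, the placeholder host `smtp.example.com`, port 587 and the 10-second timeouts are assumptions; it needs the JavaMail 1.x (`javax.mail`) jar on the classpath.

```java
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.Session;
import com.sun.mail.smtp.SMTPTransport;

// Hypothetical stand-alone probe (runs outside AEM): shows the effect of the
// two JavaMail STARTTLS properties against a given SMTP server.
public class StartTlsProbe {

    // Connects under one policy and describes the resulting session.
    static String probe(String host, int port, boolean required) {
        Properties props = new Properties();
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", String.valueOf(required));
        props.put("mail.smtp.connectiontimeout", "10000"); // assumed timeout (ms)
        props.put("mail.smtp.timeout", "10000");           // assumed timeout (ms)
        Session session = Session.getInstance(props);
        try {
            SMTPTransport t = (SMTPTransport) session.getTransport("smtp");
            try {
                // No credentials: mail.smtp.auth is unset, so this performs only
                // the greeting, EHLO and, if negotiated, the STARTTLS upgrade.
                t.connect(host, port, null, null);
                return t.isSSL()
                        ? "connected over TLS"
                        : "connected in PLAINTEXT (no STARTTLS upgrade)";
            } finally {
                t.close();
            }
        } catch (MessagingException e) {
            // With required=true this is the expected result when the server
            // does not offer STARTTLS or the command fails.
            return "connect failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Placeholder host; pass the real server and port as arguments.
        String host = args.length > 0 ? args[0] : "smtp.example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 587;
        System.out.println("enable only      : " + probe(host, port, false));
        System.out.println("enable + required: " + probe(host, port, true));
    }
}
```

Against a server that advertises STARTTLS, both lines should report TLS. If the "enable only" line ever reports plaintext while the "enable + required" line reports a failed connect, that is the fallback the JavaMail documentation describes.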