Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

CQ Mail Service STARTTLS.REQUIRED

Kosta_Prokopiu1
Employee
Employee

A customer tries to determine the security around using AEM (Forms) with e-mail via Office 365 SMTP server.

One question remained open:

 

AEM Forms uses Day CQ Mail Service which utilizes JavaMail API to handle sending emails. JavaMail provides two options for using STARTTLS: mail.smtp.starttls.enable and mail.smtp.starttls.required . In case if only first option is enabled, documentation informs that the connection continues without use of TLS, which may mean it can be not secure enough for the customers standards.

 

STARTTLS.ENABLED is available via AEM configuration, .REQUIRED is not.

See https://docs.adobe.com/content/help/en/experience-manager-65/communities/administer/email.html

 

They would require clarification from Adobe if SMTP use STARTTLS enforces using TLS at all times, or if there is fallback to non-secure connections in case of misconfiguration or other issues.

 

Can someone shed some light on this? Thanks

 

Kosta

2 Replies
vishakhav2
Level 2
Level 2

Hi @Kosta_Prokopiu1 ,

 

If mail.smtp.starttls.required is set to true it means TLS is supported and TLS connection can be used.

As mentioned here https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html

 

And for secure connection, both the sender and recipient must use TLS. Enabling SSL is one thing that you can do from your end!

Kosta_Prokopiu1
Employee
Employee

Hi @vishahav2, hello, yes you are right and we know that. The issue here is that according to the documentation mail.smtp.starttls.enable enables the use of TLS but falls back to less secure levels if not supported by both ends. mail.smtp.starttls.required enforces TLS and the connection will fail if not both ends support it. The customer uses AEMs' CQ Mail Service that uses this API but we can only set the .enabled option, not the .required via the API. The customer wants to ensure that only TLS connections go ahead. The documentation does not give any indication that the .required flag is set as well. In that case they could not use the CQ Mail Service. We just want to find out what he state of the implementation is and if a different approach to vanilla CQ Mail service is required.