So, a while back I wrote an article about Office 365’s security and talked about the connection between Outlook and Office 365 and also between the browser and Outlook Web Access (at http://portal.microsoftonline.com). Both are secure. Outlook uses Outlook Anywhere (an RPC session encapsulated within an SSL HTTPS connection) and Outlook Web Access uses a secure SSL HTTPS session.
The question I didn’t answer, however, was what happens to your e-mail when it leaves Office 365. Does it remain encrypted? I’m back now with some answers.
Let’s start with a diagram:
The scenarios where you have mail transfer with Office 365 are:
- Mailbox traffic & Outlook Web Access – covered in Is My Office 365 E-mail Secure? – Part 1: Outlook
- SMTP relay from on premises applications and devices that don’t directly support TLS (more on this in a minute)
- SMTP relay using TLS
- Mail delivery to servers that do not support TLS
- Mail delivery to servers using TLS
TLS can be enabled on Microsoft Exchange systems and is enabled by default on Office 365. TLS has two settings: opportunistic and forced. Opportunistic TLS checks whether the partner in each e-mail conversation also supports TLS and, if it does, the conversation is encrypted. If TLS is not supported, the conversation falls back to standard unencrypted communications. Opportunistic TLS functions “out of the box” for Office 365 and requires no configuration.
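To see which side of that fallback a given partner lands on, here is an added example (not from the original article or from Microsoft) that reads an SMTP EHLO reply for the STARTTLS extension and reports what each setting would do. The EHLO replies are constructed sample data, the host names and policy labels are hypothetical, and "forced" is modelled on the assumption that it refuses delivery when the partner does not offer TLS.

```python
import smtplib

# Constructed EHLO replies (sample data, not captured from real servers).
EHLO_WITH_TLS = (
    "250-mx.partner.example Hello\r\n"
    "250-SIZE 36700160\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-legacy.partner.example Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def advertises_starttls(ehlo_reply: str) -> bool:
    """Return True if a multi-line EHLO reply lists the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-KEYWORD params" or "250 KEYWORD params".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        fields = line[4:].split()
        if fields and fields[0].upper() == "STARTTLS":
            return True
    return False


def delivery_decision(ehlo_reply: str, policy: str) -> str:
    """Outcome for one partner: 'encrypted', 'plaintext' or 'refused'.

    policy is 'opportunistic' or 'forced' (labels used only in this example).
    """
    if policy not in ("opportunistic", "forced"):
        raise ValueError("policy must be 'opportunistic' or 'forced'")
    if advertises_starttls(ehlo_reply):
        return "encrypted"
    # No STARTTLS offered: opportunistic falls back, forced does not deliver.
    return "plaintext" if policy == "opportunistic" else "refused"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check of a real mail server; needs outbound access to port 25."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")
```

Partners for which `delivery_decision(..., "opportunistic")` returns `"plaintext"` are the ones whose mail leaves Office 365 unencrypted by default.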
For more on how to set up an on-premises SMTP relay server see http://support.microsoft.com/kb/2600912.
So, we’ve discovered that:
- E-mail between Office 365 and other mail systems is secure by default (using TLS when supported by the partner mail system) and can be forced to be secure when necessary.
- SMTP relay communications through Office 365 can also be configured to be secure when combined with TLS.
- Communications between Outlook / web browsers and Office 365 are encrypted with SSL.