Securing Email-to-Fax Communications

Administrator -

This article covers the means to secure email communications for the email-to-fax functionality of your XM Fax service: securing emails with SMTP TLS and restraining the authorized sources.

Securing emails with SMTP TLS

The mail servers used for your XM Fax service support TLS for SMTP transmission encryption over the internet. You will find below the information required to configure your email server in order to enable TLS for the communications (in both directions) with our mail servers.

Supported SMTP TLS protocols and ciphers

XMedius follows the industry best practices regarding security and enables only protocols and ciphers that are not known to be vulnerable. As such, TLS 1.0, 1.1 and 1.2 are currently supported and ciphers are selected according to the latest industry standards.

Note that this protocol/cipher support definition is subject to change according to new recommendations.

Securing emails sent by users for faxing

For emails sent by users to our mail systems for faxing, our mail systems support opportunistic TLS via the STARTTLS command, which your mail server can use.

You can therefore enable TLS support for outbound emails in your mail server, and even force the use of TLS for emails sent to the service domain, which depends on the region of your enterprise account:

United States: xmedius.com
Europe: xmedius.eu
Canada: xmedius.ca

Securing emails received by users for notification

For emails sent by the XM Fax service for fax notification/routing, our mail systems will switch to TLS if they are offered STARTTLS among your mail server capabilities.

To enable TLS in this direction, you would typically configure your mail server to offer TLS (opportunistic or forced) to SMTP connections coming from the XMedius mail systems.

Here are the XMedius mail system IP addresses (depending on the region of your enterprise account):

United States: 66.45.112.68, 66.45.112.70, 130.250.131.129, 130.250.131.130, 130.250.131.131
Europe: 195.68.54.86, 84.14.89.114
Canada: 207.35.16.132, 216.208.46.36

Restraining authorized sources

As an additional security measure, you can configure your account to restrain the sources that will be authorized to send faxes by email for your enterprise. For this, you have two alternatives:
  • setting a mail server white list, or
  • enabling email spoofing protection.
Note: Typically, you will need to configure only one of these two options, as their effects overlap. If both are configured, the most restrictive one applies.

Setting a mail server white list

You can enumerate a "White List" of the email relay servers (IP addresses) that will be allowed to submit faxes through your account.

When receiving an email (for faxing) from a user associated with your account, the source IP address can be verified against those entered in the White List.

To configure the White List:

  1. Go to your Enterprise Settings under the Email-to-Fax Security section.
  2. In the Mail Server White List field, enter the IP addresses of the email servers (comma separated) that will be allowed to submit faxes through your XM Fax service. CIDR notation is supported.
    Important: By default, if the White List is left empty, all IP addresses will be accepted.
  3. Do not forget to Update the settings.

Enabling email spoofing protection

You can protect your account against the risks of email spoofing, and so prevent unauthorized sources from sending faxes by email for your enterprise.

More precisely, you have the option to ensure that the sender domain name of emails addressed to your XM Fax service will be systematically verified using the SPF record of your domain, and consequently accept or reject these emails.

To enable this behavior:

  1. Go to your Enterprise Settings under the Email-to-Fax Security section.
  2. Check the option Spoofing Protection.
    Important: Unlike an email client, your XM Fax service is not designed to manage the spam level of the emails intended to be processed as faxes.

    Therefore, if you enable the Spoofing Protection option, you must also make a decision for SPF SoftFail Management: either reject or accept emails if SPF record validation results in SoftFail.

  3. Do not forget to Update the settings.
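
The following Python sketch is an added example, not XMedius code. It pre-checks a Mail Server White List value before you save it, then models how the two options above combine for a given source IP address and SPF result. The function names, the sample value and the mapping of SPF pass to accept and fail to reject are assumptions; SPF results other than pass, fail and softfail are not modelled because this page does not describe them.

```python
import ipaddress

def parse_white_list(value):
    """Split a comma-separated White List value into networks plus a list of
    entries an administrator should review before saving the setting."""
    networks, problems = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an IP address or CIDR block")
            continue
        if ipaddress.ip_interface(entry).ip != net.network_address:
            problems.append(f"{entry}: host bits set, normalizes to {net}")
        networks.append(net)
    if not networks:
        problems.append("empty list: every source IP address is accepted")
    return networks, problems

def white_list_allows(networks, source_ip):
    """Documented default: an empty White List accepts all IP addresses."""
    if not networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def accept_email(networks, source_ip, spoofing_protection, spf_result, reject_softfail):
    """Model of both options together: the most restrictive outcome applies.
    Only SPF pass/fail/softfail are modelled (assumption, see lead-in)."""
    if spf_result not in ("pass", "fail", "softfail"):
        raise ValueError(f"SPF result not covered by this model: {spf_result}")
    if not white_list_allows(networks, source_ip):
        return False
    if spoofing_protection and spf_result == "fail":
        return False
    if spoofing_protection and spf_result == "softfail" and reject_softfail:
        return False
    return True

# Constructed sample value using documentation-range addresses (RFC 5737).
SAMPLE = "203.0.113.25, 198.51.100.0/28, 192.0.2.77/24, mail.example.com"

if __name__ == "__main__":
    nets, problems = parse_white_list(SAMPLE)
    for p in problems:
        print("review:", p)
    print(accept_email(nets, "198.51.100.14", True, "softfail", reject_softfail=True))
```

Run it against the relay addresses your users' mail actually leaves from: an entry such as 192.0.2.77/24 is flagged because it may authorize a whole subnet rather than the single host intended.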