Overview
This article provides clarification on forced TLS encryption for outbound emails. Also, it provides a list of different DLP (Data Loss Prevention) software that can be used to protect the Kerio Connect installation.
Diagnosis
Kerio Connect uses 2 different ports for SMTP communication.
SMTP on port 25 with STARTTLS if TLS encryption is supported. The traffic on port 25 starts as unencrypted and if both sides support TLS, the TLS encryption starts via STARTTLS.
SMTP on port 465 with SSL/TLS. The traffic is encrypted from the start.
Kerio Connect uses opportunistic TLS, meaning that if TLS is enabled in your server and supported by the remote SMTP server then the connection will be negotiated using STARTTLS and use encryption. But if the remote SMTP server does not support it then the connection will continue without encryption.
SSL/TLS option can be disabled through Kerio Connect Webadmin -> Configuration -> SMTP server -> SMTP delivery tab.
Forced TLS is a configurable TLS policy setting which authenticates the destination email domain as a trusted source in addition to following the TLS process. Unfortunately, this technique is not supported by Kerio Connect.
Solution
Kerio Connect provides a built-in data encryption mechanism to protect the user's data. This option is available only for Linux and Virtual Appliance installations. It can be configured from Configuration -> Advanced Options -> Store Directory settings. For more information, please refer to Securing Kerio Connect.
For other platforms, 3rd-party Data Loss Prevention solutions can be configured. Common software options are MyDLP, McAfee, Symantec, DigitalGuardian, etc.