{"id":6355,"date":"2020-04-17T10:42:44","date_gmt":"2020-04-17T03:42:44","guid":{"rendered":"http:\/\/gcloudvn.wam.vn\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/"},"modified":"2023-04-24T10:05:08","modified_gmt":"2023-04-24T03:05:08","slug":"cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac","status":"publish","type":"post","link":"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/","title":{"rendered":"Improve email security in Gmail with default TLS protocol and other new features"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewbox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewbox=\"0 0 24 24\" version=\"1.2\" baseprofile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 
0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Co_gi_thay_doi\" >What\u2019s changing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Ai_bi_anh_huong\" >Who\u2019s impacted<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Tai_sao_lai_quan_trong\" >Why it\u2019s important<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Chi_tiet_them\" >More details<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#TLS_duoc_bat_mac_dinh_tren_tat_ca_dinh_tuyen_mail_moi\" >TLS is enabled by default on all new mail routes<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#To_chuc_chung_nhan_khong_tin_tuong_vao_Gmail\" >Certificate authorities distrusted by Gmail<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a 
class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Kiem_tra_ket_noi_TLS_trong_Admin_console\" >Check TLS connection in Admin console<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Bat_dau\" >Getting started<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Quan_tri_vien\" >Admins<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Thiet_lap_TLS\" >Set up TLS<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Kiem_tra_ket_noi_TLS\" >Check TLS Connection<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Nguoi_dung_cuoi\" >End users<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Toc_do_trien_khai\" >Deployment speed<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/gcloudvn.com\/en\/kienthuc\/cai-thien-bao-mat-email-trong-gmail-voi-giao-thuc-tls-mac-dinh-va-cac-tinh-nang-moi-khac\/#Kha_dung\" >Available now<\/a><\/li><\/ul><\/nav><\/div>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Co_gi_thay_doi\"><\/span><b>What\u2019s changing<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Recently, the Google Security blog reported that usage of the <\/span><span style=\"font-weight: 400;\">Transport Layer Security (TLS)<\/span><span style=\"font-weight: 400;\"> protocol grew to more than 96% of total traffic seen by the Chrome browser on Chrome OS. The blog post also highlights an important goal: enabling TLS by default for Google products and services to ensure that TLS works properly.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Gmail already supports the TLS protocol, so a Simple Mail Transfer Protocol (SMTP) mail connection is more secure whenever it can be secured via TLS. However, to encourage more organizations to increase their email security, and to further the goal of enabling TLS by default, Google has made the following changes:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">TLS connections for email<\/span><span style=\"font-weight: 400;\"> will be enabled by default<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Admins can now test their SMTP outbound mail routing configuration in the Admin console prior to deployment. They no longer need to wait for notification messages.<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">While administrators could always require TLS encryption for mail routes, it was previously disabled by default. 
Note that existing mail routes will not be affected by these changes.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Ai_bi_anh_huong\"><\/span><b>Who\u2019s impacted<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Admins<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Tai_sao_lai_quan_trong\"><\/span><b>Why it\u2019s important<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Google always recommends that administrators enable existing mail security features, including SPF, DKIM, and DMARC, to help protect end users. Google also recommends that administrators enable MTA Strict Transport Security (MTA-STS), which improves Gmail security by requiring encryption and authentication checks for email sent to their domain. Enabling TLS by default on new SMTP mail routes strengthens customers&#039; security and allows administrators to test connections before enforcing TLS on existing routes, making it easier for them to deploy security policy best practices.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">This change will not affect previously created mail routes.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Chi_tiet_them\"><\/span><b>More details<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"TLS_duoc_bat_mac_dinh_tren_tat_ca_dinh_tuyen_mail_moi\"><\/span><b>TLS is enabled by default on all new mail routes<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">With TLS enabled by default for new mail routes, all certificate validation requirements are also enabled by default. 
This ensures that the recipient server has a certificate issued for the correct host and signed by a trusted Certificate Authority (CA). See below for more details on how the requirements for trusted CAs have changed.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Admins can still customize their TLS security settings on newly created mail routes. For example, if mail is forwarded to a third-party mail server or to a mail server that uses a certificate from an internal CA, the administrator may need to disable CA certificate validation. Disabling CA certificate validation, or disabling TLS altogether, is not recommended. We encourage admins to test their SMTP TLS configuration in the Admin console to validate TLS connections to their mail servers before disabling any of the recommended validations. See more details on how to test TLS connections in the Admin console.<\/span><\/p>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"To_chuc_chung_nhan_khong_tin_tuong_vao_Gmail\"><\/span><b>Certificate authorities distrusted by Gmail<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">In the past, the Google Security Blog has highlighted cases where Chrome no longer trusts root CA certificates used to intercept traffic on the public internet, and cases where Chrome distrusts specific CAs.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">If these scenarios happen in the future, these certificates will also be distrusted by Gmail. When this happens, messages sent over TLS-encrypted routes that require CA-signed certificates may bounce if the CA is no longer trusted. 
While the list of root certificates trusted by Gmail can be retrieved from the Google Trust Services repository, we encourage admins to use the Test TLS Connection feature in the Admin console to confirm whether the certificate has been distrusted.<\/span><\/p>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Kiem_tra_ket_noi_TLS_trong_Admin_console\"><\/span><b>Check TLS connection in Admin console<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Admins can now use the new Test TLS Connection feature to verify whether a mail route can successfully establish a TLS connection with full validation to any destination, such as an on-premises mail server or a third-party mail relay, before enforcing TLS on that route.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Bat_dau\"><\/span><b>Getting started<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Quan_tri_vien\"><\/span><strong>Admins<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Thiet_lap_TLS\"><\/span><b>Set up TLS<\/b><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">TLS will be ON by default for all new mail routes. 
We recommend that administrators review all their existing routes and enable all recommended TLS security options for those routes as well.<\/span><\/p>\n<h4 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Kiem_tra_ket_noi_TLS\"><\/span><b>Check TLS Connection<\/b><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Admins who want to require a secure TLS connection for email can now verify that the connection to the recipient&#039;s mail server is valid simply by clicking the Test TLS Connection button in the Admin console; they no longer need to wait for emails to bounce.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">See more about <\/span><a href=\"https:\/\/support.google.com\/a\/answer\/2520500\" target=\"_blank\" rel=\"nofollow noopener\"><span style=\"font-weight: 400;\">requiring mail to be routed through a secure connection (TLS) <\/span><\/a><span style=\"font-weight: 400;\">and <\/span><a href=\"https:\/\/support.google.com\/a\/answer\/2614757\" target=\"_blank\" rel=\"nofollow noopener\"><span style=\"font-weight: 400;\">adding mail routes<\/span><\/a><span style=\"font-weight: 400;\"> in the Help Center.<\/span><\/p>\n<figure id=\"attachment_15735\" aria-describedby=\"caption-attachment-15735\" style=\"width: 400px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15735 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new1.png\" alt=\"All certificate validations are now enabled by default when creating new TLS-compliant settings.\" width=\"400\" height=\"331\" \/><figcaption id=\"caption-attachment-15735\" class=\"wp-caption-text\"><em>All certificate validations are now enabled by default when creating new TLS-compliant settings.<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_15736\" aria-describedby=\"caption-attachment-15736\" 
style=\"width: 400px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15736 size-full\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2020\/04\/new2.png\" alt=\"TLS and all certificate validations are now enabled by default when creating a new mail route.\" width=\"400\" height=\"358\" \/><figcaption id=\"caption-attachment-15736\" class=\"wp-caption-text\"><em>TLS and all certificate validations are now enabled by default when creating a new mail route.<\/em><\/figcaption><\/figure>\n<h3 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Nguoi_dung_cuoi\"><\/span><b>End users<\/b><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"font-weight: 400;\">There is no setup for the end user.<\/span><\/li>\n<\/ul>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Toc_do_trien_khai\"><\/span><b>Deployment speed<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/support.google.com\/a\/answer\/172177\" target=\"_blank\" rel=\"nofollow noopener\"><span style=\"font-weight: 400;\">Rapid and Scheduled Release<\/span><\/a><span style=\"font-weight: 400;\">: Extended rollout (potentially longer than 15 days for feature exposure) starting April 2, 2020<\/span><\/li>\n<\/ul>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Kha_dung\"><\/span><b>Available now<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">All G Suite customers (<a href=\"https:\/\/gcloudvn.com\/en\/\">Google Workspace<\/a>)<\/span><\/li>\n<\/ul>\n<p style=\"text-align: right;\"><strong>Source: Gimasys<\/strong><\/p>","protected":false},"excerpt":{"rendered":"<p>What\u2019s changing Recently, the Google Security blog reported 
that usage of the Transport Layer Security (TLS) protocol grew to more than 96% of total traffic seen by the Chrome browser on Chrome OS. The blog post&hellip;<\/p>","protected":false},"author":1,"featured_media":12616,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6355","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kienthuc","entry","has-media"],"_links":{"self":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/comments?post=6355"}],"version-history":[{"count":0,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6355\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media\/12616"}],"wp:attachment":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media?parent=6355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/categories?post=6355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/tags?post=6355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}