Opportunistic and mandatory TLS
The Email Gateway supports TLS in two forms: opportunistic and mandatory. You can globally enable opportunistic TLS, but you must configure mandatory TLS on connection profiles.
Tell me about...
Opportunistic TLS
With Opportunistic TLS enabled, the Email Gateway automatically offers TLS when communicating with other SMTP servers, and it accepts TLS connections when requested.
If the other server completes the negotiation process, email is delivered or received using an encrypted connection.
On outbound, if the other server offers TLS but the TLS handshake fails, the Email Gateway defers the request and attempts to deliver the message again after five minutes. If the TLS handshake fails on a second attempt, the Email Gateway establishes an unencrypted connection.
If the other SMTP server does not support TLS, the Email Gateway establishes an unencrypted connection.
Mandatory TLS
If Mandatory TLS has been configured for a connection profile, the Email Gateway attempts to establish a TLS connection that meets the requirements specified in the connection.
If the other SMTP server does not offer TLS, the connection is not established and no email is delivered.
If the remote machine advertises TLS, but does not meet one of the requirements of the configured connections, no email is delivered.
For greater flexibility, you can vary the level of certificate validation you want to specify in the TLS connection profile.
What's the key difference between the two forms of TLS?
The key difference between the two forms is that, when using mandatory TLS, the Email Gateway will not establish an unencrypted connection if either of the following happens:
- The other SMTP server does not support TLS.
- The TLS handshake fails.
When using opportunistic TLS, the Email Gateway attempts to establish an encrypted connection but, for outbound delivery, falls back to an unencrypted connection if the other SMTP server does not support TLS.
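The outbound behaviour described above, written out as an added Python example (this is not Email Gateway code). The names open_outbound, connect, Deferred and Refused are hypothetical, and Python's default certificate checks stand in for whatever requirements a connection profile specifies.

```python
import ssl


class Deferred(Exception):
    """Try again later (the page states a five-minute retry)."""


class Refused(Exception):
    """Mandatory TLS not satisfied; no email is delivered."""


def open_outbound(connect, mode, attempt, context=None):
    """Return (session, 'tls' | 'plain') or raise Deferred / Refused.

    connect -- hypothetical callable returning a fresh smtplib.SMTP-like object
    mode    -- 'opportunistic' or 'mandatory'
    attempt -- 1 for the first delivery attempt, 2 for the retry
    """
    if mode not in ("opportunistic", "mandatory"):
        raise ValueError(f"unknown mode: {mode!r}")
    # The default context verifies the certificate chain and host name
    # (assumption: a connection profile would supply its own settings here).
    context = context or ssl.create_default_context()
    smtp = connect()
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        if mode == "mandatory":
            smtp.close()
            raise Refused("peer does not offer TLS")
        return smtp, "plain"  # opportunistic: deliver unencrypted
    try:
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read inside the TLS channel
        return smtp, "tls"
    except OSError as exc:  # ssl.SSLError and smtplib.SMTPException are OSErrors
        smtp.close()  # a failed handshake leaves the socket unusable
        if mode == "mandatory":
            raise Refused(f"TLS requirements not met: {exc}") from exc
        if attempt < 2:
            raise Deferred("handshake failed; retry later") from exc
        smtp = connect()  # second failure: opportunistic falls back
        smtp.ehlo()
        return smtp, "plain"
```

For a real peer, pass a callable such as lambda: smtplib.SMTP(host, 25) as connect, where host is the destination mail server. A message that must never travel in cleartext belongs on the mandatory path, because only that path turns every non-TLS outcome into Refused.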
Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.