TLS and cipher settings

In Secure Email Gateway, Opportunistic TLS is not enabled by default for a new installation. From the Settings tab, you can enable or disable Opportunistic TLS, and specify its TLS version and cipher strength.

 

Opportunistic TLS is a global setting. When enabled, it applies TLS to all your SMTP connections.

Mandatory TLS is a unique setting for an individual connection profile. Mandatory TLS overrides Opportunistic TLS, regardless of its status (enabled globally or disabled).

Use TLS communications

You can enable or disable Opportunistic TLS.

  1. Navigate to System > Encryption > TLS Configuration. The TLS Configuration page is displayed.

  2. Select the Settings tab.

  3. In the Use TLS Communications panel, click Click here to change these settings.

  4. Select the Enable Opportunistic TLS check box to enable the setting. Clear the check box to disable.

  5. Click Save.

  6. Apply the configuration.

TLS version

You can select the minimum version of TLS that your Secure Email Gateway uses for communications.

  1. Navigate to System > Encryption > TLS Configuration. The TLS Configuration page is displayed.

  2. Select the Settings tab.

  3. In the TLS Version panel, click Click here to change these settings.

  4. Select the minimum version of TLS you want to use.

    The default for a new installation is TLS 1.2. If you are upgrading from a previous version of the Gateway, your existing configuration is preserved by the upgrade.

    • TLS 1.0 (not recommended - deprecated)

    • TLS 1.1 (not recommended - deprecated)

    • TLS 1.2 (recommended - default)

    • TLS 1.3

     

    Where possible, Secure Email Gateway attempts to use the selected version or higher.

    For example, if your selection is TLS 1.2 but both servers in a communication support TLS 1.3, the Gateway uses TLS 1.3, providing a more secure protocol.

  5. Click Save.

  6. Apply the configuration.

Minimum cipher strength

You can select a level of encryption for communications.

  1. Navigate to System > Encryption > TLS Configuration. The TLS Configuration page is displayed.

  2. Select the Settings tab.

  3. In the Minimum cipher strength panel, click Click here to change these settings.

  4. Select the cipher strength.

    Cipher strength and description:

    High

      Uses a list of high grade ciphers with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

      Some clients connecting through TLS might stop working when this cipher strength is used. If you experience problems with this option, use Medium.

    Medium

      Uses a list of ciphers with 128-bit encryption.

      This is the default setting.

    Any

      Uses a cipher string that includes all ciphers but excludes those cipher suites that offer no authentication or are export-grade ciphers, which are typically weak.

      If you have an older TLS client (the TLS client is the message sender), you may need to use this option instead of Medium.

    Custom (Experts only)

      Enables you to manually enter a custom cipher set. The cipher string is not validated.

      We recommend that you only enter a custom cipher set if you are familiar with correctly-formed cipher strings, for example, AES128-SHA256.

      Multiple cipher strings can be added; separate them with commas.

    For more information and examples of cipher sets and cipher suite names used for each strength level, refer to the OpenSSL documentation: https://www.openssl.org/

  5. Click Save.

  6. Apply the configuration.
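
Because the Custom option does not validate what you enter, you can check a cipher set on a workstation before saving it. The following is an added example, not part of the product or its documentation: it assumes the Gateway reads each entry as an OpenSSL cipher string (as the reference above suggests) and uses whatever OpenSSL build your local Python is linked against, which may differ from the Gateway's. The function names and the sample value are constructed for illustration.

```python
import ssl


def expand(entry):
    """Return the TLS 1.2-and-below suites one cipher string selects locally.

    Raises ssl.SSLError when the local OpenSSL matches nothing for it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(entry)
    # OpenSSL configures TLS 1.3 suites separately and always lists them,
    # so they say nothing about the entry being checked: skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_custom_cipher_set(value):
    """Check each comma-separated entry on its own.

    OpenSSL ignores an unknown name inside a longer list as long as some
    other entry matches, so a typo goes unnoticed if the list is tested whole.
    """
    report = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            suites = expand(entry)
        except ssl.SSLError:
            report[entry] = {"valid": False, "suites": [], "below_128_bit": []}
            continue
        report[entry] = {
            "valid": True,
            "suites": [c["name"] for c in suites],
            # Anything under 128 bits is weaker than the Medium level above.
            "below_128_bit": [c["name"] for c in suites if c["strength_bits"] < 128],
        }
    return report


if __name__ == "__main__":
    # Constructed sample: one well-formed name and one typo (underscore for hyphen).
    sample = "ECDHE-RSA-AES128-GCM-SHA256, AES128_SHA256"
    for entry, result in check_custom_cipher_set(sample).items():
        status = "ok" if result["valid"] else "NOT RECOGNISED"
        print(f"{entry}: {status} {result['suites']} weak={result['below_128_bit']}")
```

An entry reported as not recognised would be silently dropped from a longer list, leaving a narrower cipher set than intended.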

 

If you change any configuration or policy settings, you must Apply Configuration for the new settings to take effect. You can do this either from the Changes Made panel, or from System > Configuration > Apply Configuration. See Apply new configuration for more information.

If you use Peer Gateways, any configuration changes from a local Gateway can then be applied to all the peers at the same time. See Configure Peer Gateways for more information.
