Configure email security using TLS

As a means of ensuring email security, Secure Email Gateway supports Transport Layer Security (TLS) A cryptographic protocol that provides communication security over the Internet. The successor to Secure Sockets Layer. protocol.

When a TLS communication starts, a client and a server work together to negotiate an encryption algorithm as well as cryptographic keys, and authenticate each other using Public Key Infrastructure (PKI). By completing these steps (i.e. TLS handshake) before exchanging actual data, TLS verifies that the servers sending, or receiving emails, are indeed what their ID indicates that they are, and ensures that the connection between mail servers is encrypted.

Opportunistic TLS and Mandatory TLS

In Secure Email Gateway, there are two forms of TLS: opportunistic and mandatory.

Opportunistic TLS

Opportunistic TLS is a global setting and applies TLS to all your SMTP connections. By default, it is disabled for a new installation. You can configure Opportunistic TLS from: System > Encryption > TLS Configuration.

When Opportunistic TLS is enabled:

• The Gateway automatically offers TLS when communicating with other SMTP servers, and it accepts TLS connections when requested.

• If the other SMTP server completes the TLS handshake process, email is delivered or received using an encrypted connection.

• On outbound, if the other SMTP server supports TLS but the TLS handshake fails, the Gateway defers the request and attempts to deliver the message again after five minutes. If the TLS handshake fails on a second attempt, the Gateway establishes an unencrypted connection.

• If the other SMTP server does not support TLS, then the Gateway establishes an unencrypted connection.

Mandatory TLS

Mandatory TLS is a unique setting for an individual connection profile. You can configure Mandatory TLS from: System > SMTP Settings > Connections.

When Mandatory TLS is enabled:

• The Gateway attempts to establish a TLS connection that meets the requirements defined in the connection profile.

• If the other SMTP server does not support TLS, the connection is not established and no email is delivered.

• If the remote machine advertises TLS, but does not meet one of the requirements of the configured connections, no email is delivered.

• For greater flexibility, you can vary the level of certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. validation you specify in the connection profile.

Difference between Opportunistic and Mandatory TLS The main difference between the two is whether an unencrypted connection is established or not. Opportunistic TLS attempts to establish an encrypted connection, but falls back to an unencrypted connection if the other SMTP server does not support TLS, or the TLS handshake fails. Under the same circumstances, Mandatory TLS does not establish an unencrypted connection.

Where to configure Opportunistic and/or Mandatory TLS from

In the Secure Email Gateway user interface, the settings for Opportunistic and Mandatory TLS are located under a couple of different areas. The following is a basic guide:

Mandatory TLS overrides Opportunistic TLS, regardless of its status (enabled globally or disabled).

Global setting for all connections

What to configure	Location in the UI	How to configure
Opportunistic TLS for all connections	System > Encryption > TLS Configuration	Under the Settings tab, enable Opportunistic TLS and configure related parameters.

 

Unique setting for a connection profile

What to configure	Location in the UI	How to configure
Mandatory TLS Inbound	System > SMTP Settings > Connections	Under the TLS Settings tab, enable Mandatory TLS for the inbound connection profile.

Mandatory TLS Outbound	System > SMTP Settings > Connections	Under the TLS Settings tab, enable Mandatory TLS for the outbound connection profile and configure related parameters.
	System > SMTP Settings > Mail Domains and Routing	Under the Email Routing tab, associate the outbound connection profile with an email route to apply its TLS configuration to the selected route.

If you change any configuration or policy settings, you must Apply Configuration for the new settings to take effect. You can do this either from the Changes Made panel, or System > Configuration > Apply Configuration. See Apply new configuration for more information. If you use Peer Gateways (i.e. when multiple Gateways are peered), any configuration changes from a local Gateway can then be applied to all the peers at the same time. See Configure Peer Gateways for more information.

Tell me about...

• Sample workflow: inbound TLS configuration

  This is an example for setting up inbound TLS from an external domain. It is recommended that when configuring inbound TLS, you start with the weakest option and progress to a stronger one iteratively to ensure that your configuration works as expected.

  Starting with Opportunistic TLS

  1. From System > Encryption > TLS Configuration, enable Opportunistic TLS and configure related parameters (i.e. TLS version and cipher strength). If you have previously configured this, no further changes are required.

  2. Set up the appropriate signing and client certificates.

  3. Have a message sent to you. From Messages > Track Messages, check if the message was received correctly and TLS was used.

  4. You may need to speak to the administrator of the external domain to notify them of the certificates you have in use, if the opportunistic TLS connection fails.

  Transitioning to Mandatory TLS

  These instructions follow on from the steps above.

  1. From System > SMTP Settings > Connections, create a new connection profile.

  2. Set up either a list of client hosts or sender domain names. Setting up client hosts is particularly easy for internal communication, where the list of IP addresses is known. For external communication, you may find configuration easier using sender domains.

  3. When the connection profile has the client hosts or sender domains configured, enable Mandatory TLS for the connection profile and configure related parameters (i.e. encryption strength and client certificate validation).

  4. Experiment with these parameters, using the weakest option first. Adjust them until you are satisfied with the strength of your TLS configuration.

  Adjusting the client certificate validation using Common Name (CN) matching may require negotiation with the administrator of the external domain.

• Sample workflow: outbound TLS configuration

  This is an example for setting up outbound TLS to an external domain. It is recommended that when configuring outbound TLS, you start with the weakest option and progress to a stronger one iteratively to ensure that your configuration works as expected.

  Starting with Opportunistic TLS

  1. From System > Encryption > TLS Configuration, enable Opportunistic TLS and configure related parameters (i.e. TLS version and cipher strength). If you have previously configured this, no further changes are required.

  2. Set up the appropriate signing and client certificates.

  3. Send a message. From Messages > Track Messages, check if the message was delivered correctly and TLS was used.

  4. If the message has gone through, you may want to switch to Mandatory TLS to strengthen your TLS configuration.

  Transitioning to Mandatory TLS

  These instructions follow on from the steps above.

  1. From System > SMTP Settings > Connections, create a new connection profile.

  2. Enable Mandatory TLS for the connection profile and configure related parameters (i.e. TLS version, cipher strength and server certificate validation).

  3. Experiment with these parameters, using the weakest option first. Adjust them until you are satisfied with the strength of your TLS configuration.

  4. From System > SMTP Settings > Mail Domains and Routing, set up the email route, using the connection profile you have created for TLS configuration.

See also...

• TLS and cipher settings

• Required TLS certificates and keys

• Manage Connections

• SMTP Authentication

• Email Routing