Connections

Connections manage the way an SMTP conversation is established and authenticated. A list of configured connections, known as "connection profiles", is displayed in the Manage Connections page.

Configure a connection profile

  1. Navigate to System > SMTP Settings > Connections. The Manage Connections page is displayed.

  2. Email is only allowed out of your organization from servers defined in the connection profile. The [Connection] panel displays the list of your internal corporate email servers.

     

    Usually, the internal email servers are configured during the installation process.

    To edit the existing internal email server:

    • Select the internal email server and click Edit.

    To create a new internal email server:

    • In the Connections panel, click New. Alternatively, click New Connection in the task panel.

    • In the Overview panel, click Click here to change these settings.

    • Enter the Name of the connection profile, and add Notes optionally.

  3. Configure the required tabs and save your changes. For more information on how to configure each tab, see the following sections in this topic.

  4. Apply the configuration.

 

If you change any configuration or policy settings, you must Apply Configuration for the new settings to take effect. You can do this either from the Changes Made panel, or System > ConfigurationApply Configuration. See Apply new configuration for more information.

If you use Peer Gateways (i.e. when multiple Gateways are peered), any configuration changes from a local Gateway can then be applied to all the peers at the same time. See Peer Gateways for more information.

Client Hosts

Define the host machine(s) to which the connection profile applies. You can add internal email servers or external hosts.

  1. Select the Client Hosts tab.

  2. In the Hosts panel, click New. Alternatively, click New Client Host in the task panel. The New Client Host dialog is displayed.

  3. In the Host field, enter the IP address of the server (or range of servers) or the host fully qualified domain name (FQDN) to which this connection profile applies. Entries are validated on input and IPv6 addresses are supported.

     

    You can specify the host name or an IPv4 or IPv6 address in Classless Inter-Domain Routing (CIDR) format. An IPv4 or IPv6 address that has already been entered cannot be duplicated.

    Note that wildcard entries are no longer supported from version 5.2.0 onwards but will be converted to CIDR format upon upgrade. For example, a wildcard entry of 10.100.80.* is converted to 10.100.80.0/24 on upgrade.

  4. Click Add.
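The following is an added example, not part of the product or its documentation. It is a Python sketch for reviewing a list of Client Hosts entries before an upgrade to 5.2.0 or later: it converts legacy wildcard entries to CIDR in the way the example above describes, then reports duplicated and overlapping addresses. The function names, the sample list, and the handling of multi-octet wildcards such as 10.100.*.* are assumptions.

```python
import ipaddress

def normalise_host_entry(entry):
    """Return ("cidr", network) or ("fqdn", name) for one Client Hosts entry."""
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        fixed = [o for o in octets if o != "*"]
        # Assumption: only trailing-octet IPv4 wildcards (a.b.c.*, a.b.*.*) convert.
        if len(octets) != 4 or not fixed or octets[:len(fixed)] != fixed:
            raise ValueError(f"unsupported wildcard: {entry}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return "cidr", ipaddress.ip_network(f"{base}/{8 * len(fixed)}")
    try:
        # strict=False accepts host bits, so 10.100.80.7/24 becomes 10.100.80.0/24
        return "cidr", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "fqdn", entry.lower().rstrip(".")

def audit_client_hosts(entries):
    """Return (normalised, duplicates, overlaps) for a list of raw entries."""
    seen, duplicates, overlaps = {}, [], []
    for raw in entries:
        key = normalise_host_entry(raw)
        if key in seen:
            duplicates.append((seen[key], raw))
            continue
        if key[0] == "cidr":
            for (kind, net), earlier in seen.items():
                same_family = kind == "cidr" and net.version == key[1].version
                if same_family and net.overlaps(key[1]):
                    overlaps.append((earlier, raw))
        seen[key] = raw
    return [str(value) for _, value in seen], duplicates, overlaps

# Constructed sample input, as it might be listed in a pre-5.2.0 profile
SAMPLE = ["10.100.80.*", "10.100.80.0/24", "10.100.80.17",
          "2001:db8::/32", "mail.example.com"]

if __name__ == "__main__":
    normalised, dups, overlaps = audit_client_hosts(SAMPLE)
    print("normalised:", normalised)
    print("duplicates:", dups)
    print("overlapping ranges to review:", overlaps)
```

Overlaps are reported for review only; the page does not state how the Gateway treats a single address that also falls inside a configured range.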

Sender Domains

Define the domains to which the connection profile applies. If the connection profile does not match on host name or IP, it attempts to match on sender email domain name. These restrictions only apply to inbound Mandatory TLS.

If you wish to select the connection profile by Sender Domains, you must enable Opportunistic TLS.

  1. Select the Sender Domains tab.

  2. In the Domains panel, click New. Alternatively, click New Sender Domain in the task panel. The New Sender Domain dialog is displayed.

  3. In the Domain field, enter the sender domain name to which this connection profile applies.

  4. Click Add.

  For an inbound connection, Secure Email Gateway first tries to match the IP address, then the host name, and finally the sender domain name. The host name/IP is also used for relay and authentication. However, the sender domain is only used for inbound TLS, and does not enforce relay or authentication.
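The matching order described above can be modelled as follows. This is an added example, not the Gateway's own code: the profile dictionaries, field names and the select_profile function are hypothetical, and the sample profiles are constructed. It shows that a profile reached only through the sender domain supplies inbound TLS settings but no relay or authentication rights.

```python
import ipaddress

# Constructed profiles; field names are hypothetical, not the Gateway's schema.
PROFILES = [
    {"name": "Internal servers", "networks": ["10.100.80.0/24"],
     "hosts": [], "sender_domains": []},
    {"name": "Partner MTA", "networks": [],
     "hosts": ["mx.partner.example"], "sender_domains": []},
    {"name": "Partner TLS", "networks": [],
     "hosts": [], "sender_domains": ["partner.example"]},
]

def select_profile(client_ip, client_host, mail_from, profiles=PROFILES):
    """Return (profile name, matched_by, applies) using the documented order."""
    ip = ipaddress.ip_address(client_ip)
    host = (client_host or "").lower().rstrip(".")
    sender = mail_from.strip("<> ")
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    def result(profile, matched_by):
        # A sender-domain match selects inbound TLS settings only; the envelope
        # sender is supplied by the client, so it grants no relay or auth rights.
        identity = matched_by in ("ip", "host")
        return profile["name"], matched_by, {
            "inbound_tls": True, "relay": identity, "smtp_auth": identity}

    for p in profiles:                                   # 1. IP address
        if any(ip in ipaddress.ip_network(n) for n in p["networks"]):
            return result(p, "ip")
    for p in profiles:                                   # 2. host name
        if host and host in (h.lower() for h in p["hosts"]):
            return result(p, "host")
    for p in profiles:                                   # 3. sender domain
        if domain and domain in (d.lower() for d in p["sender_domains"]):
            return result(p, "sender_domain")
    return None, None, {}

if __name__ == "__main__":
    print(select_profile("10.100.80.5", "mx.partner.example", "a@partner.example"))
    print(select_profile("203.0.113.9", "unknown.example", "<bob@partner.example>"))
```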

Relay

Manage the way the connection profile relays mail.

  1. Select the Relay tab.

  2. In the Inbound Relay Control panel, click Click here to change these settings.

  3. Select the type of relay control you require for your configured hosts.

    Inbound Relay Control options and their descriptions:

    None
    • Inbound messages will be accepted for managed domains.

    • No relay control is configured to other domains for this connection profile.

    Full
    • This connection profile represents internal corporate mail servers.

    • Connection hosts can send mail to any domain.

    • By default, messages are not checked for spam.*

    Restricted External
    • This connection profile represents external hosts that may send mail to any configured hosted domain.

    • Messages are checked for spam.

    Restricted Internal
    • This connection profile represents internal hosts that may send mail to any configured hosted domain.

    • By default, messages are not checked for spam.*

    Blocked
    • No messages are accepted from this connection profile.

    Note: Mail that is sent and received inside your Hosted Domain is not blocked, unless Spoof Detection is enabled. See Configure Spoof Detection for more information.

      * Messages will be checked for spam if Perform spam checks on outbound messages (Policy > SpamLogic Settings > Spam Policy tab) is enabled.
  4. Click Save.

TLS Settings - Outbound

Allow the connection profile to establish an outbound TLS communication.

  1. Select the TLS Settings tab.

  2. In the Outbound (When Acting as a Client) panel, click Click here to change these settings.

  3. Edit the settings as required. These are used when Secure Email Gateway sends outbound mail through TLS.

    Outbound TLS settings, listed by section, setting and description:

    Setting: Use Mandatory TLS for this connection profile
    • If this check box is selected, the Gateway must establish a TLS connection that meets the requirements set.

    • If TLS is not advertised, the connection is not established and no email is delivered.

    • If TLS is advertised, but does not meet one of the requirements of the configured connection, no email is delivered.

    Section: Supported protocols
    Settings: Use global settings, or TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3

    • Select the version of TLS required for this connection profile.

    • Alternatively, use the global setting configured under System > Encryption > TLS configuration.

    Section: Minimum cipher strength
    Settings: Use global settings, or High, Medium, Any

    • Select the encryption strength required for this connection profile.

    • Alternatively, use the global setting configured under System > Encryption > TLS configuration.

    Section: Server certificate validation
    Setting: Validate the receiving server certificate SAN/CN
    • If this check box is selected, you may encounter difficulties using a fixed IP address for routing.

    • You need to either retrieve the host name of the server or use the DNS in order to avoid issues using this setting.

    Setting: Validation requires SAN/CN to match
    • Select the SAN/CN matching criteria.

    • Subject Alternate Names (SANs) are checked first.

    • You can also add a recipient domain in this field.

  4. Click Save.
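The outbound Mandatory TLS rules above, written out as a decision function. This is an added example that models the documented behaviour and is not the Gateway's implementation: the class and function names are hypothetical, the server descriptions are constructed, the wildcard rule is an assumption, and cipher strength is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OutboundPolicy:            # hypothetical model of the tab's settings
    protocols: frozenset         # accepted versions, e.g. {"TLS 1.2", "TLS 1.3"}
    validate_names: bool = True  # "Validate the receiving server certificate SAN/CN"
    expected_names: tuple = ()   # assumption: route host or configured SAN/CN criteria

@dataclass(frozen=True)
class ServerOffer:               # constructed description of the receiving server
    starttls: bool
    protocol: str = ""
    sans: tuple = ()
    cn: str = ""

def _matches(cert_name, expected):
    cert_name, expected = cert_name.lower(), expected.lower()
    if cert_name.startswith("*."):
        # Assumption: a certificate wildcard covers exactly one left-most label.
        return "." in expected and expected.split(".", 1)[1] == cert_name[2:]
    return cert_name == expected

def mandatory_tls_decision(policy, offer):
    """Return (deliver, reason) for a profile with Mandatory TLS selected."""
    if not offer.starttls:
        return False, "TLS not advertised"
    if offer.protocol not in policy.protocols:
        return False, f"{offer.protocol} not in supported protocols"
    if policy.validate_names:
        for expected in policy.expected_names:           # SANs are checked first
            if any(_matches(san, expected) for san in offer.sans):
                return True, f"SAN matches {expected}"
        for expected in policy.expected_names:           # then the CN
            if offer.cn and _matches(offer.cn, expected):
                return True, f"CN matches {expected}"
        return False, "certificate SAN/CN does not match"
    return True, "TLS requirements met"

if __name__ == "__main__":
    by_name = OutboundPolicy(frozenset({"TLS 1.2", "TLS 1.3"}), True, ("mx.partner.example",))
    by_ip = OutboundPolicy(frozenset({"TLS 1.2", "TLS 1.3"}), True, ("192.0.2.10",))
    server = ServerOffer(True, "TLS 1.3", ("*.partner.example",), "partner.example")
    print(mandatory_tls_decision(by_name, server))
    print(mandatory_tls_decision(by_ip, server))   # the fixed-IP routing difficulty
```

The second call shows why validation is awkward with a fixed IP address for routing: a certificate that carries only DNS names cannot match an IP address.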

TLS Settings - Inbound

Allow the connection profile to establish an inbound TLS communication.

 

Mandatory TLS overrides Opportunistic TLS, regardless of its status (enabled globally or disabled).

  • If Mandatory TLS is configured on this profile, this takes precedence over the global setting (Opportunistic TLS).

  • If Mandatory TLS is not configured on this profile, the global setting (Opportunistic TLS) is used.

SMTP AUTH

Apply SMTP authentication to specify the authentication mechanism that is required for inbound SMTP traffic that uses the connection profile.

  1. Select the SMTP AUTH tab.

  2. In the Inbound SMTP Authentication panel, click Click here to change these settings.

  3. Select the Enable SMTP Authentication on inbound connections check box to enable the authentication.

  4. Enter the credentials required to complete the connection.

      When setting up the user name and password on a connection profile, be aware that the user names apply across all connection profiles and can, therefore, only be used once.
  5. Click Save.

  You can apply SMTP authentication credentials to outgoing mail, provided you know the appropriate user name and password. See Email Routing for more information.

Recover SMTP authentication credentials

The Gateway securely stores your settings for each connection. If you need to recover the credentials that you specified for inbound traffic, you can email them in plain text (user name and password) to the administrator account.

  1. In the Connections panel, select a connection and click Edit.
  2. Click Send Credentials in the task panel and click Yes to confirm.
