Setting Up Inbound TLS

Setting up inbound TLS involves these steps:

* Prepare your mail server for TLS
* Test your mail server's TLS configuration
* Configure TLS for inbound servers

Each step is described in detail below.

On the same page as inbound TLS, you can also configure inbound Policy Enforced TLS. For more information about Policy Enforced TLS, see About Policy Enforced TLS.

Follow these steps to set up inbound TLS on each mail server you want to configure.

Prepare Your Mail Server for TLS

Enabling TLS delivery requires enabling TLS on your mail server. Following are the steps required:

1. Turn on TLS for the Outbound service in the Administration Console.

You only need to turn on TLS for Outbound if your outgoing mail is delivered through the Outbound service.

WARNING: You must turn on TLS for Outbound service in the Administration Console before enabling TLS on your mail server.

Some mail servers, specifically Microsoft Exchange 2000/2003, defer your outgoing mail if TLS is enabled first. If you find that messages are queued, be sure that TLS is disabled on your mail server, then turn on TLS in the Administration Console, and enable TLS on your mail server.

Similarly, to turn off TLS for outbound service, you must disable TLS on Exchange before making changes to the Outbound TLS settings in the Administration Console.

2. Obtain or create a certificate for your mail server.

To obtain or create a certificate, contact an appropriate security vendor; the email protection service does not provide tools for obtaining or creating a certificate. More information may be available through support.

3. Install the certificate and configure TLS on your mail server.

Important: TLS support requires that you install your certificate and configure TLS on your mail server. This procedure may require some research and technical configuration on your part. Please consult your mail server documentation for information on enabling TLS.

Guidance for configuring the most common mail servers may be available through support; otherwise, consult the documentation and support for your mail server.

Test Your Mail Server’s TLS Configuration

You can check whether your mail server will accept TLS connections by using telnet from your mail server to the server software itself. The lines beginning with > are the commands you type; the other lines are the server's responses:

> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.com Wed, 08 Feb 2007 08:05:03 -0700 (PDT)
> ehlo localhost
250-mail.domain.com Hello localhost [127.0.0.1], pleased to meet you
250-STARTTLS
> starttls
220 2.0.0 Ready to start TLS

If you have other ESMTP options enabled, you will see additional lines of the form 250-OPTIONNAME, not only 250-STARTTLS. A 200-series response (here, 220) to your starttls command confirms that your mail server will accept TLS connections.
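The same check, scripted, as an added example that is not part of this documentation: parse_ehlo_reply and starttls_accepted reproduce the manual telnet test on captured reply text (the sample reply is constructed from the transcript above, with a SIZE option added to show the multi-line form), and probe_starttls runs the test live with Python's standard smtplib, which lets you verify the server from outside your network rather than only from localhost. The host name passed to probe_starttls is a placeholder; certificate verification is left on so a certificate the service cannot validate shows up as a failure.

```python
"""Check that a mail server advertises STARTTLS and accepts the STARTTLS command."""
import smtplib
import ssl

# Constructed EHLO reply, modelled on the telnet transcript in the text.
SAMPLE_EHLO = (
    "250-mail.domain.com Hello localhost [127.0.0.1], pleased to meet you\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_reply(reply: str) -> dict:
    """Parse a multi-line ESMTP EHLO reply into {EXTENSION: parameters}.

    Every line starts with 250; continuation lines use '250-' and the final
    line uses '250 '. The first line is the server greeting, not an extension.
    """
    lines = [ln for ln in reply.strip().splitlines() if ln.strip()]
    if not lines or not all(ln[:3] == "250" for ln in lines):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for ln in lines[1:]:  # skip the greeting line
        if len(ln) < 4 or ln[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {ln!r}")
        keyword, _, params = ln[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_accepted(reply: str) -> bool:
    """True when the reply to STARTTLS is a 200-series code (the text expects 220)."""
    code = reply.strip()[:3]
    return code.isdigit() and code[0] == "2"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Connect, require the STARTTLS extension, negotiate TLS and return the TLS version."""
    ctx = ssl.create_default_context()  # verifies the server certificate and host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        code, msg = smtp.starttls(context=ctx)
        if code // 100 != 2:
            raise RuntimeError(f"STARTTLS refused: {code} {msg!r}")
        return smtp.sock.version()


if __name__ == "__main__":
    print(parse_ehlo_reply(SAMPLE_EHLO))
    print(probe_starttls("mail.example.com"))  # placeholder host: use your own server
```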

For details verifying whether a message was transmitted via TLS, see Received Header Field.

You can also view a report of TLS activity with your service. See TLS Reports for more information.

Configure TLS for Inbound Servers

Following is the procedure to enable TLS connections for inbound email. TLS connections are configured separately for each email config.

By default, TLS inbound support is turned off.

1.

2.
3.

Following are descriptions of each delivery option:

* No TLS connections from the email protection service to your server. In other words, this is the "off" setting. If a message is sent via TLS, it is received by the email protection service in encrypted form, but delivered to your server unencrypted via SMTP.

* If a message is sent via TLS, the email protection service delivers it to your server via TLS if possible, and otherwise via SMTP. If the message is sent via SMTP, the email protection service delivers it to your server via SMTP. The message is therefore delivered to match the sender's preference whenever possible. This is the recommended setting: it provides end-to-end TLS connections, and the impact on your server's performance is relatively low.

* All messages are delivered from the email protection service to your mail server using TLS if possible. Recipient servers that do not support TLS receive their mail via SMTP. Messages, whether sent via SMTP or TLS, are encrypted and sent via TLS from the email protection service.

This setting is not recommended because of the possibility of high load on your server. Because the TLS protocol uses encryption, your mail server must negotiate the encryption for each SMTP connection and decrypt every packet it receives. This impacts server performance.

* Send all messages by TLS. Mail sent to recipient servers that do not support TLS will be deferred. This impacts server performance.

4.