Certificate Validation

Policy Enforced TLS can analyze and validate TLS certificates, and block sessions that use malformed or spoofed certificates. When outbound mail is sent to a domain that is configured for Certificate Validation, Policy Enforced TLS verifies the format, source, and domain of the certificate. You can specify different validation settings for each domain.

Set up Certificate Validation for each domain on the Outbound TLS settings page, under the heading “Domain-Specific Setting for Outbound TLS.”

To set up Certificate Validation:

Scope of Certificate Validation

Certificate Validation examines SSL certificates to verify a recipient’s identity. The standard that defines TLS, RFC 2487, states clearly that the possibility of multiple hops during email delivery makes TLS certificates unsuitable for authenticating a sender's identity (inbound messages).

To comply with the standard, Certificate Validation authenticates the recipient’s identity for only outbound Policy Enforced TLS. Certificate Validation is not used for inbound mail because the RFC standards do not support this use.

Certificate Validation Settings

Certificate Validation is a powerful tool to protect your secure connection from spoofing and invalid certificates. However, it will also interrupt mail flow if the recipient’s certificate is not set up correctly. If protection from spoofing and invalid certificates is not a major concern, use Encrypt Only. Use Certificate Validation if you wish to set up regular, ongoing secure connections with a specific partner for extremely sensitive information.

Note: If you set up Certificate Validation, be sure to set up TLS Alerts as well, so you will know if a problem occurs. For more information, see TLS Alerts.

Certificate Validation settings are described below.

Encrypt Only

Behavior: Policy Enforced TLS extracts the keys from the server certificate, completes the TLS handshake, and begins the encrypted session. No further verification takes place. Errors that prevent key extraction result in a bounced connection, but any other certificate-related errors are ignored.

Recommendations: This setting provides the most reliable delivery of encrypted mail, and is recommended in most cases. Use if you wish to allow a TLS connection even with malformed or out-of-date certificates. This setting allows encrypted communication even if the recipient’s certificate is invalid, as long as the certificate is functional.

Verify Cert

Behavior: Confirms that the certificate has proper form and syntax. Ensures that certificates are well-formed, but provides no protection against spoofing. Policy Enforced TLS ends the session if any certificate errors occur, but allows an out-of-date certificate, a self-signed certificate, or a certificate issued by an unknown Certificate Authority.

Recommendations: This setting can be used to detect any problems with the TLS certificate. If you wish to block malformed certificates, and detect any certificate problems, use this setting. This setting provides increased verification, but may stop some outbound mail.

Check Trust

Behavior: In addition to the certificate tests in Verify Cert, also verifies that the certificate is from a known valid Certificate Authority. Does not allow a self-signed certificate or certificate from an unknown trust. Requires a complete certificate chain. Will also block any certificate linked to an IP address instead of a hostname. Ends the mail session if the trust check fails.

Recommendations: This is a very stringent setting and can cause problems with outbound mail flow to the recipient if the recipient’s certificate is not properly prepared. Contact your recipient before you use this setting, and send at least a few trial messages to test that mail flow is not interrupted. This setting provides secure delivery and protection against spoofing, but may interrupt delivery if the certificate is not signed properly.

Check Domain

Behavior: In addition to the certificate tests in Verify Cert and Check Trust, also confirms that the domain in the certificate matches the domain of the server host. If there is a wildcard in the domain certificate, the recipient’s domain must match the wildcard. Will also block any certificate linked to an IP address instead of a hostname. Ends the session if the domain check fails.

Recommendations: This is the most stringent setting and will cause outbound mail to fail if the domain in the certificate does not match the domain of the recipient’s mail server. Contact your recipient before you use this setting, and send at least a few trial messages to test that mail flow is not interrupted. Be aware that mislabeled domains in TLS certificates are not uncommon; if your recipient is using a different domain name in certificates, mail flow will be interrupted. This setting provides the most secure delivery and protection against spoofing, but has a high risk of mail flow interruption.
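The four settings above build on one another: each level keeps the checks of the level before it and adds stricter ones. As an added illustration, not Postini's own code, here is a Python model of the decision made at each level, run against constructed certificate summaries. The CertInfo fields, sample_cert, SAMPLE_NOW and the single-label wildcard rule are assumptions about what a TLS library would report, chosen to match the behavior described on this page.

```python
"""Model of the four Certificate Validation levels (added example, not Postini code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
import ipaddress


class Level(Enum):
    ENCRYPT_ONLY = "Encrypt Only"
    VERIFY_CERT = "Verify Cert"
    CHECK_TRUST = "Check Trust"
    CHECK_DOMAIN = "Check Domain"


@dataclass
class CertInfo:
    """Hypothetical summary of a parsed server certificate (constructed for this example)."""
    names: list                     # subject names: DNS names (may be wildcards) or IP literals
    not_before: datetime
    not_after: datetime
    parseable: bool = True          # form and syntax are valid
    key_extractable: bool = True    # public key usable for the handshake
    self_signed: bool = False
    issuer_known: bool = True       # chains to a known Certificate Authority
    chain_complete: bool = True     # all intermediates were presented


@dataclass
class Decision:
    allowed: bool                   # True: session proceeds; False: session ended
    reasons: list = field(default_factory=list)


SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def sample_cert(**overrides) -> CertInfo:
    """Constructed certificate summary that passes every check; override fields to break it."""
    base = dict(names=["*.example.com"],
                not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2025, 1, 1, tzinfo=timezone.utc))
    base.update(overrides)
    return CertInfo(**base)


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a wildcard covering exactly one leading label (assumed rule)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def evaluate(cert: CertInfo, level: Level, recipient_host: str, now: datetime) -> Decision:
    """Apply the checks each level adds on top of the previous one and explain the outcome."""
    d = Decision(True)
    # Every level: a key that cannot be extracted bounces the connection.
    if not cert.key_extractable:
        d.allowed = False
        d.reasons.append("public key could not be extracted: connection bounced")
        return d
    if level is Level.ENCRYPT_ONLY:
        d.reasons.append("no further verification performed")
        return d

    # Verify Cert: form and syntax only; an out-of-date certificate is reported but tolerated.
    if not cert.parseable:
        d.allowed = False
        d.reasons.append("malformed certificate")
    if not (cert.not_before <= now <= cert.not_after):
        d.reasons.append("warning: certificate is out of date")
    if level is Level.VERIFY_CERT:
        return d

    # Check Trust: known CA, complete chain, and a hostname rather than an IP address.
    dns_names = [n for n in cert.names if not is_ip_literal(n)]
    if cert.self_signed:
        d.allowed = False
        d.reasons.append("self-signed certificate")
    if not cert.issuer_known:
        d.allowed = False
        d.reasons.append("issuer is not a known Certificate Authority")
    if not cert.chain_complete:
        d.allowed = False
        d.reasons.append("incomplete certificate chain")
    if not dns_names:
        d.allowed = False
        d.reasons.append("certificate is bound to an IP address, not a hostname")
    if level is Level.CHECK_TRUST:
        return d

    # Check Domain: the recipient's mail server name must match a name in the certificate.
    if not any(name_matches(n, recipient_host) for n in dns_names):
        d.allowed = False
        d.reasons.append(f"no certificate name matches {recipient_host}")
    return d


if __name__ == "__main__":
    partner = sample_cert(self_signed=True)   # typical cause of Check Trust failures
    for level in Level:
        print(level.value, evaluate(partner, level, "mail.example.com", SAMPLE_NOW))
```

Running the block shows the same self-signed certificate passing Encrypt Only and Verify Cert but failing Check Trust and Check Domain, which is the trial-message behavior the recommendations above tell you to look for before enabling the stricter settings. The wildcard rule (one label only) is why a certificate for *.example.com does not match example.com itself.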

Change the Default Certificate Validation Setting

You can change the default setting as well. When you add a new domain to Policy Enforced TLS, it will use this Certificate Validation setting.

To change the default Certificate Validation setting:

Go to Outbound TLS settings in the Administration Console.
