IMAP-Proxy: TLS

Transport Layer Security (TLS) provides additional data security for IMAP. The TLS protocol provides communications security over the Internet and allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but offers improved data security.

TLS for IMAP-Proxy is supported in Fireware OS v12.1 and higher.

Enable Content Inspection

To enable content inspection, select an option from the TLS Support drop-down list. The port list is updated based on the configured TLS Support option.

  • Disabled — IMAP proxy listens on port 143 only
  • Enabled — IMAP proxy listens on ports 143 and 993 (default)
  • Required — IMAP proxy listens on port 993 only

You can only configure TLS settings when TLS Support is set to Enabled or Required. For more information about the IMAP policy properties, see About Policy Properties.

IMAP Proxy Action Settings

In the Content Inspection Settings dialog box, you can configure these settings:

Screen shot of the TLS settings for an IMAP proxy action in Fireware Web UI

Screen shot of the TLS settings for an IMAP proxy action in Policy Manager

Content Inspection Summary

To view the settings for a TLS profile, select a TLS profile from the drop-down list.

  • SSLv3 — Shows whether SSLv3 is enabled or disabled for that TLS profile.
  • OCSP — Shows whether OCSP is set to disabled, lenient, or strict for that TLS profile.
  • PFS Ciphers — Shows whether PFS Ciphers is set to allowed, required, or none for that TLS profile.
  • SSL Compliance — Shows whether SSL Compliance is enforced or not enforced for that TLS profile.

Action

The options for TLS in an IMAP proxy action:

  • Allow — Select this option to allow the packet to go to the recipient, even if the content contains a virus.
  • Inspect — Select this option to inspect the packet before it is sent to the recipient.

Policy TLS Settings

TLS Settings apply only to policies that have TLS Support enabled or required. Some policies with this proxy action might have TLS Support disabled. TLS Support can be set to Enabled or Required on the IMAP policy Properties tab. For more information about the IMAP policy properties, see About Policy Properties.

Click View to see each policy and verify whether TLS Support is enabled for that policy.

Clone or Edit TLS Profile

Clone or Edit TLS Profile allows you to configure the settings for the TLS profile. For more information about cloning or editing predefined and user-defined proxy actions, see About Proxy Actions.

Allow SSLv3

SSLv3 and TLSv1 are protocols used for secure connections. SSLv3 is not as secure as TLSv1. By default, the IMAP proxy only allows connections that negotiate the TLSv1 protocol. If your users connect to client or server applications that only support SSLv3, you can configure the IMAP proxy to use SSLv3 for connections to those applications.

To enable SSLv3, select the Allow SSLv3 check box. This option is disabled by default.

Enabling SSLv3 increases the vulnerability of your network. SSLv3 should only be enabled for a specific need, such as backward compatibility with legacy systems on internal networks.

Allow only TLS-compliant traffic

This option enables the IMAP proxy policy to allow only traffic that is compliant with the TLS 1.0, TLS 1.1, and TLS 1.2 protocols.

Only TLS protocol messages that adhere to TLS standards that are considered secure, and that can be interpreted by the IMAP proxy, are allowed. This option is automatically enabled when you enable content inspection.

When content inspection is enabled and TLS-compliant traffic has established a secure tunnel through the IMAP proxy, tunneled traffic that does not use a valid TLS protocol causes the IMAP proxy action used for inspection to prompt the Firebox to send a log message about the errors and drop the traffic. If content inspection is disabled, the IMAP proxy listens on port 443 only.

For more information on how to enable content inspection, see IMAP-Proxy: TLS.
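The two checks described in the Allow SSLv3 and Allow only TLS-compliant traffic sections can be illustrated on the first record a client sends. The following is an added example, not Fireware code: it parses a TLS record header and ClientHello, accepts TLS 1.0 to 1.2, and treats SSLv3 as an explicit exception controlled by an `allow_sslv3` flag (the sample records, the `build_client_hello` helper, and the drop-reason strings are all constructed here).

```python
import struct

SSLV3 = 0x0300
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, CLIENT_HELLO = 22, 1  # TLS record content type and handshake message type


def build_client_hello(record_version: int, hello_version: int) -> bytes:
    """Constructed test input: a minimal ClientHello record, not a full handshake."""
    body = struct.pack(">H", hello_version) + b"\x00" * 32          # client_version + random
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", HANDSHAKE, record_version, len(handshake)) + handshake


def classify(record: bytes, allow_sslv3: bool = False) -> str:
    """Return 'allow' or 'drop:<reason>' for the first record of a client connection.

    Mirrors the two settings on this page: only TLS 1.0-1.2 ClientHellos that
    parse cleanly pass; an SSLv3 ClientHello passes only when allow_sslv3 is set.
    Anything that is not well-formed TLS is dropped with a loggable reason.
    """
    if len(record) < 5:
        return "drop:short record"
    ctype, _record_version, length = struct.unpack(">BHH", record[:5])
    if ctype != HANDSHAKE:
        return "drop:not a handshake record"
    hs = record[5:]
    if len(hs) != length:
        return "drop:record length mismatch"
    if len(hs) < 6 or hs[0] != CLIENT_HELLO:
        return "drop:not a ClientHello"
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        return "drop:handshake length mismatch"
    hello_version = struct.unpack(">H", hs[4:6])[0]  # version the client offers
    if hello_version == SSLV3:
        return "allow" if allow_sslv3 else "drop:SSLv3 not allowed"
    if hello_version in TLS_VERSIONS:
        return "allow"
    return f"drop:unsupported version 0x{hello_version:04x}"


if __name__ == "__main__":
    for rec_v, hello_v in ((0x0301, 0x0303), (0x0300, 0x0300), (0x0002, 0x0002)):
        rec = build_client_hello(rec_v, hello_v)
        print(f"hello 0x{hello_v:04x}: {classify(rec)} / with SSLv3 allowed: {classify(rec, True)}")
```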

Use OCSP to validate certificates

This option applies only to client proxy actions. Server proxy actions do not validate certificates.

Select this check box to enable your Firebox to automatically check for certificate revocations with OCSP (Online Certificate Status Protocol). When this feature is enabled, your Firebox uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, your Firebox disables the certificate.

If you select this option, there can be a delay of several seconds while your Firebox requests a response from the OCSP server. The Firebox retains between 300 and 3000 OCSP responses in a cache to improve performance for frequently visited websites. The number of responses stored in the cache is determined by your Firebox model.

This option implements a Lenient OCSP policy. If the OCSP server cannot be contacted for any reason and does not send a response, the Firebox does not disable the certificate or break the certificate chain. Only revoked certificates are considered invalid.

The OCSP specification defines the following definitive response indicators for use in the certificate status value:

  • Good — This state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that no certificate with the requested certificate serial number currently within its validity interval is revoked. This state does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate, such as a positive statement about issuance, validity, etc.
  • Revoked — This state indicates that the certificate has been revoked, either temporarily (the revocation reason is certificate Hold) or permanently. This state MAY also be returned if the associated CA has no record of ever having issued a certificate with the certificate serial number in the request, using any current or previous issuing key (referred to as a "non-issued" certificate in this document).
  • Unknown — This state indicates that the responder doesn't know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.

If a certificate cannot be validated, the certificate is considered invalid.

When this option is enabled, the Firebox enforces a Strict OCSP policy. If an OCSP responder does not send a response to a revocation status request, your Firebox considers the original certificate as invalid or revoked. This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection. Only certificates with a good response indicator are considered valid.
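The difference between the Lenient policy above and this Strict policy is how a missing OCSP response is treated. The following added example (hypothetical model, not Fireware code) shows the two decision rules side by side together with a bounded response cache; the `responder` callable, the serial numbers, and the `cache_size` value are constructed stand-ins for a real OCSP server and for the model-dependent 300 to 3000 entry cache.

```python
from collections import OrderedDict

GOOD, REVOKED, UNKNOWN, NO_RESPONSE = "good", "revoked", "unknown", "no_response"


class OcspValidator:
    """Hypothetical model of Lenient and Strict OCSP handling.

    `responder` is a callable(serial) -> GOOD | REVOKED | UNKNOWN that raises
    TimeoutError or ConnectionError when the OCSP server cannot be contacted.
    `cache_size` stands in for the model-dependent cache (300 to 3000 entries).
    """

    def __init__(self, responder, strict: bool, cache_size: int = 300):
        self.responder = responder
        self.strict = strict
        self.cache_size = cache_size
        self.cache = OrderedDict()   # serial -> definitive status, in LRU order
        self.lookups = 0             # network round trips actually made

    def status(self, serial: str) -> str:
        if serial in self.cache:
            self.cache.move_to_end(serial)
            return self.cache[serial]
        self.lookups += 1
        try:
            result = self.responder(serial)
        except (TimeoutError, ConnectionError):
            return NO_RESPONSE       # not a definitive answer, so it is never cached
        self.cache[serial] = result
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the least recently used entry
        return result

    def is_valid(self, serial: str) -> bool:
        s = self.status(serial)
        if self.strict:
            return s == GOOD         # Strict: only a Good answer passes (fails closed)
        return s != REVOKED          # Lenient: only a definitive Revoked fails (fails open)


# Constructed responder: fixed answers per serial, plus one serial that always times out.
_ANSWERS = {"1001": GOOD, "1002": REVOKED, "1003": UNKNOWN}


def sample_responder(serial: str) -> str:
    if serial == "1004":
        raise TimeoutError("OCSP responder unreachable")
    return _ANSWERS[serial]
```

Under Lenient, serial 1004 (no response) and 1003 (Unknown) are both accepted; under Strict, both are rejected, which is the routing-error caveat stated above.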

Perfect Forward Secrecy Ciphers

The IMAP proxy supports PFS-capable ciphers for TLS connections. Fireware supports only Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) ciphers for PFS.

To control whether the Firebox uses PFS-capable ciphers, choose one of these options:

  • None — The Firebox does not advertise or select PFS-capable ciphers.
  • Allowed — The Firebox advertises and selects both PFS-capable and non-PFS-capable ciphers.
  • Required — The Firebox advertises and selects only PFS-capable ciphers.

The setting you select applies to both client and server side TLS connections. When this option is set to Allowed, the client does not use a PFS-cipher unless the server also uses one.

Perfect Forward Secrecy Ciphers require significant resources and can impact system performance on Firebox T10, T15, T30, T35, T50, XTM 25, XTM 26, and XTM 33 devices.

The cipher name used for client/server TLS sessions appears in the IMAP content inspection traffic log messages generated by the Firebox. For more information about log messages, see Types of Log Messages.

Screen shot of the Clone / Edit TLS Profile dialog in Fireware Web UI

Screen shot of the Edit TLS Profile dialog in Policy Manager

See Also

About Proxy Actions

About the IMAP-Proxy
