SMTP-Proxy: TLS

Transport Layer Security (TLS) provides additional data security for SMTP. The TLS protocol provides communications security over the Internet and allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but provides improved data security.

For more information about TLS, see About Transport Layer Security (TLS).

The SMTP Proxy supports both implicit and explicit TLS. In the SMTP proxy action, the TLS settings are for implicit TLS and the STARTTLS Encryption settings are for explicit TLS.

For information about how to configure explicit TLS in the SMTP proxy, see SMTP-Proxy: STARTTLS Encryption.

Implicit TLS in the SMTP-Proxy is supported in Fireware OS v12.2 and higher.

To enable TLS support in the SMTP-proxy policy, you must enable content inspection in the proxy action.

About Certificates for TLS Encryption

When content inspection is enabled, the proxy action uses a certificate when it re-encrypts the traffic after inspection.

  • For inbound traffic, the proxy action uses the default Proxy Server certificate.
  • For outbound traffic, the proxy action uses the Proxy Authority certificate.

For more information about these certificates, see About Certificates.

Change the TLS Support Option in the SMTP-Proxy Policy

To use implicit TLS for content inspection in the SMTP proxy action, TLS Support must also be Enabled or Required in the SMTP-proxy policy so that the SMTP proxy listens on port 465.

In the SMTP proxy policy, you can set TLS Support to one of these options:

  • Disabled — SMTP proxy listens on port 25 only
  • Enabled — SMTP proxy listens on ports 25 and 465 (default)
  • Required — SMTP proxy listens on port 465 only

Enable Content Inspection in the SMTP Proxy Action

To enable content inspection in the SMTP proxy, you must select the Inspect action in the TLS settings for the proxy action used by your SMTP-proxy policy. When you select the Inspect action, the proxy uses the settings in the TLS profile for content inspection. You can edit the TLS profile settings in the proxy action, or from the TLS Profiles page.

See Policy TLS Settings

For a proxy policy to perform content inspection, the TLS Support option in the proxy policy must be set to Enabled or Required. If you edit the TLS settings in a proxy action from the Proxy Actions list, the proxy action could apply to more than one policy. After you enable content inspection, make sure that TLS Support is set to Enabled or Required in all policies that use the proxy action.

To see the TLS Support setting for all policies that use the proxy action:

  1. Edit the proxy action from the Proxy Actions list.
  2. In the proxy action TLS settings, click View.
    A list of policies that use the proxy action appears, with the TLS Support setting for each policy.
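The rule described above, that a policy only performs implicit-TLS content inspection when its proxy action is set to Inspect and its own TLS Support is Enabled or Required, can be checked mechanically. This Python audit is an added example, not WatchGuard's code or configuration format; the data model, helper names and sample policies are constructed assumptions, and the port mapping is the one listed on this page.

```python
from dataclasses import dataclass
# Listener ports implied by each TLS Support option in the SMTP-proxy policy.
TLS_SUPPORT_PORTS = {
    "Disabled": frozenset({25}),
    "Enabled": frozenset({25, 465}),
    "Required": frozenset({465}),
}
IMPLICIT_TLS_PORT = 465

@dataclass(frozen=True)
class ProxyAction:
    name: str
    tls_action: str  # "Inspect" enables content inspection; "Allow" passes TLS through

@dataclass(frozen=True)
class SmtpProxyPolicy:
    name: str
    proxy_action: str  # name of the ProxyAction this policy uses
    tls_support: str  # "Disabled", "Enabled" or "Required"

def listen_ports(policy):
    """Ports the SMTP proxy listens on for this policy; unknown options are rejected."""
    if policy.tls_support not in TLS_SUPPORT_PORTS:
        raise ValueError(f"{policy.name}: unknown TLS Support {policy.tls_support!r}")
    return TLS_SUPPORT_PORTS[policy.tls_support]

def policies_using_action(action_name, policies):
    """Like the View button: each policy that uses the action, with its TLS Support."""
    return [(p.name, p.tls_support) for p in policies if p.proxy_action == action_name]

def inspects_implicit_tls(policy, actions):
    """True only when the action is Inspect AND the policy listens on port 465."""
    action = actions[policy.proxy_action]
    return action.tls_action == "Inspect" and IMPLICIT_TLS_PORT in listen_ports(policy)

def policies_missing_inspection(policies, actions):
    """Policies whose action says Inspect but whose TLS Support never opens port 465."""
    return [p.name for p in policies
            if actions[p.proxy_action].tls_action == "Inspect"
            and not inspects_implicit_tls(p, actions)]

# Constructed sample configuration (an assumption, not an exported Fireware config).
ACTIONS = {a.name: a for a in (ProxyAction("SMTP-Inspect", "Inspect"),
                               ProxyAction("SMTP-Passthrough", "Allow"))}
POLICIES = [
    SmtpProxyPolicy("SMTP-Inbound", "SMTP-Inspect", "Enabled"),
    SmtpProxyPolicy("SMTP-Partner", "SMTP-Inspect", "Disabled"),  # will not inspect
    SmtpProxyPolicy("SMTP-Legacy", "SMTP-Passthrough", "Disabled"),
]
```

Running `policies_missing_inspection(POLICIES, ACTIONS)` on the sample data flags only SMTP-Partner, the policy that shares the Inspect action but never listens on port 465.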


Related Topics

Configure TLS Profiles

About the SMTP-Proxy

About Proxy Actions