SMTP-Proxy: STARTTLS Encryption

Transport Layer Security (TLS) provides additional data security for SMTP. The TLS protocol provides communications security over the Internet and allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but provides improved data security.

The SMTP Proxy supports both implicit and explicit TLS. For information about implicit and explicit TLS, go to About Transport Layer Security (TLS).

In the SMTP proxy action, the STARTTLS Encryption settings are for explicit TLS and the TLS settings are for implicit TLS

For information about how to configure implicit TLS in the SMTP proxy, go to SMTP-Proxy: TLS.

About STARTTLS Encryption

You can configure the SMTP-proxy to use explicit TLS encryption to process email sent from a client email server (the sender) to your SMTP server (the recipient). SMTP over TLS is a secure extension to the SMTP service that allows an SMTP server and client to use TLS to provide private, authenticated communication. For explicit TLS, this usually involves the use of STARTTLS keywords. TLS encryption settings for the SMTP-proxy have two configurable parts: when to use encryption (sender or recipient channel) and how to encrypt traffic (SSL or TLS protocol and certificate type). You can use these settings to specify the encryption settings for incoming traffic (sender email), for traffic from your SMTP server (the recipient), or both.

Log messages generated by the SMTP proxy include the version of TLS encryption used.

ESMTP is required for explicit TLS encryption. If you disable ESMTP in the SMTP proxy action, STARTTLS encryption is automatically disabled in the proxy action. For more information, go to SMTP-Proxy: ESMTP Settings.

About STARTTLS Encryption for SMTP in Fireware v12.1.x or Lower

In Fireware v12.1.x you configure TLS settings for explicit SMTP content inspection in the SMTP proxy action, not in a TLS profile. If you use Policy Manager v12.2 or higher to manage a Firebox that runs a version of Fireware that does not support TLS profiles for the SMTP proxy, you configure the content inspection settings in a TLS profile in Policy Manager. When you save the configuration to the Firebox, or use the File > Save > As Version command to save the configuration for a lower Fireware version, Policy Manager automatically changes the configuration to be compatible with the lower version of Fireware.

About Certificates for TLS Encryption

When content inspection is enabled, the proxy action uses a certificate when it re-encrypts the traffic after inspection.

  • For inbound traffic, the proxy action uses the default Proxy Server certificate.
  • For outbound traffic, the proxy action uses the Proxy Authority certificate.

For more information about these certificates, go to About Certificates.

About Encryption Rules

After you enable TLS encryption for your SMTP proxy action, you add rules to specify the sender and recipient domains, and the required encryption details for each domain. When you add rules to the Encryption Rules list, the rules are evaluated in order from the first rule to the last rule in the list. Make sure to put your rules in an order that provides the most flexibility. For example, if you have more than one SMTP server domain, put the rule for your primary SMTP server first in the list, with rules for any backup SMTP servers lower in the list.

When you add encryption rules, you can create rules for specific sender and recipient domains. Or, to create a global rule, you can use a wildcard character (*) for either the sender or recipient domain. You can specify encryption rules for the sender channel, for the recipient channel, or both. This enables you to set different encryption rules for specific domains that send email to your SMTP server. Each encryption rule must be 200 bytes or less in length.

Sender Encryption

  • Required — The sender SMTP server must negotiate encryption with the Firebox.
  • None — The Firebox does not negotiate encryption with the sender SMTP servers.
  • Optional — The sender SMTP server can negotiate encryption with the receiver SMTP server. TLS encryption depends on the encryption capabilities and settings of the receiver SMTP server.

Recipient Encryption

  • Required — The Firebox must negotiate encryption with the recipient SMTP server.
  • None — The Firebox does not negotiate encryption with the recipient SMTP server.
  • Preferred — The Firebox tries to negotiate encryption with the recipient SMTP server.
  • Allowed — The Firebox uses the behavior of the sender SMTP server to negotiate encryption with the recipient SMTP server.

If you do not want to add rules for more than one domain, you can set the Sender Encryption to Optional, Recipient Encryption to Preferred, and use the wildcard character (*) for the domain information. With these encryption settings, most email is safely sent to your SMTP server.

If your users connect to your network over a public Internet connection, WatchGuard recommends that you select Required for the Sender Encryption setting. If your SMTP server does not support encryption, WatchGuard recommends that you select Optional, because email that is not encrypted can still be accepted.

If your users send email to your SMTP server through your protected corporate intranet, you have the most flexibility if you set Sender Encryption to Optional and Recipient Encryption to None.

If you add a rule that always requires traffic from a sender domain to be encrypted, you can also specify that a TLS protocol must be used for the recipient, sender, and body information in the email message.

Configure STARTTLS Encryption Settings

To enable TLS encryption and configure the rules for an SMTP proxy action:

  1. In the SMTP proxy action settings, select ESMTP > STARTTLS Encryption.

Screen shot of the TLS Encryption settings
SMTP-Proxy Action TLS encryption configuration in Fireware Web UI

Screen shot of the SMTP Proxy Action Configuration dialog box, TLS Encryption page
SMTP-Proxy Action TLS encryption configuration in Policy Manager

  1. Select the Enable STARTTLS for Content Inspection check box.
  2. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  3. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  4. Configure the TLS Profile settings as required for your network. For more information, go to Configure TLS Profiles.
  5. To add encryption rules, in the Rules section, click Add.
    A new encryption rule appears in the Encryption Rules list.
  6. In the To Recipient Domain text box, type the domain name for your SMTP server and press Enter.
  7. To specify the domain that client traffic can come from, in the From Sender Domain column, double-click the default setting (*), type a new setting in the text box, and press Enter on your keyboard.
    To allow traffic from any domain, keep the default setting (*).
  8. To change the Recipient Encryption option, click the default setting (Preferred), and select an option from the drop-down list.
  9. To change the Sender Encryption option, click the default setting, (Optionally Encrypted), and select an option from the drop-down list.
  10. To change the order that rules are applied, select a rule in the Encryption Rules list, and click Up or Down.
  11. To disable a rule in the list, clear the Enabled check box for that rule.
  12. To delete a rule from the list, click Remove.
  13. To require the TLS protocol to be used for encrypted sender traffic, select the When sender encryption is required, TLS must be used for the sender, recipient, and body information check box.
    This option is only available if you configure a rule with a Sender Encryption setting of Always Encrypted.
    For more information about proxy action rules, go to Add, Change, or Delete Rules.
  14. To change settings for another category in this proxy action, see the topic for that category.
  15. Save the configuration.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, go to About Proxy Actions.

Related Topics

About the SMTP-Proxy