IMAP-Proxy: STARTTLS

Transport Layer Security (TLS) provides additional data security for IMAP. The TLS protocol provides communications security over the Internet and allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but provides improved data security. For information about TLS, see About Transport Layer Security (TLS).

The IMAP Proxy supports both implicit and explicit TLS. In the IMAP proxy action, the STARTTLS settings are for explicit TLS and the TLS settings are for implicit TLS. For information about how to configure implicit TLS in the IMAP proxy, see IMAP-Proxy: TLS.

You can enable both implicit and explicit TLS encryption in the same IMAP proxy action, but each connection uses only one encryption method. Connections on port 993 use implicit TLS encryption (IMAPS) and connections on port 143 use explicit TLS encryption (STARTTLS).

STARTTLS for the IMAP-proxy is supported in Fireware OS v12.3 and higher.

About STARTTLS in IMAP Proxy Actions

You can configure the IMAP-proxy to use explicit TLS encryption to process email sent from a client email server (the sender) to your IMAP server (the recipient). This allows the IMAP server and client to provide private, authenticated communication. For IMAP, explicit TLS involves the use of STARTTLS commands.

When STARTTLS is enabled in the IMAP proxy action, IMAP clients use the STARTTLS command to upgrade an IMAP connection to a secure channel, and the proxy performs content inspection on the encrypted data. The encryption is end-to-end and there are no separate rules for sender and recipient encryption.

Log messages generated by the IMAP proxy include the version of TLS encryption used.
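As an added example (not part of WatchGuard's documentation or the product), the following Python script exercises the explicit-TLS path described above from the client side: it connects in plaintext on port 143, confirms that the server (or the proxy in front of it) advertises STARTTLS in its CAPABILITY response, upgrades the session, and reports the negotiated TLS version and cipher so you can compare them with the version the proxy records in its log messages. The host name is a placeholder you replace with your own server; the function names and the refuse-plaintext policy in choose_encryption are assumptions of this example, not product behaviour. The decision logic mirrors the port rule on this page: 993 is implicit TLS, 143 is explicit TLS, and a 143 session that does not offer STARTTLS is refused rather than continued in cleartext.

```python
from __future__ import annotations

import imaplib
import ssl
import sys

IMAPS_PORT = 993  # implicit TLS (IMAPS): TLS handshake before any IMAP command
IMAP_PORT = 143   # explicit TLS: plaintext IMAP, upgraded with STARTTLS


def parse_capabilities(capability_response: bytes) -> set[str]:
    """Parse an IMAP CAPABILITY response into a set of upper-cased capability names.

    Accepts both the raw untagged line ('* CAPABILITY IMAP4rev1 STARTTLS ...')
    and the bare list that imaplib returns from IMAP4.capability().
    """
    text = capability_response.decode("ascii", errors="replace").strip()
    if text.startswith("*"):
        text = text[1:].strip()
    words = text.split()
    if words and words[0].upper() == "CAPABILITY":
        words = words[1:]
    return {w.upper() for w in words}


def choose_encryption(port: int, capabilities: set[str]) -> str:
    """Return 'implicit', 'explicit' or 'refuse' for a connection on this port.

    Policy (an assumption of this example): on 993 TLS is implicit; on any other
    port the server must advertise STARTTLS, otherwise we refuse to continue in
    plaintext instead of silently downgrading.
    """
    if port == IMAPS_PORT:
        return "implicit"
    if "STARTTLS" in capabilities:
        return "explicit"
    return "refuse"


def check_starttls(host: str, port: int = IMAP_PORT, timeout: float = 10.0) -> dict:
    """Connect on the explicit-TLS port, upgrade with STARTTLS and report the result.

    Network call: requires a reachable IMAP server; not exercised by the offline tests.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate chain and host name
    imap = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        typ, data = imap.capability()
        caps = parse_capabilities(data[0])
        decision = choose_encryption(port, caps)
        if decision != "explicit":
            return {"host": host, "port": port, "upgraded": False,
                    "reason": f"STARTTLS not offered; decision={decision}"}
        imap.starttls(ctx)  # raises imaplib.IMAP4.error if the upgrade is rejected
        cipher_name, _proto, bits = imap.sock.cipher()
        return {"host": host, "port": port, "upgraded": True,
                "tls_version": imap.sock.version(),
                "cipher": cipher_name, "key_bits": bits}
    finally:
        try:
            imap.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


if __name__ == "__main__":
    # Replace the placeholder with your own IMAP server or proxy address.
    target = sys.argv[1] if len(sys.argv) > 1 else "imap.example.invalid"
    print(check_starttls(target))
```

Run it as `python check_starttls.py imap.yourdomain.example`; a result with `upgraded: True` and a `tls_version` of `TLSv1.2` or `TLSv1.3` confirms that the explicit-TLS path works end to end and tells you which version to expect in the proxy log messages. Because the script uses `ssl.create_default_context()`, the certificate the proxy presents after re-encryption must chain to a CA the client trusts, which is the same requirement your mail clients have.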

About Certificates for TLS Encryption

When content inspection is enabled for inbound IMAP over TLS traffic, the proxy uses a certificate to re-encrypt incoming traffic after it is decrypted for inspection. You can use the default Proxy Server certificate for this purpose. For more information, see About Certificates.

Configure STARTTLS Settings

To enable STARTTLS for an IMAP proxy action:

  1. In the IMAP proxy action settings, select Capabilities.

Screen shot: IMAP-Proxy Action STARTTLS configuration in Fireware Web UI

Screen shot: IMAP-Proxy Action STARTTLS configuration in Policy Manager

  2. Select the Enable STARTTLS for Content Inspection check box.
  3. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  4. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  5. Configure the TLS Profile settings as required for your network. For more information, see Configure TLS Profiles.
  6. To change settings for another category in this proxy action, see the topic for that category.
  7. Save the configuration.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

Related Topics

Configure TLS Profiles

About Proxy Actions