SMTP-Proxy: TLS Encryption

You can configure the SMTP-proxy to use TLS encryption to process email sent from a client email server (the sender) to your SMTP server (the recipient). SMTP over TLS is a secure extension to the SMTP service that allows an SMTP server and client to use TLS (Transport Layer Security) to provide private, authenticated communication over the Internet. For SMTP, this is usually negotiated with the STARTTLS keyword. TLS encryption settings for the SMTP-proxy have two configurable parts: when to use encryption (on the sender channel, the recipient channel, or both) and how to encrypt (which SSL or TLS protocol and which certificate type). You can use these settings to specify the encryption settings for incoming traffic (sender email), for traffic to your SMTP server (the recipient), or both.

About TLS Encryption

SSLv3, SSLv2, and TLSv1 are all protocols used for encrypted SMTP connections. SSLv2 is not as secure as SSLv3 and TLSv1. When you enable TLS encryption, by default, the SMTP-proxy only allows connections that negotiate the TLSv1 protocol. You can, however, allow the SMTP-proxy to use the SSLv3 and SSLv2 protocols for connections to and from SMTP clients or servers that require these protocols.

About OCSP Options

You can also choose whether to use OCSP (Online Certificate Status Protocol) to validate certificates. If you enable this option, your XTM device automatically uses OCSP to check for certificate revocations. When this feature is enabled, the XTM device uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, the XTM device disables the certificate. This process can cause a delay of several seconds, while the XTM device requests a response from the OCSP server. The XTM device keeps between 300 and 3000 OCSP responses in a cache to improve performance for frequently accessed hosts. The number of responses stored in the cache is determined by your XTM device model.

When you use OCSP to validate certificates, you can also specify whether certificates that cannot be validated are considered valid. If you specify that certificates that cannot be validated are considered invalid, and an OCSP responder does not send a response to a revocation status request, the XTM device treats the certificate as invalid (revoked). This option can cause certificates to be considered invalid if there is a routing error or a problem with your network connection.
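As an added illustration (not WatchGuard code and not the XTM firmware's implementation), the following Python models the OCSP behaviour described above: a bounded response cache, a revoked answer that disables the certificate, and the fail-open versus fail-closed choice when the responder does not answer. The responder function, certificate identifiers and cache size are constructed for the example.

```python
from collections import OrderedDict
from typing import Callable, Optional

# Hypothetical model of the proxy's OCSP handling (not the device's real code).
# The responder callable answers "good" or "revoked" for a certificate id, or
# raises TimeoutError when no response arrives.


class OcspValidator:
    def __init__(self, responder: Callable[[str], str], cache_size: int = 300,
                 unvalidated_is_invalid: bool = False) -> None:
        # The page says a device keeps 300 to 3000 responses; the size is a parameter here.
        self.responder = responder
        self.cache_size = cache_size
        self.unvalidated_is_invalid = unvalidated_is_invalid
        self._cache: "OrderedDict[str, str]" = OrderedDict()
        self.responder_calls = 0  # counts round trips to the responder

    def _lookup(self, cert_id: str) -> Optional[str]:
        """Return the cached or freshly fetched status, or None if no response."""
        if cert_id in self._cache:
            self._cache.move_to_end(cert_id)  # LRU: frequently used hosts stay cached
            return self._cache[cert_id]
        self.responder_calls += 1
        try:
            status = self.responder(cert_id)
        except TimeoutError:
            return None  # nothing to cache; the caller decides fail-open/fail-closed
        self._cache[cert_id] = status
        if len(self._cache) > self.cache_size:
            self._cache.popitem(last=False)  # evict the least recently used entry
        return status

    def is_acceptable(self, cert_id: str) -> bool:
        status = self._lookup(cert_id)
        if status == "revoked":
            return False  # the device disables a revoked certificate
        if status == "good":
            return True
        # No answer from the responder: the option decides whether this is fatal.
        return not self.unvalidated_is_invalid


# Constructed sample responder (not a real OCSP server). Any id it does not know
# simulates a responder that never replies, e.g. because of a routing problem.
SAMPLE_STATUS = {"cert-good": "good", "cert-revoked": "revoked"}


def sample_responder(cert_id: str) -> str:
    if cert_id not in SAMPLE_STATUS:
        raise TimeoutError("no OCSP response")
    return SAMPLE_STATUS[cert_id]


def demo() -> dict:
    fail_open = OcspValidator(sample_responder, cache_size=2, unvalidated_is_invalid=False)
    fail_closed = OcspValidator(sample_responder, cache_size=2, unvalidated_is_invalid=True)
    out = {
        "good": fail_open.is_acceptable("cert-good"),
        "revoked": fail_open.is_acceptable("cert-revoked"),
        "unreachable_fail_open": fail_open.is_acceptable("cert-unreachable"),
        "unreachable_fail_closed": fail_closed.is_acceptable("cert-unreachable"),
    }
    fail_open.is_acceptable("cert-good")  # served from the cache, no new round trip
    out["responder_calls"] = fail_open.responder_calls
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trade-off in the page is visible in the two `unreachable_*` results: with the option off an unreachable responder lets the certificate through, with it on the same certificate is rejected.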

About Encryption Rules

After you enable TLS encryption for your SMTP proxy action, you add rules to specify the sender and recipient domains, and the required encryption details for each domain. When you add rules to the Encryption Rules list, the rules are evaluated in order from the first rule to the last rule in the list. Make sure to put your rules in an order that provides the most flexibility. For example, if you have more than one SMTP server domain, put the rule for your primary SMTP server first in the list, with rules for any backup SMTP servers lower in the list.

When you add encryption rules, you can create rules for specific sender and recipient domains. Or, to create a global rule, you can use a wildcard character (*) for either the sender or recipient domain. You can specify encryption rules for the sender channel, for the recipient channel, or both. This enables you to set different encryption rules for specific domains that send email to your SMTP server. Each encryption rule must be 200 bytes or less in length.

Sender Encryption

Recipient Encryption

If you do not want to add rules for more than one domain, you can set the Sender Encryption to Optional, Recipient Encryption to Preferred, and use the wildcard character (*) for the domain information. With these encryption settings, most email is safely sent to your SMTP server.

If your users connect to your network over a public Internet connection, we recommend that you select Required for the Sender Encryption setting. If your SMTP server does not support encryption, we recommend that you select Optional, because email that is not encrypted can still be accepted.

If your users send email to your SMTP server through your protected corporate intranet, you have the most flexibility if you set Sender Encryption to Optional and Recipient Encryption to None.

If you add a rule that always requires traffic from a sender domain to be encrypted, you can also specify that a TLS protocol must be used for the recipient, sender, and body information in the email message.
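The rule list described in this section is evaluated top to bottom with the first match winning, so order decides which sender and recipient settings apply. The following Python is an added model of that evaluation (it is not WatchGuard code). It assumes that `*` is the only wildcard and matches any domain, that other patterns match a domain exactly and case-insensitively, and that the 200-byte limit is measured over a rule's two domain strings; the sample rule list and domains are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the Encryption Rules list (not the device's real code).
SENDER_LEVELS = ("None", "Optional", "Required")
RECIPIENT_LEVELS = ("None", "Preferred", "Required")
MAX_RULE_BYTES = 200  # the page's per-rule length limit (assumed to cover the domains)


@dataclass
class EncryptionRule:
    recipient_domain: str                  # "To Recipient Domain" (your SMTP server)
    sender_domain: str = "*"               # "From Sender Domain" (client side)
    recipient_encryption: str = "Preferred"
    sender_encryption: str = "Optional"
    enabled: bool = True

    def __post_init__(self) -> None:
        if self.sender_encryption not in SENDER_LEVELS:
            raise ValueError(f"bad sender encryption: {self.sender_encryption}")
        if self.recipient_encryption not in RECIPIENT_LEVELS:
            raise ValueError(f"bad recipient encryption: {self.recipient_encryption}")
        size = len(self.sender_domain.encode()) + len(self.recipient_domain.encode())
        if size > MAX_RULE_BYTES:
            raise ValueError(f"rule is {size} bytes; limit is {MAX_RULE_BYTES}")


def match_domain(pattern: str, domain: str) -> bool:
    """'*' matches anything; otherwise an exact, case-insensitive match (assumption)."""
    return pattern == "*" or pattern.lower() == domain.lower()


def find_rule(rules: List[EncryptionRule], sender_domain: str,
              recipient_domain: str) -> Optional[EncryptionRule]:
    """First enabled rule whose sender and recipient patterns both match wins."""
    for rule in rules:
        if (rule.enabled and match_domain(rule.sender_domain, sender_domain)
                and match_domain(rule.recipient_domain, recipient_domain)):
            return rule
    return None


def sender_channel(rule: EncryptionRule, client_issued_starttls: bool) -> str:
    """Client -> proxy leg: 'encrypt', 'plaintext' or 'reject'."""
    if rule.sender_encryption == "None":
        return "plaintext"
    if client_issued_starttls:
        return "encrypt"
    # Client sent mail without STARTTLS: only 'Required' refuses it.
    return "reject" if rule.sender_encryption == "Required" else "plaintext"


def recipient_channel(rule: EncryptionRule, server_offers_starttls: bool) -> str:
    """Proxy -> your SMTP server leg: 'encrypt', 'plaintext' or 'reject'."""
    if rule.recipient_encryption == "None":
        return "plaintext"
    if server_offers_starttls:
        return "encrypt"
    # Server did not advertise STARTTLS: 'Preferred' falls back, 'Required' refuses.
    return "reject" if rule.recipient_encryption == "Required" else "plaintext"


# Constructed rule list in the order the page recommends: primary server first,
# backup server next, then the global wildcard rule with the page's suggested
# defaults (Sender Optional, Recipient Preferred).
SAMPLE_RULES = [
    EncryptionRule("mail.example.com", "*", "Required", "Required"),
    EncryptionRule("backup.example.com", "*", "Preferred", "Optional"),
    EncryptionRule("*", "*", "Preferred", "Optional"),
]


def demo() -> dict:
    primary = find_rule(SAMPLE_RULES, "partner.example.net", "mail.example.com")
    fallback = find_rule(SAMPLE_RULES, "partner.example.net", "other.example.org")
    return {
        "primary_rule": primary.recipient_domain,
        "fallback_rule": fallback.recipient_domain,
        "primary_plain_client": sender_channel(primary, client_issued_starttls=False),
        "fallback_plain_client": sender_channel(fallback, client_issued_starttls=False),
        "primary_plain_server": recipient_channel(primary, server_offers_starttls=False),
        "fallback_plain_server": recipient_channel(fallback, server_offers_starttls=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Putting the wildcard rule first would shadow every later rule, which is why the page tells you to list the primary SMTP server before the backups and keep the global rule last.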

Configure TLS Encryption Settings

When you create a new configuration file, you must enable the deep inspection of SMTP with TLS option in the SMTP proxy action before you can configure the settings for TLS encryption. If your configuration file already has deep inspection of SMTP with TLS enabled, you can simply complete the configuration settings for TLS encryption.

To enable TLS encryption and configure the rules for an SMTP proxy action:

  1. On the Edit page for the proxy, select the Proxy Action tab.
  2. From the ESMTP drop-down list, select TLS Encryption.
    The TLS Encryption page appears.

Screen shot of the TLS Encryption settings

  3. Select the Enable deep inspection of SMTP with TLS check box.
  4. To enable the SMTP-proxy to use the SSLv3 and SSLv2 protocols, select the Allow SSLv3 and Allow SSLv2 check boxes.
  5. (Optional) Select the Use OCSP to validate certificates check box.
  6. To specify how certificates that cannot be validated are processed, select the If a certificate cannot be validated, the certificate is considered invalid check box.
  7. To add encryption rules, in the Rules section, click Add.
    A new encryption rule appears in the Encryption Rules list.
  8. In the To Recipient Domain text box, type the domain name for your SMTP server and press Enter on your keyboard.
  9. To specify the domain that client traffic can come from, double-click the default From Sender Domain value, *, type a new value in the text box, and press Enter on your keyboard.
    To allow traffic from any domain, keep the default value of *.
  10. To change the Recipient Encryption value, click the default selection, Preferred, and select an option from the drop-down list:
  11. To change the Sender Encryption value, click the default selection, Optionally Encrypted, and select an option from the drop-down list:
  12. To change the order in which rules are applied, select a rule in the Encryption Rules list, and click Up or Down.
  13. To disable a rule in the list, clear the Enabled check box for that rule.
  14. To delete a rule from the list, click Remove.
  15. To require the TLS protocol to be used for encrypted sender traffic, select the When sender encryption is required, TLS must be used for the sender, recipient, and body information check box.
    This option is only available if you configure a rule with a Sender Encryption setting of Always Encrypted.
    For more information about proxy action rules, see Add, Change, or Delete Rules.
  16. To change settings for another category in this proxy action, see the topic for that category.
  17. Click Save.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

See Also

About the SMTP-Proxy
