You can configure the SMTP-proxy to use TLS encryption to process email sent from a client email server (the sender) to your SMTP server (the recipient). SMTP over TLS is a secure extension to the SMTP service that allows an SMTP server and client to use TLS (transport-layer security) to provide private, authenticated communication over the Internet. For SMTP, this is usually done with the STARTTLS command. TLS encryption settings for the SMTP-proxy have two configurable parts: when to use encryption (sender or recipient channel) and how to encrypt (SSL or TLS protocol and certificate type). You can use these settings to specify the encryption settings for incoming traffic (sender email), for traffic from your SMTP server (the recipient), or both.
SSLv3, SSLv2, and TLSv1 are all protocols used for encrypted SMTP connections. SSLv2 is not as secure as SSLv3 and TLSv1. When you enable TLS encryption, by default, the SMTP-proxy only allows connections that negotiate the TLSv1 protocol. You can, however, allow the SMTP-proxy to use the SSLv3 and SSLv2 protocols for connections to and from SMTP clients or servers that require these protocols.
You can also choose whether to use OCSP (Online Certificate Status Protocol) to validate certificates. If you enable this option, your XTM device automatically uses OCSP to check for certificate revocations. When this feature is enabled, the XTM device uses information in the certificate to contact an OCSP server that keeps a record of the certificate status. If the OCSP server responds that the certificate has been revoked, the XTM device disables the certificate. This check can add a delay of several seconds while the XTM device waits for the OCSP server to respond. To improve performance for frequently accessed hosts, the XTM device keeps between 300 and 3000 OCSP responses in a cache; the number of responses stored in the cache is determined by your XTM device model.
When you use OCSP to validate certificates, you can also specify whether certificates that cannot be validated are considered valid. If you specify that certificates that cannot be validated are treated as invalid, and an OCSP responder does not send a response to a revocation status request, the XTM device considers the original certificate invalid or revoked. With this option, a routing error or a problem with your network connection can also cause certificates to be treated as invalid.
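The decision described in the two paragraphs above (revoked means the certificate is disabled, no response means the "cannot be validated" option decides, and answers are cached to avoid repeating the slow responder round trip) can be written out as a small model. This is an added example, not WatchGuard code: the responder is a constructed callable that raises when it cannot answer, the cache capacity range is taken from the text but the per-model figure is assumed, and the flaky responder and serial numbers are constructed for the example.

```python
"""Added example (not WatchGuard code): a model of the OCSP decision with a
bounded response cache. Cache capacity must lie in the 300-3000 range the
text gives; the exact figure for a given device model is an assumption here."""
from collections import OrderedDict
from enum import Enum
from typing import Callable, Dict, Optional


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class ResponderUnavailable(Exception):
    """Raised when no OCSP response arrives (timeout, routing error, unreachable host)."""


class OcspResponseCache:
    """Least-recently-used cache of responder answers, bounded per device model."""

    def __init__(self, capacity: int) -> None:
        if not 300 <= capacity <= 3000:
            raise ValueError("capacity must be between 300 and 3000")
        self.capacity = capacity
        self._entries: "OrderedDict[str, OcspStatus]" = OrderedDict()

    def get(self, cert_id: str) -> Optional[OcspStatus]:
        status = self._entries.get(cert_id)
        if status is not None:
            self._entries.move_to_end(cert_id)   # mark as recently used
        return status

    def put(self, cert_id: str, status: OcspStatus) -> None:
        self._entries[cert_id] = status
        self._entries.move_to_end(cert_id)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)    # evict the least recently used entry

    def __len__(self) -> int:
        return len(self._entries)


def certificate_accepted(cert_id: str,
                         responder: Callable[[str], OcspStatus],
                         cache: OcspResponseCache,
                         unvalidated_is_invalid: bool) -> bool:
    """Revoked -> reject; good -> accept; no response -> the option decides."""
    status = cache.get(cert_id)
    if status is None:
        try:
            status = responder(cert_id)          # slow path: a network round trip on a real device
        except ResponderUnavailable:
            return not unvalidated_is_invalid    # strict setting treats "no answer" as revoked
        cache.put(cert_id, status)               # hit the cache next time
    return status is OcspStatus.GOOD


class FlakyResponder:
    """Constructed responder: answers from a table while online, raises when taken offline."""

    def __init__(self, table: Dict[str, OcspStatus]) -> None:
        self.table = table
        self.online = True
        self.queries = 0

    def __call__(self, cert_id: str) -> OcspStatus:
        self.queries += 1
        if not self.online or cert_id not in self.table:
            raise ResponderUnavailable(cert_id)
        return self.table[cert_id]


if __name__ == "__main__":
    cache = OcspResponseCache(300)
    responder = FlakyResponder({"serial-0001": OcspStatus.GOOD,
                                "serial-0002": OcspStatus.REVOKED})
    print(certificate_accepted("serial-0001", responder, cache, True))   # True
    responder.online = False
    print(certificate_accepted("serial-0001", responder, cache, True))   # True, from cache
    print(certificate_accepted("serial-0003", responder, cache, True))   # False, strict
    print(certificate_accepted("serial-0003", responder, cache, False))  # True, lenient
```

The last two calls show the trade-off the text warns about: with the strict option a responder outage turns every uncached certificate into a rejection, while the lenient option keeps mail flowing but skips revocation checking until the responder is reachable again.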
After you enable TLS encryption for your SMTP proxy action, you add rules to specify the sender and recipient domains, and the required encryption details for each domain. When you add rules to the Encryption Rules list, the rules are evaluated in order from the first rule to the last rule in the list, and the first rule that matches is applied. Make sure to put your rules in an order that provides the most flexibility. For example, if you have more than one SMTP server domain, put the rule for your primary SMTP server first in the list, with rules for any backup SMTP servers lower in the list.
When you add encryption rules, you can create rules for specific sender and recipient domains. Or, to create a global rule, you can use a wildcard character (*) for either the sender or recipient domain. You can specify encryption rules for the sender channel, for the recipient channel, or both. This enables you to set different encryption rules for specific domains that send email to your SMTP server. Each encryption rule must be 200 bytes or less in length.
If you do not want to add rules for more than one domain, you can set the Sender Encryption to Optional, Recipient Encryption to Preferred, and use the wildcard character (*) for the domain information. With these encryption settings, most email is safely sent to your SMTP server.
If your users connect to your network over a public Internet connection, we recommend that you select Required for the Sender Encryption setting. If your SMTP server does not support encryption, we recommend that you select Optional, because email that is not encrypted can still be accepted.
If your users send email to your SMTP server through your protected corporate intranet, you have the most flexibility if you set Sender Encryption to Optional and Recipient Encryption to None.
If you add a rule that always requires traffic from a sender domain to be encrypted, you can also specify that a TLS protocol must be used for the recipient, sender, and body information in the email message.
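The rule list described above (evaluated top to bottom, wildcard domains for a global rule, the 200-byte limit per rule, and the Required/Optional/Preferred/None settings per channel) can be exercised with a small evaluator. This is an added example, not WatchGuard code. The setting semantics are assumed: None means plaintext only, Optional and Preferred mean TLS when the peer supports it and plaintext otherwise, Required means TLS or the connection is refused; the serialised form used for the 200-byte check, the domain names and the rule list are all constructed for the example. The shadowing check goes beyond the text by flagging rules that an earlier rule makes unreachable, which is the ordering mistake the text warns about.

```python
"""Added example (not WatchGuard code): first-match evaluation of SMTP-proxy
encryption rules plus a check for rules hidden by an earlier rule."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence, Tuple


class Encryption(Enum):
    NONE = "None"
    OPTIONAL = "Optional"
    PREFERRED = "Preferred"
    REQUIRED = "Required"


@dataclass(frozen=True)
class EncryptionRule:
    sender_domain: str          # literal domain or "*" for a global rule
    recipient_domain: str
    sender_encryption: Encryption
    recipient_encryption: Encryption

    def __post_init__(self) -> None:
        # The text caps a rule at 200 bytes; this serialised form is an assumption.
        encoded = "|".join([self.sender_domain, self.recipient_domain,
                            self.sender_encryption.value,
                            self.recipient_encryption.value]).encode("utf-8")
        if len(encoded) > 200:
            raise ValueError(f"rule is {len(encoded)} bytes, limit is 200")

    def matches(self, sender: str, recipient: str) -> bool:
        return (fnmatchcase(sender.lower(), self.sender_domain.lower())
                and fnmatchcase(recipient.lower(), self.recipient_domain.lower()))


def find_rule(rules: Sequence[EncryptionRule], sender: str, recipient: str) -> Optional[int]:
    """Index of the first matching rule, or None: rules are evaluated top to bottom."""
    for index, rule in enumerate(rules):
        if rule.matches(sender, recipient):
            return index
    return None


def channel_outcome(setting: Encryption, peer_supports_tls: bool) -> str:
    """'tls', 'plain' or 'reject' for one channel under the assumed semantics."""
    if setting is Encryption.NONE:
        return "plain"
    if peer_supports_tls:
        return "tls"
    return "reject" if setting is Encryption.REQUIRED else "plain"


def evaluate(rules: Sequence[EncryptionRule], sender: str, recipient: str,
             client_tls: bool, server_tls: bool) -> Optional[Tuple[int, str, str]]:
    """(rule index, sender-channel outcome, recipient-channel outcome), or None if no rule matches."""
    index = find_rule(rules, sender, recipient)
    if index is None:
        return None
    rule = rules[index]
    return (index,
            channel_outcome(rule.sender_encryption, client_tls),
            channel_outcome(rule.recipient_encryption, server_tls))


def _subsumes(earlier: str, later: str) -> bool:
    # Conservative heuristic: "*", an identical pattern, or a literal the earlier pattern matches.
    return (earlier == "*" or earlier.lower() == later.lower()
            or ("*" not in later and fnmatchcase(later.lower(), earlier.lower())))


def shadowed_rules(rules: Sequence[EncryptionRule]) -> List[int]:
    """Indexes of rules that can never be reached because an earlier rule always matches first."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_subsumes(earlier.sender_domain, later.sender_domain)
                    and _subsumes(earlier.recipient_domain, later.recipient_domain)):
                shadowed.append(j)
                break
    return shadowed


# Constructed list: primary server first, backup server next, global wildcard rule last.
RULES = [
    EncryptionRule("*", "mail.example.com", Encryption.REQUIRED, Encryption.NONE),
    EncryptionRule("*", "mail2.example.com", Encryption.REQUIRED, Encryption.NONE),
    EncryptionRule("*", "*", Encryption.OPTIONAL, Encryption.PREFERRED),
]

if __name__ == "__main__":
    # A client that does not use STARTTLS is refused on the primary server's Required rule.
    print(evaluate(RULES, "partner.example", "mail.example.com", client_tls=False, server_tls=True))
    # Putting the global rule first hides both server-specific rules.
    print(shadowed_rules(list(reversed(RULES))))
```

Run the shadowing check whenever the list is reordered: a wildcard rule placed above the rules for your primary and backup servers silently takes over every connection, which is the situation the ordering advice above is meant to avoid.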
When you create a new configuration file, you must enable the deep inspection of SMTP with TLS option in the SMTP proxy action before you can configure the settings for TLS encryption. If your configuration file already has deep inspection of SMTP with TLS enabled, you can simply complete the configuration settings for TLS encryption.
To enable TLS encryption and configure the rules for an SMTP proxy action:
If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.
For more information on predefined proxy actions, see About Proxy Actions.
About the SMTP-Proxy