
How to enable TLS encryption to all outbound emails by default

Created: 23 Aug 2012 • Updated: 16 Jan 2013
By toby

Problem

The basic approach in SMG to enabling TLS for all outbound emails would be to define a wildcard (*) domain as a non-local domain and set it to TLS delivery.

In practice this does not work, because you cannot create a * domain to apply a setting like this to every "unknown" destination.

Alternatively, you can configure the TLS delivery attempt per Scanner. With a large number of Scanners this is laborious to configure, and you also need to repeat it after a restore.

In addition, if some domains should be excluded from TLS delivery, you would need to bind those specific domains to different Scanners for outbound mail. So it is more of an all-or-nothing enable/disable approach.

Solution

To achieve the same goal anyway, you can create a Content Policy with the same effect. (Be aware that a Content Policy like this will have an impact on your machine's performance, since, depending on your "Apply to" selection, every message will need to pass through it.)

To create this policy, click Add and select the Blank Policy template.

Specify the policy name and select the Condition. In general you need to apply it only to Outbound messages.

Now specify a condition. To apply it to all messages, use the "For all messages" option. You can also use different criteria for other scenarios, for example flags set by a back-end store system, and only apply TLS when those criteria are met: a content filter that checks whether a mail contains financial data could, for instance, trigger TLS encryption for that mail.

As the action, choose "Attempt TLS encryption" and add it. Be aware that if you instead set "Require TLS", the message will be bounced when TLS fails. "Attempt TLS" prefers TLS when it is available but still delivers the message normally if the mail partner does not support TLS for incoming emails.

The final policy would look like this; you only need to apply this configuration to all the policy groups for which TLS delivery should be used, to make sure all your outbound emails are covered by this policy.

After you save the policy, it is displayed in your Content Filtering Policies.

Exceptions
I don't want to hide that many companies have most likely separated their TLS mail gateways from their standard inbound mail gateways, so mail to them must be delivered to a specific MX record. For these, you may need to set up a non-local domain with a specific delivery MX record and attempt or even require TLS.
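To make the difference between "Attempt TLS encryption" and "Require TLS" concrete, here is an added Python example; it is not SMG code and not part of the article. It parses a constructed EHLO reply for the STARTTLS capability and applies the delivery mode, with per-domain overrides standing in for the non-local-domain entries mentioned under Exceptions. The mode names, the fallback to plaintext on a failed handshake in attempt mode, and the sample EHLO replies are assumptions made for the example.

```python
"""Model of attempt-vs-require TLS delivery decisions (added example, not SMG code).

Assumed policy model: a default mode for all outbound mail ("attempt" or
"require") plus optional per-domain overrides, analogous to the article's
non-local-domain entries that override the content policy for selected partners.
"""
import re

# STARTTLS is advertised as one line of the multi-line 250 reply to EHLO,
# either "250-STARTTLS" (more lines follow) or "250 STARTTLS" (last line).
STARTTLS_RE = re.compile(r"^250[ -]STARTTLS\b", re.IGNORECASE | re.MULTILINE)

# Constructed EHLO replies for two fictitious partner MX hosts.
EHLO_WITH_TLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mx.example.org Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)

VALID_MODES = ("attempt", "require", "none")


def server_offers_starttls(ehlo_response: str) -> bool:
    """Return True if the partner's EHLO reply advertises STARTTLS."""
    return bool(STARTTLS_RE.search(ehlo_response))


def decide_delivery(recipient_domain, ehlo_response, default_mode="attempt",
                    domain_modes=None, handshake_ok=True):
    """Return 'tls', 'plain' or 'bounce' for one outbound message.

    default_mode   - policy applied to all outbound mail ("attempt"/"require"/"none")
    domain_modes   - per-domain overrides, e.g. {"bank.example": "require"}
    handshake_ok   - assumed outcome of the TLS handshake once STARTTLS is offered
    """
    domain_modes = domain_modes or {}
    mode = domain_modes.get(recipient_domain.lower(), default_mode)
    if mode not in VALID_MODES:
        raise ValueError(f"unknown delivery mode: {mode!r}")

    if mode == "none":
        # TLS explicitly disabled for this domain: always plaintext.
        return "plain"

    if server_offers_starttls(ehlo_response) and handshake_ok:
        # Both modes prefer TLS when the partner supports it.
        return "tls"

    if mode == "require":
        # Require TLS: no usable TLS means the message is bounced.
        return "bounce"

    # Attempt TLS: no STARTTLS (or a failed handshake, assumed here) falls
    # back to ordinary plaintext delivery.
    return "plain"


if __name__ == "__main__":
    overrides = {"bank.example": "require", "legacy.example": "none"}
    cases = [
        ("example.net", EHLO_WITH_TLS, True),
        ("example.org", EHLO_WITHOUT_TLS, True),
        ("bank.example", EHLO_WITHOUT_TLS, True),
        ("legacy.example", EHLO_WITH_TLS, True),
    ]
    for domain, ehlo, ok in cases:
        print(domain, "->", decide_delivery(domain, ehlo, domain_modes=overrides,
                                            handshake_ok=ok))
```

The `domain_modes` dictionary is where the Exceptions case lives: a partner that has moved TLS mail to a dedicated gateway gets a "require" entry, while the default "attempt" mode keeps delivering to everyone else. Running the block prints the decision for each constructed case.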