Messaging Gateway

  • 1.  Default to outbound TLS

    Posted Sep 21, 2011 03:37 PM

    Is it possible to configure SBG to default to opportunistic TLS for outbound e-mails, with specific domain settings overriding (e.g. with verify etc.) for select domains? Could I set up a * domain with attempt TLS enabled?

    We are working with a 3rd party sending to us that has this setup.  Seems like a "good idea (TM)".

    Also,

    - any timeline on setting up TLS to be required on INBOUND connections? - e.g. vendor must use TLS to send to us.

    - when will TLS information show up in Message Audit Log detail data?



  • 2.  RE: Default to outbound TLS

    Posted Sep 22, 2011 10:58 AM

    Yes.

    On the Administration->Host Configuration->SMTP->SMTP Advanced Settings page, there is a checkbox.

    ""

     

    Also,

    As of 9.5 there is a "Delivered with TLS" item in the message audit log.

    We do not audit reception of TLS, or currently enforce reception of TLS; however, there may be some options here using Content filters to be explored depending on the requirement, because the TLS verification information is stamped into the received headers before content filters are executed.


  • 3.  RE: Default to outbound TLS

    Posted Sep 22, 2011 10:59 PM

    Will this affect both directions of flow since it's on the Delivery tab?



  • 4.  RE: Default to outbound TLS

    Posted Sep 23, 2011 06:39 AM

    Content filters offer the option to enforce receiving with TLS.

    Hosts - Configuration - SMTP - Advanced offers the option to attempt TLS delivery for all delivery attempts. This can then be more granularly controlled in the domain records.



  • 5.  RE: Default to outbound TLS

    Posted Sep 23, 2011 11:35 AM

    Yes, this will affect inbound and outbound logical flow.



  • 6.  RE: Default to outbound TLS

    Posted Sep 23, 2011 02:31 PM

    I thought content filters could only require delivery with TLS, which of course applies to every recipient.

    The problem using content filters to check for inbound TLS is matching up the correct header, since the sender could have used TLS within their organization on the way to the edge. I might see multiple TLS headers. The compliance policy would need to correctly match on the single header including one of my edge gateways and TLS and the correct sender domain. Not sure I can write that regex!

    example:

    Received: from tems6a.external.com (tems6a.external.com  [1.2.3.4] ) (using TLS with cipher AES256-SHA (AES256-SHA/256 bits))  (Client did not present a certificate) by mygateway.example.com (mygateway.example.com) with SMTP id 5B.EE.30242.F370A7E4; Wed, 21 Sep 2011 15:48:15 +0000

    Received: from internalhop.external.com (internalhop.external.com  [10.9.8.6] ) (using TLS with cipher AES256-SHA (AES256-SHA/256 bits))  (Client did not present a certificate) by tems6a.external.com tems6a.external.com) with SMTP id abcxys4; Wed, 21 Sep 2011 15:47:15 +0000

    .. etc...
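Worked example (added here; it is not part of the thread and not SBG's own content-filter logic): the post above identifies the real problem with checking inbound TLS from Received headers, namely that the sender's internal relays may also have stamped "using TLS", so a check that merely looks for that phrase anywhere in the header stack is satisfied even when the final hop to our gateway was plaintext. The script below shows the check done correctly: walk the Received headers top-down (each relay prepends its own, so the most recent hop comes first), take the first one stamped "by" one of our own edge gateways, and only then look at whether that specific hop carried the TLS clause and came from the expected sender domain. The gateway hostname in `EDGE_GATEWAYS`, the sample messages and their SMTP ids are constructed for this example, modelled on the headers quoted in the post; the header wording mirrors the post's sample rather than any documented SBG format.

```python
import re
from email import message_from_string

# Constructed for this example: the hostnames of our own edge gateways.
# Only a Received header stamped "by" one of these was written at our
# perimeter; everything below it in the header stack was written by the
# sender's own relays and proves nothing about the hop into our network.
EDGE_GATEWAYS = {"mygateway.example.com"}

# Three small regexes instead of one header-wide pattern: the parenthesised
# clauses nest ("(using TLS with cipher X (X/256 bits))"), which a single
# regex handles badly.
FROM_RE = re.compile(r"^from\s+(?P<host>[^\s(]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(?P<host>[^\s(;]+)", re.IGNORECASE)
TLS_RE = re.compile(r"using TLS with cipher\s+(?P<cipher>[^\s()]+)")


def parse_received(value):
    """Pull from-host, by-host and cipher (None if plaintext) out of one
    Received header value. Folded continuation lines are collapsed first."""
    text = " ".join(value.split())
    frm, by, tls = FROM_RE.search(text), BY_RE.search(text), TLS_RE.search(text)
    return {
        "from": frm.group("host").lower() if frm else None,
        "by": by.group("host").lower() if by else None,
        "cipher": tls.group("cipher") if tls else None,
    }


def edge_hop(raw_message, edge_gateways=EDGE_GATEWAYS):
    """Return the parsed Received header for the hop into our perimeter,
    or None if no header was stamped by one of our gateways.

    Each relay prepends its Received header, so get_all() yields the most
    recent hop first; the first one "by" an edge gateway is the handoff
    we care about."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop["by"] in edge_gateways:
            return hop
    return None


def naive_any_tls(raw_message):
    """The check the post warns against: 'some Received header mentions
    TLS'. Satisfied by the sender's internal hops alone."""
    msg = message_from_string(raw_message)
    return any("using TLS" in value for value in msg.get_all("Received", []))


def require_tls_from(raw_message, sender_domain, edge_gateways=EDGE_GATEWAYS):
    """Policy the post is reaching for: the hop that handed the message to
    one of our gateways came from a host in sender_domain and used TLS."""
    hop = edge_hop(raw_message, edge_gateways)
    if hop is None or hop["from"] is None:
        return False
    in_domain = hop["from"] == sender_domain or hop["from"].endswith("." + sender_domain)
    return in_domain and hop["cipher"] is not None


# Constructed sample, modelled on the headers quoted in the thread: both the
# sender's internal hop and the handoff to our gateway used TLS.
SAMPLE_TLS_EDGE = """\
Received: from tems6a.external.com (tems6a.external.com [1.2.3.4])
\t(using TLS with cipher AES256-SHA (AES256-SHA/256 bits))
\t(Client did not present a certificate)
\tby mygateway.example.com (mygateway.example.com) with SMTP id 5B.EE.30242.F370A7E4;
\tWed, 21 Sep 2011 15:48:15 +0000
Received: from internalhop.external.com (internalhop.external.com [10.9.8.6])
\t(using TLS with cipher AES256-SHA (AES256-SHA/256 bits))
\tby tems6a.external.com (tems6a.external.com) with SMTP id abcxys4;
\tWed, 21 Sep 2011 15:47:15 +0000
Subject: test

body
"""

# Constructed sample of the trap: TLS inside the sender's organisation, but
# the final hop to our gateway was plaintext. SMTP ids are placeholders.
SAMPLE_PLAIN_EDGE = """\
Received: from tems6a.external.com (tems6a.external.com [1.2.3.4])
\tby mygateway.example.com (mygateway.example.com) with SMTP id PLACEHOLDER-ID;
\tWed, 21 Sep 2011 16:02:10 +0000
Received: from internalhop.external.com (internalhop.external.com [10.9.8.6])
\t(using TLS with cipher AES256-SHA (AES256-SHA/256 bits))
\tby tems6a.external.com (tems6a.external.com) with SMTP id PLACEHOLDER-ID2;
\tWed, 21 Sep 2011 16:01:50 +0000
Subject: test

body
"""

if __name__ == "__main__":
    for name, raw in (("tls edge", SAMPLE_TLS_EDGE), ("plain edge", SAMPLE_PLAIN_EDGE)):
        print(name, "naive:", naive_any_tls(raw),
              "edge:", edge_hop(raw),
              "policy:", require_tls_from(raw, "external.com"))
```

Run stand-alone it prints both verdicts for each sample: the naive check reports TLS for both messages, while `require_tls_from` only accepts the one whose edge hop actually used TLS. The same idea carries over to a content-filter regex: anchor it on the "by <your gateway>" token rather than on "using TLS" alone, so internal hops on the sender's side cannot satisfy it.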