
OK guys, how do you enforce TLS with Brightmail?

Created: 09 Apr 2013 • Updated: 09 Apr 2013 | 10 comments

It seems like the whole world has gone crazy with TLS enforce requirements.

 

We have been running with opportunistic TLS for ages, even before Brightmail and never thought twice about it.  We have other solutions for *real* email encryption.

 

Recently it seems many companies have "discovered" TLS and they think that this is some kind of a super-duper new technology. Some large companies even have entire departments dedicated to TLS. And then they send us a long list of their domains to which they want us to enforce TLS, or else they won't do business with us.

 

So I go to Protocols/Domains and add their domains as non-local, with the require TLS option.

 

But eventually the list of domains there has grown quite large (170 entries currently). And now each time I go to Protocols/Domains, it takes a loooong time to display them.

 

But that's not the bad part. The bad part is that each time I add a new domain to the list (or edit an existing entry), I start getting alerts from our Brightmail scanner appliances saying that they crashed and/or a bad message was De-queued.

 

It seems Brightmail can only handle so few entries in the Protocols/Domains list before it starts throwing fits when you add one more entry.


TSE-JDavis

The other option is to attempt TLS on all outbound emails. This is done under that scanner in Administration -> Configuration under the SMTP tab, Advanced Settings and then the Delivery tab. That takes all the guesswork out of it and as long as the recipient's mail server advertises TLS we will send the message using it.

ANDREY FYODOROV

Oh, we have always had the opportunistic TLS for all outgoing email turned on.

 

But these people want us to Enforce TLS when communicating with them or else they won't do business with us.

TSE-JDavis

I understand that, but as long as their mail servers advertise TLS we will deliver it that way. The only difference between the options is that the email will sit in the Delivery queue if we don't see STARTTLS advertised by their mail server.
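The difference described in the reply above, as an added example that is not part of the original thread and is not Symantec's code: it parses an EHLO reply for the STARTTLS keyword and returns what happens to the message under each policy. The policy names, result strings, hostnames and sample replies are constructed for illustration; `probe` is an optional live check against a real MX host.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = "250-mx.partner.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx.legacy.example\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply):
    """Return the set of ESMTP keywords in a multi-line 250 EHLO reply."""
    keywords = set()
    lines = [l for l in reply.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        fields = line[4:].split()
        if index > 0 and fields:  # line 0 is the server greeting, not a keyword
            keywords.add(fields[0].upper())
    return keywords


def delivery_decision(policy, reply):
    """policy is 'opportunistic' or 'enforced' (labels chosen for this example)."""
    if policy not in ("opportunistic", "enforced"):
        raise ValueError("unknown policy: %r" % policy)
    if "STARTTLS" in ehlo_extensions(reply):
        return "deliver-tls"
    # No STARTTLS advertised: opportunistic falls back, enforced holds the mail.
    return "deliver-plaintext" if policy == "opportunistic" else "queue"


def audit(replies, policy):
    """Map each domain to its decision, given a dict of domain -> EHLO reply."""
    return {domain: delivery_decision(policy, r) for domain, r in replies.items()}


def probe(mx_host, timeout=10):
    """Live check: True if mx_host advertises STARTTLS and the handshake succeeds."""
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as conn:
            conn.ehlo()
            if not conn.has_extn("starttls"):
                return False
            conn.starttls(context=ssl.create_default_context())
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False
```

Running `probe` over a partner's MX hosts before adding the domain with the require-TLS option shows in advance whether enforced delivery would queue.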

ANDREY FYODOROV

Fine, but they insist that we use Forced TLS to them. They don't want mail to be delivered at all if TLS cannot be established. They don't want to play opportunistic TLS.

TSE-JDavis

Regarding the slow performance, it sounds like you may be running into a resource issue. You may want to try running a repair on the database. This can be done at the command-line interface by running: cc-config database --repair.

Are you running this as a VM or on physical hardware? Are you sure that you are meeting our system requirements?

ANDREY FYODOROV

Physical.  The control center is model 8380 and scanners are 8360.

We don't have any other performance issues per se.

Just this problem with adding new domains or modifying existing domains under Protocols/Domains.

TSE-JDavis

Which version of the SMG software are you running? Also, which web browser are you using?

ANDREY FYODOROV

Version 10.0.1

 

I use Google Chrome or IE. Shouldn't matter though.

TSE-JDavis

It most certainly matters which browser. Chrome is not supported and may not load all of the elements of the page correctly. We get calls from people using Chrome that see all manner of strange UI behaviour and pop-up warnings that never show up. When using IE, I recommend you use the compatibility mode.

I have never heard of customers experiencing slowness on the Domains page, but I have not heard of customers having that many non-local domain entries either. What were the results of the database repair?

ANDREY FYODOROV

OK, I will take your word about Chrome, however I never had any problems with Chrome and Brightmail.

 

The repair ran briskly and OKed everything.

 

 

xxxxxxxxx01> cc-config database --repair
This operation may take an extended period of time, during which the Control Center will be unavailable.  You will not be able to cancel this operation.  Do you wish to proceed?  (yes/no) yes
brightmail.admin_compliance_folder                 OK
brightmail.admin_password_history                  OK
brightmail.admin_user                              OK
brightmail.compliance_informational                OK
brightmail.compliance_informational_delete_queue   OK
brightmail.compliance_informational_folder         OK
brightmail.compliance_migration_status             OK
brightmail.compliance_quarantine                   OK
brightmail.compliance_quarantine_delete_queue      OK
brightmail.compliance_quarantine_dlp               OK
brightmail.compliance_quarantine_recipient         OK
brightmail.custom_rule                             OK
brightmail.custom_rule_condition                   OK
brightmail.day_zero_message                        OK
brightmail.dlp_incident_update                     OK
brightmail.file_class                              OK
brightmail.file_type                               OK
brightmail.host                                    OK
brightmail.incident_audit_log                      OK
brightmail.installation                            OK
brightmail.log                                     OK
brightmail.log_action                              OK
brightmail.log_marker                              OK
brightmail.log_severity                            OK
brightmail.mail_transfer_event                     OK
brightmail.policy_annotation                       OK
brightmail.policy_archive                          OK
brightmail.policy_attachment                       OK
brightmail.policy_attachment_type                  OK
brightmail.policy_dictionary                       OK
brightmail.policy_dictionary_item                  OK
brightmail.policy_notification                     OK
brightmail.policy_pattern                          OK
brightmail.policy_record                           OK
brightmail.policy_record_field                     OK
brightmail.policy_record_view                      OK
brightmail.policy_record_view_field                OK
brightmail.policy_threat_track                     OK
brightmail.report_connection_classes               OK
brightmail.report_executive                        OK
brightmail.report_favorite                         OK
brightmail.report_incident_history                 OK
brightmail.report_invalid_rcpt                     OK
brightmail.report_invalid_rcpt_alias               OK
brightmail.report_invalid_rcpt_buffer
note     : The storage engine for the table doesn't support repair
brightmail.report_invalid_rcpt_domain              OK
brightmail.report_invalid_rcpt_summary             OK
brightmail.report_invalid_rcpt_timestamp           OK
brightmail.report_message                          OK
brightmail.report_policy                           OK
brightmail.report_policy_name                      OK
brightmail.report_policy_summary                   OK
brightmail.report_rcpt                             OK
brightmail.report_rcpt_alias                       OK
brightmail.report_rcpt_buffer
note     : The storage engine for the table doesn't support repair
brightmail.report_rcpt_domain                      OK
brightmail.report_reputation                       OK
brightmail.report_sender                           OK
brightmail.report_sender_alias                     OK
brightmail.report_sender_buffer
note     : The storage engine for the table doesn't support repair
brightmail.report_sender_domain                    OK
brightmail.report_sender_helo                      OK
brightmail.report_sender_ip_address                OK
brightmail.report_smtp_connection                  OK
brightmail.report_smtp_connection_address          OK
brightmail.report_smtp_login_failure               OK
brightmail.report_spam_summary                     OK
brightmail.report_total                            OK
brightmail.report_total_host                       OK
brightmail.report_virus                            OK
brightmail.report_virus_name                       OK
brightmail.report_virus_summary                    OK
brightmail.sender_group                            OK
brightmail.settings_address_masquerading           OK
brightmail.settings_agent                          OK
brightmail.settings_alert                          OK
brightmail.settings_alert_notification             OK
brightmail.settings_alias                          OK
brightmail.settings_ca_certificate_detail          OK
brightmail.settings_certificate                    OK
brightmail.settings_certificate_detail             OK
brightmail.settings_certificate_selection          OK
brightmail.settings_compliance                     OK
brightmail.settings_compliance_tmp                 OK
brightmail.settings_connection_class               OK
brightmail.settings_container                      OK
brightmail.settings_dds                            OK
brightmail.settings_dkim                           OK
brightmail.settings_dkim_domain                    OK
brightmail.settings_dlp_incident_update            OK
brightmail.settings_domain                         OK
brightmail.settings_domain_destination_host        OK
brightmail.settings_host_access_control            OK
brightmail.settings_log                            OK
brightmail.settings_message_queue                  OK
brightmail.settings_notification_template          OK
brightmail.settings_policy                         OK
brightmail.settings_probe                          OK
brightmail.settings_quarantine                     OK
brightmail.settings_report                         OK
brightmail.settings_scanner_replication            OK
brightmail.settings_scheduled_backups              OK
brightmail.settings_smtp_filter_host               OK
brightmail.settings_smtp_mgmt_host                 OK
brightmail.settings_spc                            OK
brightmail.settings_submissions                    OK
brightmail.settings_submitters_list                OK
brightmail.settings_system                         OK
brightmail.settings_user_pref                      OK
brightmail.site                                    OK
brightmail.spam_message_delete_audit_queue         OK
brightmail.spam_message_delete_queue               OK
brightmail.spam_message_release_audit              OK
brightmail.spam_message_summary                    OK
brightmail.spam_message_summary_from_addr_head     OK
brightmail.spam_message_summary_msg_id             OK
brightmail.spam_message_summary_subject            OK
brightmail.status                                  OK
brightmail.status_component_crash                  OK
brightmail.status_jlu                              OK
brightmail.status_record                           OK
brightmail.status_record_replication               OK
brightmail.status_rule_update                      OK
brightmail.status_scheduled_task                   OK
brightmail.status_user_pref                        OK
brightmail.status_version                          OK
brightmail.status_watchdog                         OK
brightmail.user                                    OK
brightmail.user_spam_message                       OK
brightmail.user_spam_message_to_addr_env           OK
brightmail.user_token                              OK
brightmail.virus_exclude                           OK
brightmail.virus_exclude_item                      OK
brightmail.web_service_client                      OK
xxxxxxxxx01>