
SMG 9.5: TLS implementation

Created: 05 Sep 2013 | 5 comments
cus000

Hi All,

For TLS implementation, let's say only for 1 domain.

1) We have to give them our cert then they will pass their cert also right?

2) Also, if we have IronPort as MX holder in front of SBG, do we need to install the cert into SBG too?



BenDC

1) Client certificates are optional for TLS; typically only the server that is accepting the message has the TLS certificate. The receiving server will advertise STARTTLS as an available command at the start of the ESMTP conversation. No client/sender certificate is required.

2) If the IronPort is accepting the entire message from the internet via TLS you will not need the SMG to do TLS as the senders won't be communicating with the SMG.

cus000

Hi BenDC,

Thanks for the reply!

1) What I meant is the CA cert for MTA:

say in my case for outbound delivery.. it's from Outbound SBG then to Internet... do we need to install the CA cert into this Outbound SBG and pass the copy to our customer?

2) Means that after the email pass the IronPort, it would be transparent to the SBG?

All those forced TLS setting for specific domain would need to configure inside the IronPort right?

BenDC

1) It is not required to have a certificate to send messages outbound with TLS. TLS is a function of the receiving system.

2) If the IronPort is accepting the messages from the senders via TLS then the IronPort would need to be configured. Also, if the IronPort is sending the messages to the internet it would likely need to be configured to attempt TLS if the receiving server advertises TLS.

cus000

1) Noted

2) Noted too.... for outbound sender final gateway would be from SMG...architecture would be something like below:

Incoming Email

Internet --> IronPort --> Inbound SMG --> Exchange --> User

*Basically if we configure TLS here... it would be only at IronPort right and it would be transparent to SMG?

Outbound Email

User --> Exchange --> Outbound SMG --> Internet

*For Outbound... may need to configure attempt TLS at the SMG ?

Thanks again!

BenDC

Correct, incoming would be the first system to accept mail from the internet, in this case the IronPort.

If you want the SMG to send using TLS to domains on the internet, that would be administration -> configuration -> <select host> -> SMTP -> Advanced Settings -> Delivery -> Check "Attempt TLS encryption for delivery of all messages" and it will attempt to deliver via TLS if the receiving server advertises it can do TLS.

SMTP Outbound on SMG would only accept messages via TLS from the exchange server.
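An added check (example code, not from this thread and not part of SMG or IronPort) for the point BenDC makes: "Attempt TLS" delivery only encrypts when the receiving server advertises STARTTLS in its EHLO reply, and a missing advertisement silently means clear-text delivery. The parser runs on constructed EHLO replies; `probe_starttls` is a hypothetical helper that performs the same check against a live receiving host.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (b"250-mx.example.net Hello probe.example\r\n"
                 b"250-SIZE 52428800\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")
EHLO_NO_TLS = (b"250-mx.example.net Hello probe.example\r\n"
               b"250-SIZE 10240000\r\n"
               b"250 8BITMIME\r\n")

def parse_ehlo_extensions(ehlo_reply):
    """Map each advertised ESMTP extension keyword to its parameter list."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for line in lines[1:]:  # line 0 is the server greeting, not an extension
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue  # only well-formed 250 continuation/final lines count
        fields = line[4:].split()
        if fields:
            extensions[fields[0].upper()] = fields[1:]
    return extensions

def advertises_starttls(ehlo_reply):
    """True only if STARTTLS is offered, i.e. opportunistic TLS can happen."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)

def probe_starttls(host, port=25, timeout=10):
    """Live check: talk to a receiving MX the way an opportunistic sender does."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")  # hypothetical probe hostname
        if not smtp.has_extn("starttls"):
            return {"starttls": False}  # an "attempt TLS" sender falls back to clear text here
        context = ssl.create_default_context()  # verifies the server cert against the local trust store
        smtp.starttls(context=context)  # raises ssl.SSLError on handshake or verification failure
        smtp.ehlo("probe.example")  # extensions must be re-read after the upgrade
        return {"starttls": True,
                "tls_version": smtp.sock.version(),
                "subject": smtp.sock.getpeercert().get("subject")}

if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1]))
```

Because the live probe verifies the receiver's certificate with the local trust store, a customer's private CA certificate (the question raised in the thread) has to be installed there for the handshake to succeed.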