Messaging Gateway

  • 1.  SMG 9.5: TLS implementation

    Posted Sep 06, 2013 12:50 AM

    Hi All,


    For TLS implementation, let say only for 1 domain.


    1) We have to give them our cert then they will pass their cert also right?


    2) Also, if we have IronPort as MX holder in front of SBG, do we need to install the cert into SBG too?


    Thanks!



  • 2.  RE: SMG 9.5: TLS implementation

    Posted Sep 06, 2013 03:44 PM

    1) Client certificates are optional for TLS; typically only the server that is accepting the message has the TLS certificate. The receiving server will advertise STARTTLS as an available command at the start of the ESMTP conversation. No client/sender certificate is required.

    2) If the IronPort is accepting the entire message from the internet via TLS you will not need the SMG to do TLS as the senders won't be communicating with the SMG.



  • 3.  RE: SMG 9.5: TLS implementation

    Posted Sep 09, 2013 01:04 AM

    Hi BenDC,

    Thanks for the reply!

    1) What I meant is the CA cert for the MTA:

    Say, in my case, for outbound delivery: it's from the Outbound SBG then to the Internet. Do we need to install the CA cert into this Outbound SBG and pass a copy to our customer?

    2) Means that after the email passes the IronPort, it would be transparent to the SBG?

    All those forced TLS settings for a specific domain would need to be configured inside the IronPort, right?



  • 4.  RE: SMG 9.5: TLS implementation

    Posted Sep 09, 2013 09:36 AM

    1) It is not required to have a certificate to send messages outbound with TLS. TLS is a function of the receiving system.

    2) If the IronPort is accepting the messages from the senders via TLS then the IronPort would need to be configured. Also, if the IronPort is sending the messages to the internet it would likely need to be configured to attempt TLS if the receiving server advertises TLS.



  • 5.  RE: SMG 9.5: TLS implementation

    Posted Sep 17, 2013 11:14 PM

    1) Noted


    2) Noted too.... for outbound, the sender's final gateway would be the SMG... the architecture would be something like below:


    Incoming Email

    Internet --> IronPort --> Inbound SMG --> Exchange --> User

    *Basically, if we configure TLS here... it would be only at the IronPort, right, and it would be transparent to the SMG?


    Outbound Email

    User --> Exchange --> Outbound SMG --> Internet

    *For outbound... may need to configure attempt TLS at the SMG?


    Thanks again!




  • 6.  RE: SMG 9.5: TLS implementation

    Posted Sep 18, 2013 09:33 AM

    Correct, incoming would be the first system to accept mail from the internet, in this case the IronPort.

    If you want the SMG to send using TLS to domains on the internet, that would be administration -> configuration -> <select host> -> SMTP -> Advanced Settings -> Delivery -> Check "" and it will attempt to deliver via TLS if the receiving server advertises it can do TLS.

    SMTP Outbound on SMG would only accept messages via TLS from the exchange server.
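
Added example (not from the thread or the SMG product) illustrating replies 2 and 6: the sending gateway decides whether to negotiate TLS by reading the STARTTLS keyword the receiving server advertises in its EHLO reply, and a per-domain forced-TLS list decides what happens when it is not offered. The EHLO replies, host names and the `forced_tls_domains` policy are constructed for the example.

```python
from typing import Set

# Constructed EHLO replies (not captured traffic): the first receiving MTA
# advertises STARTTLS, the second does not, the third rejects EHLO outright.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello relay.example.com\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net Hello relay.example.com\r\n"
    "250 8BITMIME\r\n"
)
EHLO_REJECTED = "502 5.5.2 Error: command not recognized\r\n"


def parse_ehlo_extensions(reply: str) -> Set[str]:
    """Return the upper-cased ESMTP keywords from a multi-line 250 reply.

    Lines look like '250-KEYWORD [params]'; the last one uses '250 ' instead of
    '250-'. The first line is the greeting. Any non-250 line means EHLO failed.
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines or any(not ln.startswith("250") for ln in lines):
        return set()
    keywords = set()
    for ln in lines[1:]:
        keyword = ln[4:].split(" ", 1)[0].upper()  # drop '250-' / '250 '
        if keyword:
            keywords.add(keyword)
    return keywords


def decide_delivery(domain: str, ehlo_reply: str, forced_tls_domains: Set[str]) -> str:
    """'starttls' if offered; otherwise 'defer' for forced-TLS domains
    (never fall back to cleartext) and 'plaintext' for opportunistic ones."""
    if "STARTTLS" in parse_ehlo_extensions(ehlo_reply):
        return "starttls"
    if domain.lower() in {d.lower() for d in forced_tls_domains}:
        return "defer"
    return "plaintext"


if __name__ == "__main__":
    policy = {"partner.example"}  # constructed forced-TLS domain list
    print(decide_delivery("partner.example", EHLO_WITH_STARTTLS, policy))     # starttls
    print(decide_delivery("partner.example", EHLO_WITHOUT_STARTTLS, policy))  # defer
    print(decide_delivery("other.example", EHLO_WITHOUT_STARTTLS, policy))    # plaintext
```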