Messaging Gateway

  • 1.  SMG TLS capabilities

    Posted May 09, 2012 09:50 AM

    We are running SMG 953 and we have forced TLS between our domain and a few other domains.  We have recently had some concerns with senders adding additional recipients at a destination that does not accept TLS (we also have opportunistic TLS being used for all destinations). 

    Our concern is that sensitive information is being transferred across the internet with no encryption.  Is there a way to configure SMG to either strip the non 'forced TLS' recipients and notify the sender of the TLS violation (preferred), or drop the entire message and notify the sender of the TLS violation?

     

    Thanks in advance for any assistance,



  • 2.  RE: SMG TLS capabilities

    Posted May 09, 2012 02:04 PM

    If you are referring to external senders delivering messages to you, then there is no policy that could affect what occurred outside of your environment. Once the message is delivered to you, it would have already been delivered in the clear to other domains as well.

    However, if you are referring to internal senders delivering to external domains, then you can use Content Filter policies to require TLS delivery for messages that the policy triggers on. That way, if a message triggers the policy and tries to deliver to a non-TLS connection, it will not deliver for non-TLS enabled domains.

    You would do this by adding a Content Filtering Policy that has a Condition that will trigger on these messages and has an Action of "Deliver message with TLS encryption" and utilizes one of the Require options.

    Unfortunately, there is no way for a Content Filtering policy to know if a receiving domain is TLS capable. This information is not determined until the delivery handshake has already started.
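
Added example (not part of the thread and not SMG code): a Python model of generic SMTP delivery, showing that whether a destination offers STARTTLS is only known from its EHLO reply and is decided separately for each recipient domain. The EHLO replies, domain names, addresses and action labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed EHLO replies, one per destination domain (multiline 250 replies).
SAMPLE_EHLO = {
    "partner.example": "250-mx.partner.example Hello\r\n250-SIZE 52428800\r\n"
                       "250-STARTTLS\r\n250 8BITMIME\r\n",
    "other.example": "250-mx.other.example Hello\r\n250-SIZE 10485760\r\n"
                     "250 8BITMIME\r\n",
}


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a 250 EHLO reply."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    for line in lines:
        # Every line is '250-' (more follow) or '250 ' (last line).
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a successful EHLO reply: %r" % line)
    # The first line is the server greeting; extensions start on line two.
    return {ln[4:].split(" ", 1)[0].upper() for ln in lines[1:] if ln[4:]}


def plan_delivery(recipients, require_tls, ehlo_replies):
    """Group recipients by domain and decide, per domain, how delivery ends."""
    by_domain = defaultdict(list)
    for rcpt in recipients:
        by_domain[rcpt.rsplit("@", 1)[1].lower()].append(rcpt)
    plan = {}
    for domain, rcpts in by_domain.items():
        # The capability is learned here, after the connection is open.
        offers_tls = "STARTTLS" in ehlo_extensions(ehlo_replies[domain])
        if offers_tls:
            action = "deliver-tls"
        elif require_tls:
            action = "hold-no-tls"        # never sent in the clear
        else:
            action = "deliver-cleartext"  # opportunistic TLS falls back
        plan[domain] = (action, rcpts)
    return plan


if __name__ == "__main__":
    rcpts = ["alice@partner.example", "bob@other.example"]
    for mode in (False, True):
        print("require_tls=%s" % mode, plan_delivery(rcpts, mode, SAMPLE_EHLO))
```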



  • 3.  RE: SMG TLS capabilities

    Posted May 09, 2012 03:47 PM

    Good information!  Thank you.  I'm going to look into testing this in our test environment to confirm that it allows the rest of our content rules to process and works as we would expect.  Thank you again! I'll update with my findings and progress.