Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

TLS encrypted SMTP connection

Created: 11 Jul 2013 | 7 comments


we are running two Symantec Email Gateways + one control center Version 10.0.1-2. I was requested to enable TLS encrypted SMTP connection to one our external partners.

So the communication is between our Scanners and an External MTA.

Is there any official guide to fullfill this?

Or can anybody explain me the steps which are necessary.

Thanks and regards

Operating Systems:
Discussion Filed Under:

Comments 7 CommentsJump to latest comment

BenDC's picture

To receive mail via TLS:

You will need to creat a Certificate Signing Request (CSR) on each Messaging Gateway that will be accepting mail via TLS. Purchase certificates from a Certificate Authority (CA). Then install the certificate and any intermediate certificates provided by the CA in the Symantec Messaging Gateway (SMG). Then once the certificate is installed you would select the certificate for use in inbound SMTP options for each host installed to.

Generation of a CSR and installation of certificates is done in Administration -> Certificates, installation of intermediate certificates is in the Certificate Authorty tab.

To set the MTA to accept message via TLS

Administration -> Configuration -> Select a host -> SMTP -> Inbound -> Check Accept TLS encryption, select the certificate for that host. Click Save.

To transmit using TLS:

You can tell Symantec Messaging Gateway to attempt to send via TLS for all messages in host delivery options.

Administration -> Configuration -> Select the host -> SMTP -> Advanced Settings -> Delivery -> Check Attempt TLS encrypteion for Delivery of all messages.

Click contiune then save.

Contonso's picture

Hi BenDC,

thanks for your reply.

Is there anything which I should consider when activating TLS encryption. I don't want to disturb any other incoming and outgoing traffic.

Just one further thing. We only will receive encrypted messages from our external partner. We will not send. Do we need to purchase a certificate by a CA in this scenario as well?

Thanks and regards.

BenDC's picture

Keep in mind with inbound TLS enabled anyone is able to request a TLS connection durring the SMTP converstation, so you cannot choose to specifically allow one sender or group of senders to send TLS.

Enabling TLS on its own will not prevent mail from coming in it is just an option to encrypt the communications, if TLS negoitaion fails it will fall back to a non encryption transmission.

That will depend on your external partners/senders, if their MTA will accept a cert that is not provided by a CA/Self Signed.

Sudhir K Mourya IBM's picture

Dear you can go through below link for better understading and enabling for inbound and outbound.

You can also use selfsign cetificate if you want.

its better to create a group for testing and use "Attempt TLS encryption for Delivery of all messages" option.



Contonso's picture

Hi Ben, hi Sudhir,

do you know if the Symantec message gateways support wildcard certificates? We are planning to buy certificates and we thoght it would make more sence to use wildcard certificates.

Is there any official info of symnatec that wildcard certificates are supported or not?


BenDC's picture

You can import a wildcard certificate however it typically requires modification of the certificate to allow it to be imported.

Installing Certificate Authority (CA) signed certificates without corresponding Certificate Signing Request (CSR) on Symantec Messaging Gateway (SMG)