Introduction to configuring email security using TLS

The following is a sample workflow for setting up inbound TLS from an external domain. It's recommended that when setting up your TLS inbound configuration, you start with the weakest validation and progress to a stronger validation iteratively to ensure that your configuration works as you expect.

Starting with opportunistic TLS

1. Set up opportunistic TLS. You need to enable this globally following the instructions in Enable TLS communication. If you've previously set this for your outbound TLS configuration, this requires no further change.
2. Set up the appropriate signing and client certificates. For more information on the required TLS certificates and keys, refer to Required TLS certificates and keys.
3. Have a message sent to you and look in Messages > Track Messages to see if the message was received correctly and whether TLS was used.
4. You may need to speak to the administrator of the external domain to notify them of the certificates you have in use, if the opportunistic TLS connection fails.

Transitioning to mandatory TLS

These instructions follow on from the step list above.

1. Create a new Connection Profile, using the instructions in How do I create a Connection Profile?.
2. Set up either a list of client hosts or sender domain names. Refer to How do I add a client host? or How do I add a sender domain? for more information. Setting up client hosts is particularly easy for internal communication, where the list of IP addresses is known. For external communication, you may find configuration easier using sender domains.
3. When the connection profile has the client hosts or sender domains configured, enable mandatory TLS connections for the profile. Set the encryption strength and the client certificate validation method. Refer to How do I apply TLS settings to an Inbound Connection? for more information on these settings.
4. Experiment with these settings, using the weakest configuration first. If the message is received successfully, adjust the settings in step three as many times as you require until you are satisfied with the strength of the TLS configuration.

Adjusting the client certificate validation using Common Name (CN) matching may require negotiation with the administrator of the external domain. Refer to Example: Wildcard matching for more information.

The following is a sample workflow for setting up outbound TLS to an external domain. It's recommended that when setting up your TLS outbound configuration, you start with the weakest validation and progress to a stronger validation iteratively to ensure that your configuration works as you expect.

Starting with opportunistic TLS

1. Set up opportunistic TLS. You need to enable this globally following the instructions in Enable TLS communication. If you've previously set this for your inbound TLS configuration, this requires no further change.
2. Set up the appropriate signing and client certificates. For more information on the required TLS certificates and keys, refer to Required TLS certificates and keys.
3. Send a message and look in Messages > Track Messages to see if the message was delivered correctly and whether TLS was used.
4. If the message has gone through, you may want to switch to mandatory TLS to strengthen your TLS configuration.

Transitioning to mandatory TLS

These instructions follow on from the step list above.

1. Create a new Connection Profile, using the instructions in How do I create a Connection Profile?.
2. Enable mandatory TLS connections for the profile, choose a level of cipher strength and set the certificate validation method. For more information on these settings refer to How do I apply TLS settings to an Outbound Connection?.
3. Experiment with these settings, using the weakest configuration first. If the message delivery is successful, adjust the settings in step two as many times as you require until you are satisfied with the strength of the TLS configuration.
4. Go to System > SMTP Settings > Mail Domains and Routing to set up the email route, using the Connection Profile you've created for TLS configuration. For more information on setting up an email route, refer to Specifying Routing of Email.