This document describes frequently asked questions about the configuration of Transport Layer Security (TLS) on the Email Security Appliance (ESA).
What is TLS?
As defined in RFC 3207, "TLS is an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. TLS is a popular mechanism for enhancing TCP communications with privacy and authentication." The STARTTLS implementation on the ESA provides privacy through encryption. It allows you to import an X.509 certificate and private key from a certificate authority service, or use a self-signed certificate.
What is required to enable TLS on the ESA?
The following steps are necessary to enable TLS:
Install certificates on the ESA
Enable TLS on the system for receiving, delivery, or both
Note: The ESA includes a demonstration certificate for testing purposes. The demo certificate is not secure and is not recommended for general use.
The following steps are necessary to require TLS from remote hosts that communicate with your ESA public listener (Receiving). TLS is enabled in the Host Access Table (HAT) of the listener that communicates with those remote hosts:
Go to GUI: Mail Policies > Mail Flow Policies
Select the listener to which remote hosts will connect from the listener drop-down menu on the Mail Flow Policies page.
Enable TLS on one or more Mail Flow Policies by clicking the policy name and checking the Use TLS check box at the bottom of the Edit Policy page.
The ESA mail logs contain entries for successful and failed TLS connections. You can use command line tools such as grep to search for specific log entries. You can also configure system alerts when TLS connections fail via the GUI: System Administration > Alerts page or the CLI alertconfig command.
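As an added example (not part of the original document or of Cisco's own tooling), the script below does what the paragraph describes with grep, but in Python: it reads mail log lines, picks out the TLS success and failure entries, and produces the counts an administrator would want to alert on. The sample log lines are constructed for this example, and the exact line format they assume ("ICID/DCID <n> TLS success protocol ... cipher ..." and "ICID/DCID <n> TLS failed: ...") is an assumption that should be checked against the mail_logs on your own appliance before the regular expression is reused.

```python
import re
from collections import Counter

# Constructed sample of ESA-style mail_logs lines. The line format (ICID/DCID,
# "TLS success protocol ... cipher ...", "TLS failed: ...") is an ASSUMPTION for
# this example, not quoted from the page; compare it with your own mail_logs.
SAMPLE_LOG = """\
Mon Jan  1 10:00:01 2024 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 198.51.100.20
Mon Jan  1 10:00:02 2024 Info: ICID 101 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Mon Jan  1 10:00:05 2024 Info: ICID 102 TLS failed: (336109761, 'error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure')
Mon Jan  1 10:00:09 2024 Info: DCID 501 TLS success protocol TLSv1 cipher AES128-SHA
Mon Jan  1 10:00:12 2024 Info: DCID 502 TLS failed: (0, 'connection closed during handshake')
Mon Jan  1 10:00:15 2024 Info: Message finished MID 77 done
"""

# Matches only the TLS outcome lines; every other log line is ignored.
TLS_LINE = re.compile(
    r"^(?P<ts>.+?\d{4}) Info: (?P<kind>ICID|DCID) (?P<cid>\d+) TLS "
    r"(?P<result>success|failed)"
    r"(?: protocol (?P<proto>\S+) cipher (?P<cipher>\S+))?"
    r"(?::\s*(?P<reason>.*))?$"
)

# Protocol versions that should be treated as findings if they still show up.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_events(log_text):
    """Return one dict per TLS success/failure line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "timestamp": d["ts"],
            # ICID = incoming connection (receiving), DCID = delivery connection
            "direction": "inbound" if d["kind"] == "ICID" else "outbound",
            "cid": int(d["cid"]),
            "ok": d["result"] == "success",
            "protocol": d["proto"],
            "cipher": d["cipher"],
            "reason": d["reason"],
        })
    return events


def summarize(events):
    """Counts worth alerting on: failures per direction and deprecated protocol use."""
    summary = {
        "success": 0,
        "failed": 0,
        "failed_by_direction": Counter(),
        "deprecated_protocol": [],
    }
    for e in events:
        if e["ok"]:
            summary["success"] += 1
            if e["protocol"] in DEPRECATED_PROTOCOLS:
                summary["deprecated_protocol"].append((e["direction"], e["cid"], e["protocol"]))
        else:
            summary["failed"] += 1
            summary["failed_by_direction"][e["direction"]] += 1
    return summary


if __name__ == "__main__":
    s = summarize(parse_tls_events(SAMPLE_LOG))
    print(f"TLS success: {s['success']}, failed: {s['failed']} "
          f"(inbound {s['failed_by_direction']['inbound']}, "
          f"outbound {s['failed_by_direction']['outbound']})")
    for direction, cid, proto in s["deprecated_protocol"]:
        print(f"WARNING: {direction} connection {cid} negotiated deprecated {proto}")
```

Run it against a copy of mail_logs retrieved from the appliance by replacing SAMPLE_LOG with the file contents; the failure counts are the same signal the GUI alert described above delivers, and the deprecated-protocol list shows which inbound or outbound peers still negotiate versions you may want to disable.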