Secure Delivery uses Transport Layer Security (TLS) technology, which protects confidentiality and data integrity by encrypting connections between servers. This ensures that mail is transmitted through a Secure Sockets Layer (SSL) encrypted tunnel, thereby reducing the risk of eavesdropping, interception, and alteration of messages as they are sent across the internet.
The Secure Delivery policy is applied when messages are delivered either:
- Inbound from Mimecast to your organization.
- Outbound from Mimecast to external recipients.
To use the TLS technology enabled by Mimecast Secure Delivery, you must have an SSL certificate from a Mimecast trusted public root certificate authority. This should be installed and configured on both the sending and receiving mail servers. Mimecast supports connections using TLS 1.2, 1.1 and 1.0 for AES-256, MD5, and AnonDHE.
Configuring a Secure Delivery Definition
To configure a Secure Delivery definition:
- Open the Gateway Policy Editor.
- Select the Definitions drop down. A list of the definition types is displayed.
- Select the Secure Delivery definition type from the list. The list of definitions is displayed.
Either select the:
- Policy to be changed.
- Select the Add Secure Delivery Definition button to add a new definition.If you had Secure Delivery policies configured before the 3.0.31 release of the Administration Console (mid July 2015) you will see definitions for each of your existing policies. These were migrated for you automatically by Mimecast.
- Complete the Secure Delivery definition as follows:
Field Description Description This is used to identify the definition when you come to apply it in a policy. Select Option Select one of the following delivery modes:
- Default: Uses Opportunistic TLS as described below.
- Opportunistic TLS: TLS is attempted first when sending an email. If it is not accepted by the remote mail server, it is delivered using standard SMTP.
- Enforced TLS: Email is only delivered if the remote mail server accepts TLS. If TLS is not configured, the connection drops and the email delivery is queued and retried.Ensure the recipient mail server(s) are configured to accept TLS messages if using this option. If they aren't, all emails delivered using this policy will fail. Mimecast recommends testing this communication before enforcing it across your entire organization.
- Enforced TLS - Fall back to Secure Messaging: TLS is attempted when sending an email. If it is not accepted by the remote mail server, it is delivered using Secure Message (if enabled on your account) or Secure Messaging - Lite.
- No TLS: Normal SMTP delivery (not encrypted).
Select one of the following encryption modes:
Mimecast strongly recommends using Strict - Trust Enforced mode for Secure Delivery policies. Relaxed mode should be considered only as a temporary solution. For example, when there is no opportunity to use a certificate with a publicly accessible trust chain.
- Strict - Trust Enforced: Used for public root certificates.
- Relaxed: Permits encryption with self-signed certificates and other valid certificates, which may not have a complete trust chain.
Allows you to select differently ordered SSL ciphers. This caters for remote systems that do not negotiate the most secure cipher, but use the first common cipher found. Select one of the following modes:
- Default: Negotiates 128 bit ciphers, followed by 256 bit ciphers and then followed by others (set by default).
- Weak: Same as Medium, with support for more lower bit ciphers.
- Medium: Same as Default, but includes additional lower bit ciphers.
- Strong: A mix of all supported 128 bit ciphers and higher, ordered from strongest to weakest.Mimecast recommends using this option. If this causes TLS handshake issues, review the SSL Mode options and select the next most suitable secure mode.
- Very Strong: A mix of supported (generally considered very strong) 128 bit ciphers and higher only, ordered from strongest to weakest.
- PFS Only: Supported Perfect Forward Secrecy (PFS) ciphers only, ordered from strongest to weakest.
- Click on the Save and Exit button.
Configuring a Secure Delivery Policy
To configure a Secure Delivery policy:
- Log on to the Administration Console.
- Click on the Administration menu item. A menu drop down is displayed.
- Click on the Gateway | Policies menu item.
- Click on Secure Delivery. A list of policies is displayed.
- Either select the:
- Policy to be changed.
- New Policy button to create a policy.
- Complete the Options section as required:
Option Description Policy Narrative Provide a description for the policy to allow you to easily identify it in the future. Secure Delivery
Click on the Lookup button to view the list of Secure Delivery definitions. Click on the Select button to the left of the required definition to add it.
- Complete the Emails From and Emails To sections as required:
Field / Option Description Addresses Based On Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are: Option Description The Return Address (Mail Envelope From) This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission). The Message From Address (Message Header From) Applies the policy based on the masked address used in the message's header. Both Applies the policy based on either the Mail Envelope From or the Message Header From whichever matches. When both match, the specified value the Message Header From will be used. Applies From / To Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are: Option Description Everyone Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section. Internal Address Includes only internal organization addresses. External Address Includes only external organization addresses. This option is only available in the "Emails From" section. Email Domain Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field. Address Groups Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path. Address Attributes Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts. Individual Email Address Enables you to specify an SMTP address. The email address is entered in the Specifically field.
- Complete the Validity section as required:
Field / Option Description Enable / Disable Use this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached. Set Policy as Perpetual If the policy's date range has no end date, this field displays "Always On" meaning that the policy never expires. Date Range Use this field to specify a start and / or end date for the policy. If the Eternal option are selected, no date is required. Policy Override This overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override. Bi-Directional If selected the policy is applied when the policy's recipient is the sender, and the sender is the recipient. Source IP Ranges (n.n.n.n/x) Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data, falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
- Click on the Save and Exit button.