Configuring Secure Receipt Policies

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 11Show Document
  • View in full screen mode

Secure Receipt policies allow inbound and outbound messages to be received and sent securely using Transport Layer Security (TLS) technology. TLS is designed to reduce the risk of eavesdropping, interception, and alteration of mail sent across the internet.


Usage Considerations


Consider the following before configuring a policy:

  • When configuring route based TLS, the following policies are required to ensure the entire transmission is encrypted:
    • Secure Receipt policy: This encrypts data between the sending mail server and us (i.e. how we receive a message).
    • Secure Delivery policy: This encrypts data between Mimecast and the destination mail server (i.e. how we deliver a message).
  • TLS technology protects confidentiality and data integrity by encrypting connections between servers, so that messages are transmitted through a secure tunnel. It uses SMTP over an SSL encrypted tunnel, and requires an installed third party certificate at each end of the tunnel. See the "Self Signed Certificates" section below for further information.
  • We support connections using TLS 1.2, 1,1 and 1.0 for AES-256, MD5, and AnonDHE.

Self Signed Certificates

To configure and use TLS, each mail server involved in the sending and receipt of a message must have an SSL certificate from a public root certificate authority installed and configured. By default, TLS connections take place over port 25.


For Secure Receipt policies, we act as the server. The client application connects to us and checks the server certificate to see if it is acceptable. Typically it would be, and the connection is established. If a self signed certificate is used by the client, it wouldn't succeed in the connection attempt.


A configuration option can be enabled by Mimecast Support that allows the connection to be established. In this scenario we act as the client, and the customer application acts as the server. We will then verify the certificate.


Configuring a Secure Receipt Policy

To configure a Secure Receipt policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.
  4. Click on Secure Receipt. A list of policies is displayed.
  5. Either select the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Policy NarrativeProvide a description for the policy to allow you to easily identify it in the future.
    Select Option

    Select one of the following values from the drop down list:

    Receipt OptionDescription
    DefaultUses Opportunistic TLS as described below.
    Opportunistic TLSTLS is always attempted first when sending a message, but if not accepted by the remote mail server, the message is received using standard SMTP.
  7. Complete the Emails From and Emails To sections as required:
    Field / OptionDescription
    Addresses Based OnSpecify the email address characteristics the policy is based on. This option is only available in the "Emails From" section:
    The Return Address This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).
    Applies From / ToSpecify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
    EveryoneIncludes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
    Internal AddressIncludes only internal organization addresses.
    External AddressIncludes only external organization addresses. This option is only available in the "Emails From" section.
    Email DomainEnables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
    Address GroupsEnables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
    Address AttributesEnables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
    Individual Email AddressEnables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / OptionDescription
    Enable / DisableUse this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached.
    Set Policy as PerpetualIf the policy's date range has no end date, this field displays "Always On" meaning that the policy never expires.
    Date RangeUse this field to specify a start and / or end date for the policy. If the Eternal option are selected, no date is required.
    Policy OverrideThis overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    Bi-DirectionalIf selected the policy is applied when the policy's recipient is the sender, and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x)Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data, falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.

To verify if TLS is being applied as expected once your policy is configured, send a test email and check the receipt / delivery view of the message.

See Also...


2 people found this helpful