Mimecast Secure Delivery uses Transport Layer Security (TLS) technology. This protects confidentiality and data integrity by encrypting connections between servers, thereby ensuring emails are transmitted through an SSL encrypted tunnel. This reduces the risk of eavesdropping, interception, and alteration of emails as they are sent across the internet.
This feature requires a valid, third-party certificate to be installed at each end of the tunnel.
The Secure Delivery policy is applied when emails are delivered from Mimecast to the receiving mail server. This can be either:
- Inbound from Mimecast to your organization.
- Outbound from Mimecast to external recipients.
You can choose to enforce TLS when delivering emails.
In order to configure and use the Transport Layer Security technology enabled by Mimecast Secure Delivery, you must have an SSL certificate from a Mimecast trusted public root certificate authority installed and configured on the sending and receiving mail servers. Mimecast supports connections using TLS 1.0, 1.1 and 1.2 for AES-256, RC4, MD5 and AnonDHE.
To create or change a definition you must:
- Be logged on to the Mimecast Administration Console.
- Have access to the relevant Gateway menu item for the definition being created or changed.
Creating a Secure Delivery Definition
To create a secure delivery definition:
- Open the Gateway Policy Editor.
- Select the Definitions drop down. A list of the definition types is displayed.
- Select the Secure Delivery definition type from the list. The list of definitions is displayed.
Either select the:
- Policy to be changed.
- Select the Add Secure Delivery Definition button to add a new definition.If you had Secure Delivery Policies configured before the 3.0.31 release of the Administration Console (mid July 2015) you will see definitions for each of your existing policies. These were migrated for you automatically by Mimecast.
- Complete the Secure Delivery Definition as follows:
Field Description Description This will be used to identify the definition when you come to apply it in a policy. Secure Delivery Mode Select one of the following delivery modes:
- Default: Uses Opportunistic TLS as described below.
- Opportunistic TLS: TLS is attempted first when sending an email. If it is not accepted by the remote mail server, it is delivered using standard SMTP.
- Enforced TLS: Email is only delivered if the remote mail server accepts TLS. If TLS is not configured, the connection drops and the email delivery is queued and retried.Ensure the recipient mail server(s) are configured to accept TLS messages if using this option. If they aren't, all emails delivered using this policy will fail. Mimecast recommends testing this communication before enforcing it across your entire organization.
- Enforced TLS - Fall back to Closed Circuit Messaging: TLS is attempted when sending an email. If it is not accepted by the remote mail server, it is delivered using Closed Circuit Messaging (CCM).
- No TLS: Normal SMTP delivery (not encrypted).
Select one of the following encryption modes:
Mimecast strongly recommends using Strict - Trust Enforced mode for Secure Delivery policies. Relaxed mode should be considered only as a temporary solution. For example, when there is no opportunity to use a certificate with a publicly accessible trust chain.
- Strict - Trust Enforced: Used for public root certificates.
- Relaxed: Permits encryption with self-signed certificates and other valid certificates, which may not have a complete trust chain.
Allows you to select differently ordered SSL ciphers. This caters for remote systems that do not negotiate the most secure cipher, but use the first common cipher found. Select one of the following modes:
- Default: Negotiates 128 bit ciphers, followed by 256 bit ciphers and then followed by others (set by default).
- Weak: Same as Medium, with support for more lower bit ciphers.
- Medium: Same as Default, but includes additional lower bit ciphers.
- Strong: A mix of all supported 128 bit ciphers and higher, ordered from strongest to weakest.Mimecast recommends using this option. If this causes TLS handshake issues, review the SSL Mode options and select the next most suitable secure mode.
- Very Strong: A mix of supported (generally considered very strong) 128 bit ciphers and higher only, ordered from strongest to weakest.
- PFS Only: Supported Perfect Forward Secrecy (PFS) ciphers only, ordered from strongest to weakest.
- Select the Save and Exit button.