By default, we deliver messages using opportunistic Transport Layer Security (TLS). This guide describes how users of the Connect Application can optionally enforce TLS communication between your internal mail server and us, as well as between us and specified external domains as shown in the image below:
This ensures full end-to-end TLS communication between your internal server infrastructure and the external domains. Your internal server infrastructure covers all internal domains, including legitimate "spoofed" inbound messages from authorized third parties.
Adding Transport Layer Security Policies
To add a Transport Layer Security policy:
- Click on the Optional | Set Up Your TLS Policies menu item.
- Click on the Start button. A page is displayed listing any current internal server routes.
- Click the Validate button to perform a check to ensure your inbound routes can support enforced TLS. A popup dialog is displayed.
- Enter an Email Address.
- Click on the Test button. If any route doesn't support TLS, you can't proceed to the next step in the task.
If all the routes are capable of enforced TLS, the server can present either a certificate issued by a trusted third-party CA or a self-signed certificate. If a third-party certificate is used, strict encryption mode is enforced. If a self-signed certificate is used, relaxed mode is enforced.
- A green tick confirms the route is validated in either "Strict - Trusted Enforced" or "Relaxed Encryption Mode".
- A red exclamation confirms the route is invalid, reported as "TLS Not Supported".
- Click on the button. All external domains are listed.
- Click on the Add External Domains button. A popup box is displayed.
- Enter all your External Domains, with each on a separate line. Up to 50 domains can be added at any one time. If you have more than 50, repeat the process in batches of 50 or fewer.
- Click on the Continue button. The external domains are listed. If there are any errors, correct them by clicking the Remove button.
- Click the Add button to confirm.
- Optionally click on the Validate button to the right of each domain to verify its TLS support. A pop-up dialog is displayed.
- Enter a known email address for the external domain in the Email field, and click Validate. This is for validation only, and no email will be sent.
- Click on the Remove link to remove a domain that is invalid or already exists.
- When you're ready, click on the Finish button to complete configuration. The summary page displays the number of added domains under External Domain TLS Policies.
- Optionally click on the Edit button to go back to the previous page, and click on Validate or Remove to correct the domains.
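The Validate steps above (for internal routes and for each external domain) report one of three outcomes: "Strict - Trusted Enforced", "Relaxed Encryption Mode" or "TLS Not Supported". The following is an added example, not Mimecast's code, showing how a defender can reproduce that classification with a STARTTLS probe: a strict handshake (chain and hostname verified against the system CA store) maps to strict mode, a handshake that only succeeds once verification is switched off maps to relaxed mode, and no STARTTLS capability or a failed handshake maps to unsupported. The hostnames, the `SimulatedRoute` stand-in server and the `demo` function are constructed for offline demonstration and are assumptions, not part of the product; against a real route, call `probe_route(host)` with the default `smtplib.SMTP` connector.

```python
"""Classify an SMTP route's enforced-TLS capability (added example, not Mimecast's code)."""
import smtplib
import ssl
from dataclasses import dataclass
from functools import partial

STRICT = "Strict - Trusted Enforced"   # certificate chains to a trusted CA and the hostname matches
RELAXED = "Relaxed Encryption Mode"    # TLS negotiated, but the certificate cannot be verified
UNSUPPORTED = "TLS Not Supported"      # STARTTLS not advertised, or the handshake fails outright


@dataclass
class RouteResult:
    host: str
    port: int
    mode: str
    detail: str


def strict_context() -> ssl.SSLContext:
    # Default context: verifies the chain against the system CA store and checks the hostname.
    return ssl.create_default_context()


def relaxed_context() -> ssl.SSLContext:
    # Encrypt-only: accept any certificate. Used only after strict verification has already
    # failed, to distinguish a self-signed route (relaxed) from one with no usable TLS at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _starttls(host, port, ctx, connect):
    """Open a session, check the STARTTLS capability, attempt the handshake. Returns False
    if STARTTLS is not advertised; raises if the handshake fails."""
    with connect(host, port, timeout=10) as smtp:
        smtp.ehlo("tls-probe.example")          # hypothetical probe hostname
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)              # ssl.SSLCertVerificationError if verification fails
        return True


def probe_route(host: str, port: int = 25, connect=smtplib.SMTP) -> RouteResult:
    """Classify one route. `connect` defaults to smtplib.SMTP and is injectable for offline use."""
    try:
        if not _starttls(host, port, strict_context(), connect):
            return RouteResult(host, port, UNSUPPORTED, "STARTTLS not advertised")
        return RouteResult(host, port, STRICT, "certificate chain and hostname verified")
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or wrong-name certificate. A failed handshake leaves the first
        # session unusable, so reconnect and retry encrypt-only.
        try:
            if _starttls(host, port, relaxed_context(), connect):
                return RouteResult(host, port, RELAXED, f"certificate not trusted: {exc}")
        except (smtplib.SMTPException, OSError) as exc2:   # ssl.SSLError is an OSError
            return RouteResult(host, port, UNSUPPORTED, f"handshake failed: {exc2}")
        return RouteResult(host, port, UNSUPPORTED, "STARTTLS not advertised")
    except (smtplib.SMTPException, OSError) as exc:
        return RouteResult(host, port, UNSUPPORTED, f"connection or handshake failed: {exc}")


class SimulatedRoute:
    """Constructed stand-in for an SMTP server so the classifier runs offline.
    `cert` is 'trusted', 'self-signed', or None for a server without STARTTLS."""

    def __init__(self, cert, host, port, timeout=None):
        self.cert = cert

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self, name=None):
        return 250, b"ok"

    def has_extn(self, name):
        return self.cert is not None

    def starttls(self, context=None):
        if context.verify_mode == ssl.CERT_REQUIRED and self.cert != "trusted":
            raise ssl.SSLCertVerificationError("self-signed certificate in certificate chain")
        return 220, b"ready"


def demo():
    """Probe three constructed routes; returns {hostname: RouteResult}."""
    routes = {"mx1.internal.example": "trusted",        # constructed hostnames
              "mx2.internal.example": "self-signed",
              "legacy.internal.example": None}
    return {h: probe_route(h, 25, connect=partial(SimulatedRoute, c)) for h, c in routes.items()}


if __name__ == "__main__":
    for host, result in demo().items():
        print(f"{host}: {result.mode} ({result.detail})")
```

Only routes reported as strict give the end-to-end guarantee the guide describes; a relaxed result means traffic is encrypted but the peer is not authenticated, so a self-signed route should be treated as a candidate for a CA-issued certificate rather than as a finished configuration.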