Connect Application: Setting Up TLS Policies

Document created by user.Yo2IBgvWqr Employee on Sep 20, 2017. Last modified by user.oxriBaJeN4 on Dec 18, 2018.
Version 27

By default, we deliver messages using opportunistic Transport Layer Security (TLS). This guide describes how, as a Connect Application user, you can optionally enforce TLS communication between your internal mail server and us, as well as between us and specified external domains.

This ensures full end-to-end TLS communication between your internal server infrastructure and the external domains. Your internal server infrastructure covers all internal domains, including legitimate "spoofed" inbound messages from authorized third parties.

We recommend adding external domains to ensure full end-to-end TLS communication. Ensure that any external domains you enter support Strict TLS. We support connections using TLS 1.2, 1.1, and 1.0 for AES-256, MD5, and AnonDHE.

Adding Transport Layer Security Policies

If you can't start this step, ensure the Connect Application: Preparing for Inbound Email task is completed. This task depends on it.

To add a Transport Layer Security policy:

  1. Click on the Optional | Set Up Your TLS Policies menu item.
  2. Click on the Start button. A page is displayed listing any current internal server routes.
  3. Click the Validate button to perform a check to ensure your inbound routes can support enforced TLS. A popup dialog is displayed.
  4. Enter an Email Address.
  5. Click on the Test button. If any route doesn't support TLS, you can't proceed to the next step in the task.
    • A green tick confirms the route is validated in "Strict - Trusted Enforced" or "Relaxed Encryption Mode".
    • A red exclamation confirms the route is invalid with "TLS Not Supported".
    If all the routes are capable of enforced TLS, the server can have either a 3rd party supported or a self-signed certificate. If a 3rd party certificate is used, strict encryption mode is enforced. If a self-signed certificate is used, relaxed mode is enforced.
  6. Click on the Next button. All external domains are listed. 
  7. Click on the Add External Domains button. A popup box is displayed. 
  8. Enter all your External Domains, with each on a separate line.
    Up to 50 addresses can be added at any one time. If you have more than 50, repeat the process in batches of 50 or fewer.
  9. Click on the Continue button. The external domains are listed. If there are any errors, correct them by clicking the Remove button.
  10. Click the Add button to confirm. 
  11. Optionally click on the Validate button to the right of each domain to verify the TLS support. A popup dialog is displayed.
  12. Enter a known email address for the external domain in the Email field, and click Validate. This is for validation only, and no email will be sent. 
    • If TLS is validated, a green tick confirms the route "Supports TLS".
    • If TLS validation failed, an error message is displayed on the popup dialog. Click on the More or Less links to expand or collapse the error message. Click on the Cancel button to exit the dialog.
  13. Click on the Remove link to remove a domain that is invalid or already exists.
  14. When you're ready, click on the Finish button to complete configuration. The summary page displays the number of added domains under External Domain TLS Policies.
  15. Optionally click on the Edit button to go back to the previous page, and click on Validate or Remove to correct the domains.
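
A pre-check for the external domains entered in step 8, given here as an added example that is not part of the original page or the vendor's tooling. It assumes you pass the domain's mail host (MX) name yourself, that SMTP port 25 is reachable, and that a certificate verifying against the local trust store corresponds to strict mode and any other certificate to relaxed mode; the function names are this example's own.

```python
import smtplib
import ssl

# Labels copied from this page's validation dialog; mapping them to the
# checks below is this example's assumption, not the vendor's documented logic.
STRICT = "Strict - Trusted Enforced"
RELAXED = "Relaxed Encryption Mode"
NOT_SUPPORTED = "TLS Not Supported"
BATCH_SIZE = 50  # the Add External Domains dialog accepts up to 50 entries


def starttls_ok(host, port, context, timeout):
    """Return True if the server advertises STARTTLS and the handshake succeeds."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=context)  # raises on handshake or verification failure
        return True
    finally:
        smtp.close()


def probe_route(host, port=25, timeout=10, attempt=starttls_ok):
    """Classify one mail host; `attempt` is injectable so the logic can be tested offline."""
    trusted = ssl.create_default_context()    # verifies certificate chain and hostname
    untrusted = ssl.create_default_context()
    untrusted.check_hostname = False
    untrusted.verify_mode = ssl.CERT_NONE      # accepts self-signed certificates
    try:
        return STRICT if attempt(host, port, trusted, timeout) else NOT_SUPPORTED
    except ssl.SSLCertVerificationError:
        pass  # TLS is offered, but the certificate is not publicly trusted
    except (OSError, smtplib.SMTPException):
        return NOT_SUPPORTED
    try:
        return RELAXED if attempt(host, port, untrusted, timeout) else NOT_SUPPORTED
    except (OSError, smtplib.SMTPException):
        return NOT_SUPPORTED


def batches(domains, size=BATCH_SIZE):
    """Normalise, de-duplicate and split domains into dialog-sized batches."""
    seen = list(dict.fromkeys(d.strip().lower().rstrip(".") for d in domains if d.strip()))
    return [seen[i:i + size] for i in range(0, len(seen), size)]
```

A host that does not come back as STRICT is worth following up with the partner before its domain is added, since delivery to an enforced domain depends on that TLS negotiation succeeding.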


Removing External Domains from Transport Layer Security Policies


To remove an external domain from a transport layer security policy:

  1. Click on the Optional | Set Up Your TLS Policies menu item.
  2. Click on the Start button. Any existing external domains in the transport layer security policy display.
  3. Click on the Remove link to the right of the external domain.
  4. Click on the Finish button.
If you need to completely remove a Transport Layer Security policy, you can do so from the Administration Console via the Administration | Gateway | Policies menu item. The TLS policies are available under Secure Delivery and Secure Receipt. Right-click on the policy, and click Remove Policy.
