About Transport Layer Security (TLS)
Transport Layer Security (TLS) is a protocol that provides encryption and security for data sent between a client and a server.
Explicit and Implicit TLS
TLS can be explicit or implicit. The difference is in when the server uses TLS encryption.
Explicit TLS
With explicit TLS, the client sends a command (such as STARTTLS) over an existing insecure connection to request that the connection be upgraded to a secure one. When the server receives the command and can support TLS in this way, it sends a confirmation to let the client know it can begin the TLS negotiation.
Fireware supports explicit TLS for SMTP in the SMTP-Proxy, and for IMAP in the IMAP-Proxy.
Implicit TLS
With implicit TLS, both the client and the server immediately use TLS based on the port used to connect. Fireware supports implicit TLS for these protocols and default ports:
- HTTPS on port 443
- IMAPS on port 993 (Supported in Fireware v12.1 or higher)
- SMTPS on port 465 (Supported in Fireware v12.2 or higher)
- POP3S on port 995 (Supported in Fireware v12.2 or higher)
The HTTPS and POP3 proxies support only implicit TLS. The IMAP and SMTP proxies support both implicit and explicit TLS.
TLS Profiles and Proxy Policies
The IMAP, SMTP, and POP3 proxies support both encrypted and unencrypted connections. For these policies, the TLS Support option in the policy properties controls which ports the proxy policy listens on.
TLS Support | IMAP Proxy Ports | SMTP Proxy Ports | POP3 Proxy Ports |
---|---|---|---|
Disabled | Port 143 only | Port 25 only | Port 110 only |
Enabled | Port 143 and 993 | Port 25 and 465 | Port 110 and 995 |
Required | Port 993 only | Port 465 only | Port 995 only |
To configure TLS settings for content inspection in an IMAP, SMTP, or POP3 proxy action, the TLS Support setting must be set to Enabled or Required in the proxy policy. In policy templates for the IMAP, SMTP, and POP3 proxy policies, the TLS Support setting is set to Enabled by default.
If you create an IMAP, SMTP, or POP3 proxy policy with a version of Fireware that does not support TLS Profiles, and then upgrade the Firebox to a Fireware version that supports TLS Profiles, the TLS Support option in the existing proxy policy is set to Disabled after the upgrade. Before you can enable content inspection, you must change the TLS Support option in the proxy policy to Enabled or Required.
For information about how to select the TLS profile and configure content inspection in proxy actions, go to:
- HTTPS-Proxy: Content Inspection
- SMTP-Proxy: STARTTLS Encryption
- SMTP-Proxy: TLS
- IMAP-Proxy: STARTTLS
- IMAP-Proxy: TLS
- POP3-Proxy: TLS
For information about TLS profile configuration settings, go to Configure TLS Profiles.