POP3-Proxy: TLS

Transport Layer Security (TLS) provides additional data security for POP3. The TLS protocol provides communications security over the Internet and allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but provides improved data security.

For more information about TLS, go to About Transport Layer Security (TLS)

TLS for the POP3-proxy is supported in Fireware v12.2 and higher.

To enable TLS support in the POP3-proxy policy, you must enable content inspection in the proxy action.

About Certificates for TLS Encryption

When content inspection is enabled, the proxy action uses a certificate when it re-encrypts the traffic after inspection.

  • For inbound traffic, the proxy action uses the default Proxy Server certificate.
  • For outbound traffic, the proxy action uses the Proxy Authority certificate.

For more information about these certificates, go to About Certificates.

Change the TLS Support Option in the POP3-Proxy Policy

To enable content inspection in the POP3 proxy action, TLS Support must also be Enabled or Required in the POP3-proxy policy.

You can set TLS Support to one of these options:

  • Disabled — POP3-proxy listens on port 110 only
  • Enabled — POP3-proxy listens on ports 110 and 995 (default)
  • Required — POP3-proxy listens on port 995 only
  1. Edit the POP3-proxy policy.

Screen shot of the POP3-proxy Settings tab

  1. In the Settings tab, from the TLS Support drop-down list, select Enabled or Required.
    The POP3 and POP3S ports in the policy are updated based on the option you choose.
  1. Edit the POP3-Proxy policy.

Screen shot of the POP3-proxy Properties tab

  1. On the Policy tab, from the TLS Support drop-down list, select Enabled or Required.
    The POP3 and POP3S ports in the policy Properties tab are updated based on the option you choose.

Enable Content Inspection in the POP3 Proxy Action

To enable content inspection in the POP3 proxy, you must select the Inspect action in the TLS settings for the proxy action used by your POP3-proxy policy. When you select the Inspect action, the proxy uses the settings in the TLS profile for content inspection. You can edit the TLS profile settings in the proxy action, or from the TLS Profiles page.

  1. Edit the POP3 proxy action used by your POP3-proxy policy.
  2. Click the TLS tab.
    The Content Inspection settings appear.

Screenshot of the TLS settings for an POP3 proxy action in Fireware Web UI

  1. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  • Minimum Protocol Version — Shows the minimum protocol version allowed
  • OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict (for TLS-Client profiles only)
  • PFS Ciphers — Shows whether Perfect Forward Secrecy Ciphers is set to Allowed, Required, or None
  • TLS Compliance — Shows whether the TLS profile enforces compliance with the TLS protocol standards
  1. To enable content inspection, from the Action drop-down list, select Inspect.
  2. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  3. Configure the TLS Profile settings as required for your network. For more information, go to Configure TLS Profiles.
  1. Edit the POP3 proxy action used by your POP3-Proxy policy.
  2. In the Categories list, select TLS.
    The Content Inspection settings appear.

Screen shot of the TLS settings in an POP3 proxy action in Policy Manager

  1. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  • Minimum Protocol Version — Shows the minimum protocol version allowed
  • OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict (for TLS-Client profiles only)
  • PFS Ciphers — Shows whether Perfect Forward Secrecy Ciphers is set to Allowed, Required, or None
  • TLS Compliance — Shows whether the TLS profile enforces compliance with the TLS protocol standards
  1. To enable content inspection, from the Action drop-down list, select Inspect.
  2. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  3. Configure the TLS Profile settings as required for your network. For more information, go to Configure TLS Profiles.

See Policy TLS Settings

For a proxy policy to perform content inspection, the TLS Support option in the proxy policy must be set to Enabled or Required. If you edit the TLS settings in a proxy action from the Proxy Actions list, the proxy action could apply to more than one policy. After you enable content inspection, make sure that TLS Support is set to Enabled or Required in all policies that use the proxy action.

To see the TLS Support setting for all policies that use the proxy action:

  1. Edit the proxy action from the Proxy Actions list.
  2. In the proxy action TLS settings, click View.
    A list of policies that use the proxy action appears, with the TLS Support setting for each policy.

 

Related Topics

About the POP3-Proxy

About Proxy Actions