SMTP-Proxy: TLS

Transport Layer Security (TLS) provides additional data security for SMTP. The TLS protocol provides communications security over the Internet and allows client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The TLS protocol is based on the SSLv3 protocol but provides improved data security.

For more information about TLS, go to About Transport Layer Security (TLS).

The SMTP Proxy supports both implicit and explicit TLS. In the SMTP proxy action, the TLS settings are for implicit TLS and the STARTTLS Encryption settings are for explicit TLS.

For information about how to configure explicit TLS in the SMTP proxy, go to SMTP-Proxy: STARTTLS Encryption.

Implicit TLS in the SMTP-Proxy is supported in Fireware v12.2 and higher.

To enable TLS support in the SMTP-proxy policy, you must enable content inspection in the proxy action.

About Certificates for TLS Encryption

When content inspection is enabled, the proxy action uses a certificate when it re-encrypts the traffic after inspection.

  • For inbound traffic, the proxy action uses the default Proxy Server certificate.
  • For outbound traffic, the proxy action uses the Proxy Authority certificate.

For more information about these certificates, go to About Certificates.

Change the TLS Support Option in the SMTP-Proxy Policy

To use implicit TLS for content inspection in the SMTP proxy action, TLS Support must also be Enabled or Required in the SMTP-proxy policy so that the SMTP proxy listens on port 465.

In the SMTP proxy policy, you can set TLS Support to one of these options:

  • Disabled — SMTP proxy listens on port 25 only
  • Enabled — SMTP proxy listens on ports 25 and 465 (default)
  • Required — SMTP proxy listens on port 465 only
  1. Edit the SMTP proxy policy.

Screen shot of the SMTP-proxy Settings tab

  1. In the Settings tab, from the TLS Support drop-down list, select Enabled or Required.
    The SMTP and SMTPS ports in the policy are updated based on the option you choose.
  1. Edit the SMTP proxy policy.

Screen shot of the SMTP-proxy Properties tab

  1. On the Policy tab, from the TLS Support drop-down list, select Enabled or Required.Tip!
    The IMAP and IMAPS ports in the policy Properties tab are updated based on the option you choose.

Enable Content Inspection in the SMTP Proxy Action

To enable content inspection in the SMTP proxy, you must select the Inspect action in the TLS settings for the proxy action used by your SMTP-proxy policy. When you select the Inspect action, the proxy uses the settings in the TLS profile for content inspection. You can edit the TLS profile settings in the proxy action, or from the TLS Profiles page.

  1. Edit the SMTP-Proxy action used by your SMTP proxy policy.
  2. Click the TLS tab.
    The Content Inspection settings appear.

Screenshot of the TLS settings for an SMTP proxy action in Fireware Web UI

  1. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  • Minimum Protocol Version — Shows the minimum protocol version allowed
  • OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict (for TLS-Client profiles only)
  • PFS Ciphers — Shows whether Perfect Forward Secrecy Ciphers is set to Allowed, Required, or None
  • TLS Compliance — Shows whether the TLS profile enforces compliance with the TLS protocol standards
  1. To enable content inspection, from the Action drop-down list, select Inspect.
  2. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  3. Configure the TLS Profile settings as required for your network. For more information, go to Configure TLS Profiles.
  1. Edit the SMTPproxy action used by your SMTP-proxy policy.
  2. In the Categories list, select TLS.
    The Content Inspection settings appear.

Screen shot of the TLS settings in an SMTP proxy action in Policy Manager

  1. From the TLS Profile drop-down list, select the TLS profile to use.
    The settings for the selected profile appear in the Content Inspection Summary.
  • Minimum Protocol Version — Shows the minimum protocol version allowed
  • OCSP — Shows whether OCSP is set to Disabled, Lenient, or Strict (for TLS-Client profiles only)
  • PFS Ciphers — Shows whether Perfect Forward Secrecy Ciphers is set to Allowed, Required, or None
  • TLS Compliance — Shows whether the TLS profile enforces compliance with the TLS protocol standards
  1. To enable content inspection, from the Action drop-down list, select Inspect.
  2. To edit the TLS profile in Fireware Web UI, click Edit. To edit the TLS profile in Policy Manager, click . Predefined TLS profiles are not editable. To change the predefined TLS settings, click Clone to make an editable copy of the TLS profile.
  3. Configure the TLS Profile settings as required for your network. For more information, go to Configure TLS Profiles.

See Policy TLS Settings

For a proxy policy to perform content inspection, the TLS Support option in the proxy policy must be set to Enabled or Required. If you edit the TLS settings in a proxy action from the Proxy Actions list, the proxy action could apply to more than one policy. After you enable content inspection, make sure that TLS Support is set to Enabled or Required in all policies that use the proxy action.

To see the TLS Support setting for all policies that use the proxy action:

  1. Edit the proxy action from the Proxy Actions list.
  2. In the proxy action TLS settings, click View.
    A list of policies that use the proxy action appears, with the TLS Support setting for each policy.

 

Related Topics

Configure TLS Profiles

About the SMTP-Proxy

About Proxy Actions