Encryption: TLS

Use the TLS tab on the Configuration > Policy > Encryption page to activate and configure the Email Appliance's email encryption. You can also manage specific encryption policies for domains that the Email Appliance communicates with. The Email Appliance uses Transport Layer Security (TLS), allowing it to send and receive encrypted email with other servers that support TLS.
Note
Email encryption is set to Off by default.

Advanced email encryption policies

When email encryption is turned off (the default), the Email Appliance will not attempt to send encrypted email. When email encryption is turned on, the Email Appliance will attempt to encrypt email. However, if the receiving server does not support TLS encryption, the Email Appliance will instead send unencrypted email.

You can select the Support Legacy SSL Connections checkbox to enable CBC and RC4 ciphers, and also to enable the SSLv3 protocol instead of TLSv3 to support legacy servers like Microsoft Exchange 2003. As these protocols are not secure, selecting this option is not recommended unless necessary.

It is possible to configure the Email Appliance email encryption level on a per-domain basis in the Advanced outbound encryption policy section.

Three levels of encryption are available:

  • Prevent Encryption: The Email Appliance will not encrypt outbound email, even if the receiving server is TLS-capable.
  • Require Encryption: The Email Appliance will not send email unless the receiving server is TLS-capable. The Email Appliance will not require the receiving server to have a valid certificate.
  • Require Encryption and Validate Certificate: The Email Appliance will not send email unless the receiving server is TLS-capable, and has a valid certificate.
Note
It is never possible to require other organizations' servers to encrypt email; it is only possible to require the Email Appliance to encrypt outbound email.
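
The policy levels above decide whether a message leaves encrypted, in plaintext, or not at all. The following Python sketch is an added example, not part of the Email Appliance or its documentation: it models those outcomes and probes a receiving server to see which per-domain level it can satisfy. The `Opportunistic` label, the function names, and the use of Python's default trust store and host name check as the meaning of "valid certificate" are assumptions.

```python
import smtplib
import ssl

# Level names as listed on this page; OPPORTUNISTIC is an assumed label for
# "encryption turned on" with no per-domain policy.
OPPORTUNISTIC = "Opportunistic"
PREVENT = "Prevent Encryption"
REQUIRE = "Require Encryption"
REQUIRE_VALIDATE = "Require Encryption and Validate Certificate"


def outcome(policy, starttls, cert_valid):
    """Return 'encrypted', 'plaintext' or 'not sent' for one outbound delivery."""
    if policy == PREVENT:
        return "plaintext"
    if policy == OPPORTUNISTIC:
        return "encrypted" if starttls else "plaintext"
    if policy == REQUIRE:
        return "encrypted" if starttls else "not sent"
    if policy == REQUIRE_VALIDATE:
        return "encrypted" if starttls and cert_valid else "not sent"
    raise ValueError(f"unknown policy: {policy}")


def strictest_safe_policy(starttls, cert_valid):
    """Strictest per-domain level that would still deliver mail, or None."""
    for policy in (REQUIRE_VALIDATE, REQUIRE):
        if outcome(policy, starttls, cert_valid) == "encrypted":
            return policy
    return None  # server is not TLS-capable; requiring encryption would block mail


def probe(mx_host, port=25, timeout=10):
    """Connect to a receiving server and return (starttls, cert_valid)."""
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, False
            # Default context verifies the chain and the host name (assumption).
            smtp.starttls(context=ssl.create_default_context())
            return True, True
    except ssl.SSLCertVerificationError:
        return True, False  # STARTTLS offered, certificate did not validate


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        level = strictest_safe_policy(*probe(host))
        print(host, "->", level or "no TLS offered; do not require encryption")
```

Run it with the MX host names of a partner domain as arguments before raising that domain's policy level, so that a stricter setting does not silently stop delivery.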