Enforced TLS connections

You can force specific external domains to use Transport Layer Security (TLS) connections for email.

Restriction This option is only available with an Email Advanced license.

To manage domain names with TLS connections, go to Settings > Enforced TLS Connections.

You can:

  • Add domain names (wildcards are supported).
  • Search the list of domains that already have TLS connection enforced.
  • Change the settings for a domain.
  • Delete domain names from the list.

If you have issues with TLS connections, check that TLS is enabled, with the correct version and correct ciphers (see below). If you still have problems, contact Sophos Email Support.

Adding a new domain name

When you add a new domain name to the list, servers connect to and from that domain with TLS. The email gateway connects with servers using TLS 1.2 or later, and with ciphers consistent with our email encryption product. The connection is valid if a STARTTLS ping returns successfully.

Note Make sure TLS 1.2 is enabled on your email gateway before enforcing it on any domains. Otherwise the connection with Sophos breaks and you cannot send or receive email. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'.

TLS failures

If Sophos Email can't make a TLS connection, email isn't sent. Email is queued for redelivery for 7 days. After this it is deleted.

Logging of TLS connection errors

Each time Sophos Email can't send email due to TLS failures it makes an entry in the history log.

After the final failure, an entry saying that the email was deleted because of TLS policy is added to the log. The entries have this format: "Processing: Check TLS".