Skip to content

Using TLS connections

You can use Transport Layer Security (TLS) connections for email.

If you have issues with TLS connections, check that TLS is enabled, with the correct version and correct ciphers. If you still have problems, contact Sophos Email Support.

For help with email encryption see Secure message methods.


Make sure TLS 1.3 is enabled on your email gateway before enforcing it on any domains. Otherwise the connection with Sophos breaks and you cannot send or receive email. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'.

TLS failures

If Sophos Email can't make a TLS connection, email isn't sent. Email is queued for redelivery for 7 days. After this it is deleted.

Logging of TLS connection errors

Each time Sophos Email can't send email due to TLS failures it makes an entry in the history log.

After the final failure, an entry saying that the email was deleted because of TLS policy is added to the log. The entries have this format: "Processing: Check TLS".

Sophos TLS certificate details

These are the details of the certificate we use with TLS connections.

Parameter Value
Common Name *
SANs DNS:*, DNS:*,
Location C=GB, ST=Oxfordshire, L=Abingdon,
Serial Number 42:05:5f:21:c1:9b:e9:f0:e8:8a:bb:0c
Signature Algorithm sha256WithRSAEncryption
Issuer C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018