Encryption: TLS

Use the TLS tab on the Configuration > Policy > Encryption page to activate and configure the Email Appliance’s email encryption. You can also manage specific encryption policies for domains that the Email Appliance communicates with. The Email Appliance uses Transport Layer Security (TLS), allowing it to send and receive encrypted email with other servers that support TLS.

Note: Email encryption is set to Off by default.

Advanced email encryption policies

When email encryption is turned off (the default), the Email Appliance will not attempt to send encrypted email. When email encryption is turned on, the Email Appliance will attempt to encrypt email. However, if the receiving server does not support TLS encryption, the Email Appliance will instead send unencrypted email.

Select Support Legacy SSL Connections to enable SSLv3 and TLSv1.0 protocols to support legacy servers like Microsoft Exchange 2003. Select Enable RC4/CBC to enable RC4/CBC ciphers.

Note: Because these protocols and ciphers are not secure, enabling them is not recommended unless necessary.

It is possible to configure the Email Appliance email encryption level on a per-domain basis in the Advanced outbound encryption policy section.

Three levels of encryption are available:

  • Prevent Encryption: The Email Appliance will not encrypt outbound email, even if the receiving server is TLS-capable.
  • Require Encryption: The Email Appliance will not send email unless the receiving server is TLS-capable. The Email Appliance will not require the receiving server to have a valid certificate.
  • Require Encryption and Validate Certificate: The Email Appliance will not send email unless the receiving server is TLS-capable, and has a valid certificate.

Note: It is never possible to require other organizations’ servers to encrypt email; it is only possible to require the Email Appliance to encrypt outbound email.
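
Before assigning a per-domain level, it helps to know what the receiving server actually offers. The following is an added example, not part of the Email Appliance or its documentation: a Python pre-flight check that probes a receiving server and reports what each level described above would do with mail for it. The function names, the "Opportunistic" label for the global encryption-on behaviour, and the definition of a "valid" certificate are assumptions.

```python
import smtplib
import ssl
import sys

# Level names are the three from this page; "Opportunistic" is a label assumed
# here for the global "encryption on" behaviour with no per-domain policy.
LEVELS = ("Opportunistic", "Prevent Encryption", "Require Encryption",
          "Require Encryption and Validate Certificate")

def delivery_outcome(level, starttls, cert_valid):
    """Return 'encrypted', 'plaintext' or 'not sent' for one outbound message."""
    if level == "Prevent Encryption":
        return "plaintext"
    if level == "Opportunistic":
        # Assumption: no certificate check at this level; falls back to plaintext.
        return "encrypted" if starttls else "plaintext"
    if level == "Require Encryption":
        return "encrypted" if starttls else "not sent"
    if level == "Require Encryption and Validate Certificate":
        return "encrypted" if starttls and cert_valid else "not sent"
    raise ValueError(f"unknown level: {level!r}")

def probe(host, port=25, timeout=10):
    """Return (starttls_offered, cert_valid) for a receiving SMTP server."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return (False, False)
        try:
            # Assumption: "valid" means the certificate chains to the system
            # trust store and matches the host name; the page does not define it.
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLCertVerificationError:
            return (True, False)
        return (True, True)
    finally:
        smtp.close()

def preflight(host):
    """Map each level to what would happen to mail for this server."""
    starttls, cert_valid = probe(host)
    return {lvl: delivery_outcome(lvl, starttls, cert_valid) for lvl in LEVELS}

if __name__ == "__main__" and len(sys.argv) > 1:
    for level, outcome in preflight(sys.argv[1]).items():
        print(f"{outcome:9}  {level}")
```

Run it with the receiving server's MX host name as the only argument; a "not sent" result for a level means mail to that domain would not be sent under that policy.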