These steps walk you through configuring TLS encryption for email communication with specific partner domains, or configuring TLS for all outbound and inbound email.
TLS for Incoming Mail
Receiving mail is controlled by the HAT Overview / Mail Flow Policies; that is, these policies govern what happens when hosts attempting to send mail to your organization connect to your IronPort appliance.
Set up TLS encryption for all inbound email
To enable TLS for all incoming mail flow policies that take their settings from the Default Policy, go to Mail Policies > Mail Flow Policies and select “Default Policy Parameters”. Review the TLS setting of each individual policy to confirm that it actually inherits its setting from the Default Policy.
TLS for outbound Mail
IronPort Destination Controls affect how your IronPort appliance delivers mail to hosts on the Internet (Mail Policies > Destination Controls). Create entries for the domains that need secure TLS communication. If you are a financial or medical institution and it is vital that all transactions between you and the Internet be made securely, you may need to enable it on the Default domain, which enables TLS for all outbound email.
Prerequisite: the first step is to assign your certificate to Destination Controls.
Set up outbound TLS for specific partner domains
In this procedure we will require TLS on communication with selected partner domains.
1) Click the “Add Destination” button:
2) Enter the partner's domain name in the Destination field.
3) Select your TLS requirement in the ‘TLS Support’ drop-down. In the example IronPort TLS configuration, I selected “Required – Verify” under ‘TLS Support’ because all communications with this partner are required to be secured with TLS. If TLS cannot be established, the mail will not be delivered. In addition, if the partner's SSL certificate cannot be verified, the mail will not be sent.
4) To test, send some emails to the TLS partner domain that you set up in step 3 (partnercompany.com), and then review the Monitor menu page to verify that IronPort TLS is working.
Attempt TLS for all outbound communications
In this example, we set it so that all outbound email connections will at least attempt TLS; if TLS cannot be negotiated, the mail is sent as clear text.
1) Enable TLS on the Default Domain destination control: Mail Policies > Destination Controls > Default Destination Controls
I chose Preferred since this is the global default and I don't want it to be overly strict. It will attempt TLS but will not attempt to verify the other party's certificate validity.
The Performance Impact of TLS Encryption
A single TLS connection requires roughly the same server resources as ten clear-text conversations. To mitigate the performance impact, there is a limit on the number of simultaneous TLS connections; currently the limit is 100 inbound and 100 outbound TLS connections.
If the connection limit is reached for outbound connections, AsyncOS will negotiate a clear text conversation with partners whose MTA (message transfer agent) allows it. Where the partner has TLS required, the IronPort appliance will simply wait and try the connection again later.
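As an added example (this is not IronPort/AsyncOS code and is not from the original page), the following Python models the outbound delivery outcomes described above: how the ‘TLS Support’ setting on a Destination Controls entry combines with whether the partner MTA advertises STARTTLS in its EHLO reply, whether its certificate verifies, and whether the outbound TLS connection limit has been reached. The EHLO banners are constructed, partnercompany.com is reused from the page, and the handling of the plain “Required” and “None” settings, the pool class and all function names are assumptions of this example rather than documented appliance behaviour.

```python
"""Model of the outbound TLS delivery decisions described on this page.

Added example, not IronPort/AsyncOS code. It combines the 'TLS Support'
setting, the partner's EHLO reply, certificate verification and the
outbound TLS connection limit into one delivery outcome. Function and
class names, the EHLO banners and the 'Required'/'None' handling are
assumptions of this example.
"""
from dataclasses import dataclass

# Outbound limit stated on the page: 100 simultaneous TLS connections.
OUTBOUND_TLS_LIMIT = 100

# 'TLS Support' settings used in the model ('None' = do not negotiate TLS;
# 'Required' is assumed to behave like 'Required - Verify' minus the
# certificate check).
NONE, PREFERRED, REQUIRED, REQUIRED_VERIFY = (
    "None", "Preferred", "Required", "Required - Verify")

# Delivery outcomes.
SENT_TLS = "sent over TLS"
SENT_CLEARTEXT = "sent in clear text"
NOT_DELIVERED = "not delivered"
DEFERRED = "deferred (retry later)"

# Constructed EHLO replies (RFC 5321 multi-line form: '250-' then '250 ').
EHLO_WITH_STARTTLS = (
    "250-mail.partnercompany.com\r\n250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n")


def ehlo_advertises_starttls(ehlo_response: str) -> bool:
    """Return True if an SMTP EHLO reply advertises the STARTTLS extension."""
    for raw in ehlo_response.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        # Drop the '250-' / '250 ' prefix; the keyword is the first token.
        keyword = line[4:].split(" ", 1)[0] if len(line) > 4 else ""
        if keyword.upper() == "STARTTLS":
            return True
    return False


@dataclass
class PartnerMTA:
    """Constructed view of a partner's MTA as seen during an SMTP session."""
    domain: str
    ehlo_response: str
    cert_verifies: bool  # would the partner's certificate pass verification?


@dataclass
class OutboundTlsPool:
    """Counts simultaneous outbound TLS sessions against the appliance limit."""
    limit: int = OUTBOUND_TLS_LIMIT
    active: int = 0

    def acquire(self) -> bool:
        if self.active >= self.limit:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active -= 1


def delivery_decision(tls_support: str, partner: PartnerMTA,
                      pool: OutboundTlsPool) -> str:
    """Decide how one message to `partner` is delivered under `tls_support`."""
    if tls_support == NONE:
        return SENT_CLEARTEXT

    if not ehlo_advertises_starttls(partner.ehlo_response):
        # Partner cannot do TLS at all: Preferred falls back to clear text,
        # any Required setting does not deliver (page: "will not be delivered").
        return SENT_CLEARTEXT if tls_support == PREFERRED else NOT_DELIVERED

    # Connection limit reached: Preferred falls back to clear text where the
    # partner allows it; Required waits and tries again later (page, last para).
    if not pool.acquire():
        return SENT_CLEARTEXT if tls_support == PREFERRED else DEFERRED

    try:
        # Only 'Required - Verify' checks the certificate; Preferred does not.
        if tls_support == REQUIRED_VERIFY and not partner.cert_verifies:
            return NOT_DELIVERED
        return SENT_TLS
    finally:
        # Simplification: the slot is released as soon as the decision is made.
        pool.release()


if __name__ == "__main__":
    verified = PartnerMTA("partnercompany.com", EHLO_WITH_STARTTLS, True)
    unverified = PartnerMTA("partnercompany.com", EHLO_WITH_STARTTLS, False)
    no_tls = PartnerMTA("mx.example.net", EHLO_WITHOUT_STARTTLS, False)
    for setting in (PREFERRED, REQUIRED, REQUIRED_VERIFY):
        for p in (verified, unverified, no_tls):
            print(f"{setting:18} {p.domain:20} cert_ok={p.cert_verifies!s:5} "
                  f"-> {delivery_decision(setting, p, OutboundTlsPool())}")
```

Running the block prints one line per setting and partner combination; the interesting rows are the unverified certificate (delivered under Preferred, refused under Required - Verify) and the partner without STARTTLS (clear text under Preferred, refused under either Required setting). Passing an `OutboundTlsPool(limit=1, active=1)` shows the connection-limit behaviour from the last paragraph.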