Outbound policy enforced tls mail flow, Set up policy enforced tls – Google Message Encryption Administration Guide User Manual
Postini Encryption Services Administration Guide
Outbound Policy Enforced TLS Mail Flow
If you have Policy Enforced TLS enabled for outbound mail, you can specify a list
of sending domains. Mail to these domains will always be encrypted. For
outbound mail traffic, the email protection service acts as a proxy between
your mail server and the receiving server.
This diagram shows the flow of TLS messages between servers:
• Stage 1: The first connection is from your mail server to the email protection
service. You can choose whether this connection uses TLS.
• Stage 2: The second connection is from the email protection service to the
receiving mail server. If the exact recipient domain is in your list of domains for
Outbound TLS by Recipient Domain, the outbound security service will
connect via TLS to the receiving mail server.
If the recipient domain is set up for Policy Enforced TLS and TLS is not
available, the following deferral message for outbound messages is sent:
451 Recipient does not support STARTTLS - psmtp
The deferral is handled by your server. Most sending servers will continue to
attempt to send the message for up to five days.
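Because the deferral is left to your own server's queue, a report of which recipient domains are producing it is useful. The following is an added example, not part of the original guide: it scans sending-server log lines for the 451 text above and flags domains whose oldest deferred message is nearing the retry window. The log layout, host names, and the `tls_deferrals` helper are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Deferral text quoted in the guide for Policy Enforced TLS failures.
DEFERRAL = "451 Recipient does not support STARTTLS - psmtp"
# Assumed log layout: ISO timestamp, host, queue id, to=<addr>, status=deferred (reply).
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<qid>[0-9A-F]+): to=<[^@>]+@(?P<domain>[^>]+)>"
                     r".*status=deferred \((?P<reply>.*)\)$")
RETRY_WINDOW = timedelta(days=5)  # "up to five days" in the guide; use your MTA's queue lifetime

# Constructed sample lines (not real logs).
_R = "relay=outbound.example.net, status=deferred (host said: " + DEFERRAL + ")"
SAMPLE_LOG = [
    "2024-03-01T09:00:00 mx1 4A1B2C: to=<alice@partner.example>, " + _R,
    "2024-03-03T09:00:00 mx1 4A1B2C: to=<alice@partner.example>, " + _R,  # retry, same message
    "2024-03-05T08:00:00 mx1 9F8E7D: to=<bob@Vendor.example>, " + _R,
    "2024-03-05T08:05:00 mx1 77AA00: to=<carol@other.example>, status=deferred (connect timed out)",
    "2024-03-05T08:06:00 mx1 77AA01: to=<dave@other.example>, status=sent (250 ok)",
]

def tls_deferrals(lines, now, warn_fraction=0.8):
    """Group Policy Enforced TLS deferrals by recipient domain.

    Returns {domain: {"messages", "first_seen", "at_risk"}}; at_risk is True once
    the oldest deferred message has used warn_fraction of the retry window.
    """
    first_seen = {}  # (domain, queue id) -> earliest deferral time
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or DEFERRAL not in m["reply"]:
            continue  # not a deferral, or deferred for an unrelated reason
        key = (m["domain"].lower(), m["qid"])
        ts = datetime.fromisoformat(m["ts"])
        first_seen[key] = min(ts, first_seen.get(key, ts))
    report = {}
    for (domain, _qid), ts in first_seen.items():
        entry = report.setdefault(domain, {"messages": 0, "first_seen": ts})
        entry["messages"] += 1  # retries share a queue id, so each message counts once
        entry["first_seen"] = min(entry["first_seen"], ts)
    for entry in report.values():
        entry["at_risk"] = now - entry["first_seen"] >= RETRY_WINDOW * warn_fraction
    return report

if __name__ == "__main__":
    for dom, info in sorted(tls_deferrals(SAMPLE_LOG, datetime(2024, 3, 5, 10)).items()):
        print(dom, info["messages"], info["first_seen"].isoformat(), info["at_risk"])
```

Domains flagged here are candidates for contacting the recipient's administrator about enabling TLS before queued mail expires.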
Outbound mail sent to a domain that exactly matches one on the outbound sender
list will always be sent via TLS in the second step. The Policy Enforced TLS
settings override the standard TLS setting for that email config organization for
these domains.
If you have set up Certificate Validation, Policy Enforced TLS will drop the second
connection and send an error if the recipient’s certificate does not meet your
validation requirements. See “Certificate Validation” on page 18 for more
information.
Set Up Policy Enforced TLS
Set up Inbound TLS by Sender Domain
1. In the Administration Console, click the Inbound Servers tab. Select your
email config organization, and click the TLS link.
2. If TLS is set to “Send only SMTP”, change it to allow TLS. The recommended
setting is “SMTP or TLS.” See the Email Security Service Administration Guide
for more information on TLS settings.