Change the default certificate validation setting – Google Message Encryption Administration Guide User Manual

Policy Enforced TLS
Change the Default Certificate Validation Setting
You can change the default setting as well. When you add a new domain to Policy Enforced TLS, it will use this Certificate Validation setting.

To change the default Certificate Validation setting

1. Go to Outbound TLS settings in the Administration Console.

2. Under TLS Certificate Validation, select the default setting you wish to use.
TLS Certification    Description

Check Trust
Behavior: In addition to the certificate tests in Verify Cert, also verifies that the certificate chains to a known, valid Certificate Authority. Does not allow a self-signed certificate or a certificate from an unknown trust root. Requires a complete certificate chain (the server certificate plus every intermediate up to a known CA). Also blocks any certificate issued to an IP address instead of a hostname. Ends the mail session if the trust check fails.
Recommendations: This is a very stringent setting and can cause problems with outbound mail flow to the recipient if the recipient's certificate is not properly prepared. Contact your recipient before you use this setting, and send at least a few trial messages to test that mail flow is not interrupted. This setting provides secure delivery and protection against spoofing with self-signed or untrusted certificates, but it may interrupt delivery if the certificate is not signed properly. Note that it does not compare the name in the certificate with the recipient's mail server, so a certificate issued by a known CA for some other hostname still passes; only the Check Domain setting closes that gap.

Check Domain
Behavior: In addition to the certificate tests in Verify Cert and Check Trust, also confirms that the domain in the certificate matches the hostname of the recipient's mail server. If the certificate name contains a wildcard, the recipient's server hostname must match that wildcard. Also blocks any certificate issued to an IP address instead of a hostname. Ends the session if the domain check fails.
Recommendations: This is the most stringent setting and will cause outbound mail to fail if the domain in the certificate does not match the domain of the recipient's mail server. Contact your recipient before you use this setting, and send at least a few trial messages to test that mail flow is not interrupted. Be aware that mislabeled domains in TLS certificates are not uncommon; if your recipient uses a different domain name in its certificates than in its MX hostnames, mail flow will be interrupted. This setting provides the most secure delivery and protection against spoofing, but has a high risk of mail flow interruption.
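The following is an added example, not code from the Google Message Encryption product, that models the three validation levels described above (Verify Cert, Check Trust, Check Domain) so the differences between them can be exercised offline. The Cert record, the trust-anchor set, the CA and server names, and the hostname-matching rules (wildcard allowed only as the whole leftmost label, no wildcard directly under a top-level label) are assumptions made for the illustration; the product's actual parsing and matching code is not shown on this page.

```python
# Added example: model of the Verify Cert / Check Trust / Check Domain levels.
# Not Google's code. Cert records, CA names and sample chains are constructed.
from dataclasses import dataclass
import ipaddress


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str            # subject CN the certificate was issued to
    issuer: str             # subject CN of the signing certificate
    sans: tuple = ()        # subjectAltName dNSName entries
    expired: bool = False   # stands in for the basic validity checks of Verify Cert


class ValidationError(Exception):
    """Carries the reason the mail session would be ended."""


def is_ip_literal(name: str) -> bool:
    """True if the name is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def verify_cert(leaf: Cert) -> None:
    """Verify Cert: the certificate itself must be valid (modelled as not expired)."""
    if leaf.expired:
        raise ValidationError("certificate has expired")


def check_trust(chain: list, trust_anchors: set) -> None:
    """Check Trust: Verify Cert, then a complete chain from the leaf to a known CA.

    chain is ordered leaf first; trust_anchors holds the subject names of the
    root CAs the sending side knows (an assumed, simplified trust store).
    """
    leaf = chain[0]
    verify_cert(leaf)
    if leaf.subject == leaf.issuer:
        raise ValidationError("self-signed certificate is not allowed")
    if any(is_ip_literal(n) for n in (leaf.subject, *leaf.sans)):
        raise ValidationError("certificate is bound to an IP address, not a hostname")
    by_subject = {c.subject: c for c in chain[1:]}
    current = leaf
    for _ in range(len(chain)):          # bounded walk: a looping chain ends here
        if current.issuer in trust_anchors:
            return
        parent = by_subject.get(current.issuer)
        if parent is None:
            raise ValidationError(f"incomplete chain: issuer {current.issuer!r} not presented")
        if parent.subject == parent.issuer:
            raise ValidationError(f"chain ends in unknown trust {parent.subject!r}")
        current = parent
    raise ValidationError("chain does not reach a known CA")


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the server hostname.

    A wildcard is accepted only as the whole leftmost label, so
    '*.recipient.example' covers 'mail.recipient.example' but neither
    'recipient.example' nor 'a.b.recipient.example'; IP literals never match.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if is_ip_literal(host) or is_ip_literal(pattern):
        return False
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_domain(chain: list, trust_anchors: set, server_host: str) -> None:
    """Check Domain: Check Trust, then some certificate name must match the server host."""
    check_trust(chain, trust_anchors)
    names = (chain[0].subject, *chain[0].sans)
    if not any(hostname_matches(n, server_host) for n in names):
        raise ValidationError(f"names {list(names)} do not match server host {server_host!r}")


def validate(level: str, chain: list, trust_anchors: set, server_host: str):
    """Apply the selected setting; returns (delivered, reason) like the session outcome."""
    try:
        if level == "Verify Cert":
            verify_cert(chain[0])
        elif level == "Check Trust":
            check_trust(chain, trust_anchors)
        elif level == "Check Domain":
            check_domain(chain, trust_anchors, server_host)
        else:
            raise ValueError(f"unknown level {level!r}")
    except ValidationError as err:
        return False, str(err)
    return True, "ok"


# Constructed sample data: one known root, an intermediate, an unknown CA, leaves.
TRUST_ANCHORS = {"Example Root CA"}
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
UNKNOWN_CA = Cert("Rogue CA", "Rogue CA")
WILDCARD_LEAF = Cert("*.recipient.example", "Example Intermediate CA")
OTHER_NAME_LEAF = Cert("mx.other.example", "Example Intermediate CA")
SELF_SIGNED_LEAF = Cert("mail.recipient.example", "mail.recipient.example")
UNKNOWN_LEAF = Cert("mail.recipient.example", "Rogue CA")
IP_LEAF = Cert("192.0.2.25", "Example Intermediate CA")

if __name__ == "__main__":
    host = "mail.recipient.example"
    for level, chain in [("Check Domain", [WILDCARD_LEAF, INTERMEDIATE]),
                         ("Check Domain", [WILDCARD_LEAF]),
                         ("Check Trust", [OTHER_NAME_LEAF, INTERMEDIATE]),
                         ("Check Domain", [OTHER_NAME_LEAF, INTERMEDIATE]),
                         ("Check Trust", [SELF_SIGNED_LEAF]),
                         ("Check Trust", [UNKNOWN_LEAF, UNKNOWN_CA]),
                         ("Check Trust", [IP_LEAF, INTERMEDIATE])]:
        ok, reason = validate(level, chain, TRUST_ANCHORS, host)
        print(f"{level:13} {chain[0].subject:24} -> {'deliver' if ok else 'end session'}: {reason}")
```

Run as a script, the sample cases show the points made in the table: the wildcard certificate delivers under Check Domain only when the intermediate is presented and the server hostname sits one label under the wildcard; the certificate for mx.other.example passes Check Trust yet fails Check Domain; and self-signed, unknown-CA and IP-address certificates all end the session at Check Trust.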