Authentication restrictions, Other forms of email encryption, Setting up inbound tls – Google Message Security for Google Apps Administration Guide User Manual

Transport Layer Security
For TLS connections between the message security service and Google Apps
Mail, you may use either self-signed or authority-signed certificates. The type
of certificate doesn’t affect delivery—the message security service uses your
certificate to negotiate the encryption between the two servers, and does not
perform any disposition based on the information in the certificate.

A TLS-encrypted message, or a message sent by a server that presents an
authority-signed certificate, implies only that the sender is who it says it is.
Messages sent via TLS are not necessarily less likely to contain viruses or be
junk mail.

Authentication Restrictions

The majority of current TLS implementations provide encrypted transactions, but
do not enforce validation of authentication. Some third-party mail servers can be
configured to process messages based on certificate type (authority-signed vs.
self-signed), status (for example, expired or revoked), or other certificate
information.
If the sending domain restricts TLS traffic based on the receiving server’s
certificate (for example, deferring mail traffic if the domain in the certificate does
not match the recipient’s domain), inform the sender that your mail traffic presents
a security certificate from the message security service. The sender can then
configure their TLS authentication rules to allow messages through.
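
The sender-side rule described above, as an added example that is not part of the original guide: it evaluates a certificate in the dictionary format returned by Python's `ssl.getpeercert()` and defers on a name mismatch unless the presenting service has been allowed. The certificates, host names, and the `trusted_relays` parameter are constructed for illustration, and the name-matching rule is a simplified assumption, not any particular mail server's policy.

```python
import ssl
from datetime import datetime, timezone

def _covers(cert_name, domain):
    """True if cert_name is the domain itself or a host/wildcard under it."""
    host = cert_name.lower()
    if host.startswith("*."):
        host = host[2:]
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def evaluate(cert, recipient_domain, trusted_relays=(), now=None):
    """Return ("deliver" | "defer", findings) for a strict sending-side policy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert.get("issuer") == cert.get("subject"):          # certificate type
        findings.append("self-signed")
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expiry < now:                                        # certificate status
        findings.append("expired")
    accepted = (recipient_domain, *trusted_relays)          # sender's allow rules
    if not any(_covers(n, d) for n in cert_names(cert) for d in accepted):
        findings.append("name-mismatch")
    return ("defer" if findings else "deliver"), findings

# Constructed sample certificates (not real): a filtering service's certificate
# and a self-signed, expired certificate on the recipient's own host.
SERVICE_CERT = {
    "subject": ((("commonName", "mx.filter.example.net"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "notAfter": "Jan 15 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "mx.filter.example.net"),),
}
SELF_SIGNED_EXPIRED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "notAfter": "Jan 15 00:00:00 2020 GMT",
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatability
```

Mail for `example.com` is deferred when the receiving server presents the service's certificate, and delivered once the sender adds the service's domain to `trusted_relays`.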

Other Forms of Email Encryption

In addition to TLS, earlier forms of SSL-based email security are also supported.
When TLS is enabled, the message security service attempts to connect with TLS
first, but if this is not available, earlier versions of SSL email security are used,
including SSL2 and SSL3.

Setting Up Inbound TLS

Follow these steps to set up inbound TLS on each mail server you want to
configure.
By default, TLS inbound support is turned off.

1. In the Administration Console, click Inbound Servers > TLS.