Mail between message security service customers – Google Message Security for Google Apps Administration Guide User Manual
Page 310
This diagram shows the flow of TLS messages between servers:
• Stage 1: The first connection is from Google Apps to the email protection service. You can choose whether this connection uses TLS.
• Stage 2: The second connection is from the email protection service to the receiving mail server. If the exact recipient domain is in your list of domains for Outbound TLS by Recipient Domain, the outbound security service will connect via TLS to the receiving mail server.
If Policy Enforced TLS is enabled for a domain and the recipient cannot accept TLS messages, the following deferral message for outbound messages is sent to Google Apps Mail:
451 Recipient does not support STARTTLS - psmtp
The deferral is handled by the Google Apps Mail servers, which will continue to attempt to send the message.
The message security service always uses TLS to send mail to a domain listed in Policy Enforced TLS. The Policy Enforced TLS settings override the standard TLS settings for the specified domains.
If you have set up Certificate Validation, Policy Enforced TLS will drop the second
connection and send an error if the recipient’s certificate does not meet your
validation requirements. See “Certificate Validation” on page 312 for more
information.
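The Stage 2 decision above, as an added example that is not part of the guide: a small Python model of the outbound rules (exact-domain match, Policy Enforced TLS overriding the standard setting, the 451 deferral, and the Certificate Validation drop), plus a probe that checks whether a real receiving server offers STARTTLS and presents a certificate that passes default validation. The class and function names, and the plain-SMTP fallback for a standard-setting domain whose server lacks STARTTLS, are my assumptions, not behaviour the guide states.

```python
"""Added example: models the guide's Stage 2 outbound TLS decision; names are mine."""
import smtplib
import ssl
from dataclasses import dataclass, field

DEFERRAL = "451 Recipient does not support STARTTLS - psmtp"  # deferral quoted in the guide


@dataclass
class OutboundTlsPolicy:
    tls_by_recipient_domain: set = field(default_factory=set)  # "Outbound TLS by Recipient Domain"
    policy_enforced_domains: set = field(default_factory=set)  # "Policy Enforced TLS" domains
    certificate_validation: bool = False                       # "Certificate Validation" set up?


@dataclass
class RecipientServer:
    """What the receiving mail server offered on the second connection."""
    offers_starttls: bool
    certificate_valid: bool = True


def stage2_outcome(policy: OutboundTlsPolicy, recipient_domain: str,
                   server: RecipientServer) -> str:
    domain = recipient_domain.lower().strip()  # exact match only: no subdomain inheritance
    if domain in policy.policy_enforced_domains:  # overrides the standard TLS settings
        if not server.offers_starttls:
            return DEFERRAL  # Google Apps Mail keeps retrying the message
        if policy.certificate_validation and not server.certificate_valid:
            return "connection dropped: certificate failed validation"
        return "delivered over TLS (policy enforced)"
    if domain in policy.tls_by_recipient_domain:
        # Assumption: with the standard setting a server without STARTTLS still gets
        # the mail over plain SMTP; the guide does not describe this fallback.
        return "delivered over TLS" if server.offers_starttls else "delivered without TLS"
    return "delivered without TLS"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> RecipientServer:
    """Network check (not run offline): does the server advertise STARTTLS, and does
    its certificate pass default CA-chain and hostname validation for `host`?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return RecipientServer(offers_starttls=False)
        try:
            smtp.starttls(context=ssl.create_default_context())
            return RecipientServer(offers_starttls=True, certificate_valid=True)
        except ssl.SSLError:  # includes SSLCertVerificationError
            return RecipientServer(offers_starttls=True, certificate_valid=False)
```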
Mail Between Message Security Service Customers
If you send mail to a recipient who also uses the message security service, Policy
Enforced TLS will check that the connection uses TLS on all hops of the journey,
including “distant hops” between the message security service and the recipient.
This behavior is based on your outbound Policy Enforced TLS rules.
Similarly, if you receive mail from a sender who also uses the message security service, Policy Enforced TLS will check that the connection uses TLS on all hops of the journey, including "distant hops" between the sender and the message security service. This behavior is based on your outbound Policy Enforced TLS rules.
This added protection applies only to domains using the message security
service. It does not apply to distant hops of other mail relay servers.