Google Message Security for Google Apps Administration Guide User Manual
Certificate Validation settings are described below. Each entry gives the TLS Certification setting name followed by its Description (Behavior and Recommendations).

Encrypt Only
Behavior: Policy Enforced TLS obtains the keys from the Server Certificate, extracts the keys, completes the TLS handshake, and begins the encrypted session. No further verification takes place. Errors that prevent key extraction will result in a bounced connection, but any other certificate-related errors are ignored.
Recommendations: This setting provides the most reliable delivery of encrypted mail, and is recommended in most cases. Use it if you wish to allow a TLS connection even with malformed or out-of-date certificates. This setting allows encrypted communication even if the recipient's certificate is invalid, as long as the certificate is functional.

Verify Cert
Behavior: Confirms that the certificate has proper form and syntax. Ensures that certificates are valid, but provides no protection against spoofing. Policy Enforced TLS ends the session if any certificate errors occur, but allows an out-of-date certificate, self-signed certificate, or certificate from an unknown trust.
Recommendations: This setting can be used to detect any problems with the TLS certificate. If you wish to block malformed certificates and detect any certificate problems, use this setting. This setting provides increased verification, but may stop some outbound mail.

Check Trust
Behavior: In addition to the certificate tests in Verify Cert, also verifies that the certificate is from a known valid Certificate Authority. Does not allow a self-signed certificate or a certificate from an unknown trust. Requires a complete certificate chain. Will also block any certificate issued to an IP address instead of a hostname. Ends the mail session if the trust check fails.
Recommendations: This is a very stringent setting and can cause problems with outbound mail flow to the recipient if the recipient's certificate is not properly prepared. Contact your recipient before you use this setting, and send at least a few trial messages to test that mail flow is not interrupted. This setting provides secure delivery and protection against spoofing, but may interrupt delivery if the certificate is not signed properly.
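The three settings above differ only in how much of the recipient's certificate is checked before mail is released. The following added example (not part of the Message Security guide, and not Google's code) approximates the three levels with Python's standard-library ssl and smtplib modules so that an administrator can run the "trial messages" pre-flight the guide recommends against a recipient's MX host before switching a policy to Verify Cert or Check Trust. The hostname in probe() is a placeholder; the OpenSSL error-message fragments used to tell a trust failure from a malformed certificate are heuristics, and the scenarios in demo_outcomes() are constructed.

```python
"""Pre-flight probe for the three Policy Enforced TLS certificate levels.

Added example, not from the Message Security guide. The stdlib cannot express
"check syntax but tolerate expired/self-signed" directly, so the probe does one
strict (Check Trust) handshake and infers which levels would still deliver.
"""
import smtplib
import ssl

ENCRYPT_ONLY, VERIFY_CERT, CHECK_TRUST = "encrypt_only", "verify_cert", "check_trust"
LEVELS = (ENCRYPT_ONLY, VERIFY_CERT, CHECK_TRUST)

# Fragments of OpenSSL/Python verification messages for conditions the guide
# says Verify Cert tolerates but Check Trust rejects (heuristic matches).
TRUST_ONLY_ERRORS = (
    "certificate has expired",
    "self signed certificate",
    "self-signed certificate",
    "unable to get local issuer certificate",
    "unable to get issuer certificate",
    "hostname mismatch",
    "ip address mismatch",
)


def context_for(level):
    """Build the SSLContext that approximates one certificate-validation level.

    Encrypt Only / Verify Cert: complete the handshake with no verification
        (the Verify Cert decision is made afterwards from the strict outcome).
    Check Trust: full chain validation against the system CA store plus a
        hostname check, which is what rejects certificates issued to an IP.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if level in (ENCRYPT_ONLY, VERIFY_CERT):
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif level == CHECK_TRUST:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError(f"unknown level {level!r}")
    return ctx


def levels_that_deliver(strict_error):
    """Map the result of a Check Trust handshake to the settings that would
    still start the encrypted session, per the guide's descriptions.

    strict_error is None on success, otherwise the ssl exception raised.
    """
    if strict_error is None:
        return set(LEVELS)                       # every level delivers
    msg = str(strict_error).lower()
    if isinstance(strict_error, ssl.SSLCertVerificationError):
        if any(fragment in msg for fragment in TRUST_ONLY_ERRORS):
            # Keys were usable and the cert parsed; only trust/chain/hostname
            # failed, which Encrypt Only ignores and Verify Cert allows.
            return {ENCRYPT_ONLY, VERIFY_CERT}
        # Any other certificate error ends a Verify Cert session; Encrypt Only
        # continues because key extraction succeeded.
        return {ENCRYPT_ONLY}
    # Handshake never completed (no usable key material): all levels bounce.
    return set()


def probe(host="mx.recipient.example", port=25, timeout=10):
    """Network pre-flight (not exercised offline): STARTTLS to a recipient MX
    with the strict context and report which settings would deliver."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=context_for(CHECK_TRUST))
            return levels_that_deliver(None)
    except ssl.SSLError as exc:
        return levels_that_deliver(exc)


def demo_outcomes():
    """Constructed handshake outcomes (not real probe results) showing how each
    maps onto the three settings."""
    return {
        "valid_chain": levels_that_deliver(None),
        "self_signed": levels_that_deliver(
            ssl.SSLCertVerificationError("certificate verify failed: self signed certificate")),
        "issued_to_ip": levels_that_deliver(
            ssl.SSLCertVerificationError("IP address mismatch, certificate is not valid")),
        "other_cert_error": levels_that_deliver(
            ssl.SSLCertVerificationError("certificate verify failed: unsupported certificate purpose")),
        "handshake_failed": levels_that_deliver(ssl.SSLError("wrong version number")),
    }


if __name__ == "__main__":
    for scenario, levels in demo_outcomes().items():
        print(f"{scenario:18} -> {sorted(levels)}")
```

Run probe() against the recipient's MX host before changing the policy: if the returned set lacks "check_trust", the recipient's certificate is not "properly prepared" in the guide's sense and enabling Check Trust would interrupt delivery to that domain.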