Change the default certificate validation setting, Scope of certificate validation – Google Message Security for Google Apps Administration Guide User Manual

Transport Layer Security

Change the Default Certificate Validation Setting

You can also change the default setting. Any domain you subsequently add to Policy
Enforced TLS will use this Certificate Validation setting.

To change the default Certificate Validation setting:

1. Go to Outbound TLS settings in the Administration Console.

2. Under TLS Certificate Validation, select the default setting you wish to use.

3. Click Save as Default.

Scope of Certificate Validation

Certificate Validation examines SSL certificates to verify a recipient’s identity. The
standard that defines TLS, RFC 2487, states clearly that the possibility of multiple
hops during email delivery makes TLS certificates unsuitable for authenticating a
sender's identity (inbound messages).

To comply with the standard, Certificate Validation authenticates the recipient’s
identity for only outbound Policy Enforced TLS. Certificate Validation is not used
for inbound mail because the RFC standards do not support this use.

TLS Certification    Description

Check Domain         Behavior: In addition to the certificate tests in Verify Cert
                     and Check Trust, Check Domain also confirms that the domain in
                     the certificate matches the domain of the server host. If the
                     certificate contains a wildcard domain, the recipient's domain
                     must match the wildcard. It also blocks any certificate bound
                     to an IP address instead of a hostname, and ends the session
                     if the domain check fails.

                     Recommendations: This is the most stringent setting, and it
                     will cause outbound mail to fail if the domain in the
                     certificate does not match the domain of the recipient's mail
                     server. Contact your recipient before you use this setting,
                     and send at least a few trial messages to confirm that mail
                     flow is not interrupted. Be aware that mislabeled domains in
                     TLS certificates are not uncommon; if your recipient uses a
                     different domain name in its certificates, mail flow will be
                     interrupted. This setting provides the most secure delivery
                     and the strongest protection against spoofing, but carries a
                     high risk of mail flow interruption.
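The Check Domain rules above (exact hostname match, single-label wildcard match, rejection of certificates bound to an IP address, session ended on failure) can be illustrated with a small name-matching routine. The following Python is an added example written for this page; it is not Google Message Security code, and the function names, the one-label wildcard rule (following common RFC 6125 practice), the decision to reject a certificate whose only names are IP addresses, and the sample hostnames are all assumptions made for the illustration.

```python
"""Illustrative 'Check Domain'-style certificate name check (example code,
not the product's implementation). Names and matching rules are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class CheckResult:
    ok: bool       # True means the session may continue
    reason: str    # human-readable explanation for logging


def _is_ip_literal(name: str) -> bool:
    """True if a name is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _wildcard_matches(pattern: str, host: str) -> bool:
    """Match a leftmost-label wildcard such as *.example.net.
    Assumption: the wildcard covers exactly one label, so it matches
    mx1.example.net but neither example.net nor a.b.example.net."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_domain(cert_names, server_host: str) -> CheckResult:
    """Apply the Check Domain rules to the names carried by a certificate.

    cert_names: subject/SAN names from the recipient server's certificate
    server_host: the hostname we connected to (e.g. the recipient's MX host)
    """
    host = server_host.rstrip(".").lower()
    if not cert_names:
        return CheckResult(False, "certificate carries no names; session ended")
    # A host reached by IP literal has no domain to compare against.
    if _is_ip_literal(host):
        return CheckResult(False, "server reached by IP address, not hostname; session ended")
    # Assumption: a certificate whose names are all IP addresses is 'linked to an
    # IP address instead of a hostname' and is blocked outright.
    if all(_is_ip_literal(n) for n in cert_names):
        return CheckResult(False, "certificate bound to an IP address; session ended")
    for name in cert_names:
        if _is_ip_literal(name):
            continue  # an IP name cannot match a hostname; try the others
        name = name.rstrip(".").lower()
        if name == host:
            return CheckResult(True, f"exact match on {name}")
        if name.startswith("*.") and _wildcard_matches(name, host):
            return CheckResult(True, f"wildcard match on {name}")
    # This is the 'mislabeled domain' case the recommendations warn about.
    return CheckResult(False, "no certificate name matches the server host; session ended")


if __name__ == "__main__":
    # Constructed sample: a recipient MX host and several candidate certificates.
    mx_host = "mx1.recipient.example"
    samples = [
        ["mx1.recipient.example"],          # exact match: delivery continues
        ["*.recipient.example"],            # wildcard match: delivery continues
        ["mail.other.example"],             # mislabeled domain: mail flow interrupted
        ["192.0.2.10"],                     # IP-bound certificate: blocked
    ]
    for names in samples:
        result = check_domain(names, mx_host)
        print(f"{names!s:32} -> {'OK  ' if result.ok else 'FAIL'} {result.reason}")
```

Running the block prints one line per sample certificate; the third and fourth samples show why the manual recommends trial messages before enabling Check Domain, since a correctly trusted certificate is still rejected when its name does not match the server host.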