Solved: C195 TLS protocol from off to preferred any issue?

SL23 · ‎05-30-2024

Hi,

i currently using C195 and under Mail Flow Policy: Default the TLS of "Encryption and Authentication" currently is OFF so want to know if I change it to "Preferred" any impact for receive incoming emails? As i assume not all incoming emails using TLS protocol?

Thanks!

Ken Stieers · ‎05-30-2024

No issue. But LOTS of your mail will probably come in via TLS once enabled.
98% of my email comes in TLS encrypted. And 99.7% outgoing...

You do want to make sure you SSL config is where you need it to be first.
So go to System Administration/SSL Configuration, make sure for inbound SMTP you enable TLS1.2 and TLS1.3 (if you're on 15.5)

Look at the cipher string...

Here's mine:

HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM

To get here, I had
HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH
(Allow all the "HIGH" strength ciphers, turn off RC4, Null, MD5, DSS, Export eligible, IDEA, and 3DES, then sort by strength so it tries the best ones first)

Then either 15.0 or 15.5 turned off a stack of weak ciphers.

The default may be just fine.

View solution in original post

Ken Stieers · ‎05-30-2024

Outbound TLS is controlled under Mail Policies/Destination Controls

I would set the default policy with TLS as Preferred. This will cover over 90% of your mail. It will try to send via TLS and fall back to unencrypted if it can't negotiate a connection. You should look at the same SSL configuration as you did for inbound SMTP too.

Down the road you may have systems where you want the connection to be required (banks, for example), you would add a destination on this, page, set the domain (ex. wellsfargo.com) and set that domains config to Required and set up what needs to happen to mail where the TLS conversion can't be set up.

View solution in original post

Ken Stieers · ‎05-30-2024

No issue. But LOTS of your mail will probably come in via TLS once enabled.
98% of my email comes in TLS encrypted. And 99.7% outgoing...

You do want to make sure you SSL config is where you need it to be first.
So go to System Administration/SSL Configuration, make sure for inbound SMTP you enable TLS1.2 and TLS1.3 (if you're on 15.5)

Look at the cipher string...

Here's mine:

HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM

To get here, I had
HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH
(Allow all the "HIGH" strength ciphers, turn off RC4, Null, MD5, DSS, Export eligible, IDEA, and 3DES, then sort by strength so it tries the best ones first)

Then either 15.0 or 15.5 turned off a stack of weak ciphers.

The default may be just fine.

SL23 · ‎05-30-2024

Thanks Ken,

BTW, I saw our incoming connection in TLS protocol; but outgoing connections not. Do I need to enable outgoing and how? thanks!

Ken Stieers · ‎05-30-2024

Outbound TLS is controlled under Mail Policies/Destination Controls

I would set the default policy with TLS as Preferred. This will cover over 90% of your mail. It will try to send via TLS and fall back to unencrypted if it can't negotiate a connection. You should look at the same SSL configuration as you did for inbound SMTP too.

Down the road you may have systems where you want the connection to be required (banks, for example), you would add a destination on this, page, set the domain (ex. wellsfargo.com) and set that domains config to Required and set up what needs to happen to mail where the TLS conversion can't be set up.