Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
2
Helpful
3
Replies

C195 TLS protocol from off to preferred any issue?

Go to solution
SL23
Level 1
Level 1

‎05-30-2024 01:36 AM

Hi,

i currently using C195 and under Mail Flow Policy: Default the TLS of "Encryption and Authentication" currently is OFF so want to know if I change it to "Preferred" any impact for receive incoming emails? As i assume not all incoming emails using TLS protocol?

Thanks!

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎05-30-2024 10:18 AM

No issue. But LOTS of your mail will probably come in via TLS once enabled.
98% of my email comes in TLS encrypted. And 99.7% outgoing...

You do want to make sure you SSL config is where you need it to be first.
So go to System Administration/SSL Configuration, make sure for inbound SMTP you enable TLS1.2 and TLS1.3 (if you're on 15.5)

Look at the cipher string...

Here's mine:

HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM

To get here, I had
HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH
(Allow all the "HIGH" strength ciphers, turn off RC4, Null, MD5, DSS, Export eligible, IDEA, and 3DES, then sort by strength so it tries the best ones first)

Then either 15.0 or 15.5 turned off a stack of weak ciphers.

The default may be just fine.


View solution in original post

Go to solution
Ken Stieers
VIP
VIP
In response to SL23

‎05-30-2024 08:10 PM

Outbound TLS is controlled under Mail Policies/Destination Controls

I would set the default policy with TLS as Preferred. This will cover over 90% of your mail. It will try to send via TLS and fall back to unencrypted if it can't negotiate a connection. You should look at the same SSL configuration as you did for inbound SMTP too.


Down the road you may have systems where you want the connection to be required (banks, for example), you would add a destination on this, page, set the domain (ex. wellsfargo.com) and set that domains config to Required and set up what needs to happen to mail where the TLS conversion can't be set up.

View solution in original post

3 Replies 3

Go to solution
Ken Stieers
VIP
VIP

‎05-30-2024 10:18 AM

No issue. But LOTS of your mail will probably come in via TLS once enabled.
98% of my email comes in TLS encrypted. And 99.7% outgoing...

You do want to make sure you SSL config is where you need it to be first.
So go to System Administration/SSL Configuration, make sure for inbound SMTP you enable TLS1.2 and TLS1.3 (if you're on 15.5)

Look at the cipher string...

Here's mine:

HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-CCM:!DHE-RSA-AES256-CCM:!ECDHE-ECDSA-CAMELLIA128-SHA256:!ECDHE-RSA-CAMELLIA128-SHA256:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-RSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-CCM:!ECDHE-ECDSA-AES256-CCM

To get here, I had
HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:!3DES@STRENGTH
(Allow all the "HIGH" strength ciphers, turn off RC4, Null, MD5, DSS, Export eligible, IDEA, and 3DES, then sort by strength so it tries the best ones first)

Then either 15.0 or 15.5 turned off a stack of weak ciphers.

The default may be just fine.


Go to solution
SL23
Level 1
Level 1

‎05-30-2024 07:23 PM - edited ‎05-30-2024 07:23 PM

Thanks Ken, 

BTW, I saw our incoming connection in TLS protocol; but outgoing connections not. Do I need to enable outgoing and how? thanks!

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to SL23

‎05-30-2024 08:10 PM

Outbound TLS is controlled under Mail Policies/Destination Controls

I would set the default policy with TLS as Preferred. This will cover over 90% of your mail. It will try to send via TLS and fall back to unencrypted if it can't negotiate a connection. You should look at the same SSL configuration as you did for inbound SMTP too.


Down the road you may have systems where you want the connection to be required (banks, for example), you would add a destination on this, page, set the domain (ex. wellsfargo.com) and set that domains config to Required and set up what needs to happen to mail where the TLS conversion can't be set up.

Customers Also Viewed These Support Documents