Enforced TLS

We have enforced TLS for a few email domains, and for some domains we haven't applied limit_type or limit_apply. Does that mean the enforced TLS is not working for that domain?

Vinay babu
Level 1

While enforcing TLS for any external domain (Mail Policies >> Destination Controls), we have to apply limits. However, if you want to know whether the emails are delivering to enforced TLS domains or not, do Message tracking to see what's happening. Thanks.

I'm not sure what those limits you're referencing are...
They aren't labeled in the GUI or CLI....
There are limit settings for the max number of recipients and if that limit is for the whole ESA or per virtual gateway (if you're using them)...
Not having those set does not turn off the TLS requirements.

Hi Ken,

Thank you for the update. I meant something like below: Does this configuration mean one domain is enforced and one not?

[example.com]
table_tls=require
max_message_per_connection=50

[example.com]
table_tls=require
max_message_per_connection=50
recepient_minutes=60
limit_type=host
limit_apply=system
recepient_limit=0

Many thanks

Rem

TLS is enforced in both of those.

Both have a limit on the number of mails per connection it will attempt.

The second one has a limit set on the number of recipients it can send to per 60 minutes, but that limit looks to be zero?

So... I'd bet that ought to be something higher?

Thank you so much, Ken. So that means in both cases the emails are enforced both inbound and outbound, right?

Nope, just outbound.
To force inbound, it's harder... you have to configure a mail flow policy sender group to require it.
Sender groups are based on IP. You can put domains in the config, but since so many companies are using other systems to send mail, you have no guarantee that you're forcing all of any specific company's mail to be encrypted.
For example, if Example company is using Office 365, you can't use example.com or .example.com in the config, you have to use whatever MS's servers have... or whatever last hop they're using (Cisco? Proofpoint? Mimecast? Securence? Mailgun? Etc....)
Generally when this has been a requirement, we've had a conversation with the other side to make sure they're requiring mail to go encrypted to us.

Also, can you please explain what the main difference is in the configuration in both cases?

Top one has it enabled using defaults for the connection and recipient limits.
Top one has its own connection limits.
This is much easier to understand if you use the GUI. It's under Mail Policies/Destination Controls.
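
The point made in the replies above (outbound TLS enforcement depends on table_tls alone, and a zero recipient limit deserves a second look) can be checked across many destination entries with a short script. This is an added example, not part of the thread and not Cisco code; it assumes the entries are available as text in the INI-like shape quoted above, with key names copied as written in the post and constructed placeholder domains.

```python
import configparser

# Constructed sample in the shape quoted in the thread. Domain names are
# placeholders; key names are copied as written in the post (assumption:
# adjust them to match the keys in your own export).
SAMPLE = """
[partner-a.example]
table_tls=require
max_message_per_connection=50

[partner-b.example]
table_tls=require
max_message_per_connection=50
recepient_minutes=60
limit_type=host
limit_apply=system
recepient_limit=0

[partner-c.example]
max_message_per_connection=50
"""

def audit(text):
    """Return {domain: {"tls_required": bool, "notes": [str]}}."""
    # strict mode (the default) rejects duplicate domain sections.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for domain in cp.sections():
        entry = cp[domain]
        notes = []
        # Enforcement is read from table_tls only, never from the limit keys.
        tls_required = entry.get("table_tls", "").strip().lower() == "require"
        if not tls_required:
            notes.append("table_tls is not 'require': outbound TLS not enforced")
        limit = entry.get("recepient_limit")
        if limit is not None and limit.strip() == "0":
            minutes = entry.get("recepient_minutes", "?")
            notes.append(f"recipient limit is 0 per {minutes} minutes: review")
        report[domain] = {"tls_required": tls_required, "notes": notes}
    return report

if __name__ == "__main__":
    for domain, result in audit(SAMPLE).items():
        print(domain, result)
```

This only covers outbound destination entries; inbound enforcement lives in the mail flow policies and sender groups described above.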