---

1. What type of certificate should we buy ? Means is there any specific certificate dedicate to such encryption or we just simply ask third party certificate authority about it ?

2. We are using two ESA devices for outbound emails and I believe we require one certificate for each device. Correct me if I am wrong.

3. As there are variety of certificate available at third party CA authority what are the type of certificate is required for ESA TLS encryption?

4.Is there any detailed document/video where I can find the ESA TLS Encryption and end user decryption in as well.

5.In case of emails drops or deliverable, how to trace and restore them?       

1. you can buy a standard web server cert, nothing special.  We use our wild card.

2. you want the cert to match the A record that points at the ESA and you want the ESA to use that name on the interface so that's what shows up in the HELO/EHLO response.  Not everyone verifies certs, but you want it to match if they do... which is why we use a wildcard. 

3. same question as number 1, same answer 

4. Users never have to interact with TLS, there are probably Youtubes around, I don't have links.  I know there are videos around for the encrypted envelope stuff, but I don't have links.

5.  You can set outbound mail that requires encryption to notify the sender if it fails, so your users will have the mail, no recovery required... the ESA doesn't keep it...  If you're dropping mail using some sort of content filter, you can add an action to archive or quarantine the mail before you drop it...