05-27-2015 09:40 AM
Hello,
I want to know the steps needed to enable TLS.
This is the scenario:
The ESA is used as a relay from an internal host (no TLS needed).
All the emails coming from this internal host use the same source domain.
The ESA is configured to use a public relay (Google Mail) on the Internet for all the emails coming from this internal host; this is configured by an outgoing content filter. TLS is needed for this part of the communication.
I have created the SMTP authentication profile and I used it in the listener.
I also enabled it in the mail flow policy.
Do I need something else?
I really want to be sure whether I need any more configuration.
In the tests I made, I get this answer:
Double bounce: Message 94130457 to BASIS@quimtia.com. Reason: 5.1.0 - Unknown address error 550-"5.1.1 The email account that you tried to reach does not exist. Please try 5.1.1 double-checking the recipient's email address for typos or 5.1.1 unnecessary spaces. Learn more at 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 lq5si6916488igb.63 - gsmtp"
thanks for your help!
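The bounce quoted above carries two pieces of information worth separating: the ESA's own classification (5.1.0, unknown address) and the reply code plus RFC 3463 enhanced status code returned by the next hop (550 5.1.1). Reading them apart shows whether the next hop refused the session for a security/policy reason (5.7.x, or a STARTTLS complaint) or accepted the session and rejected the recipient. The parser below is an added example, not code from the thread or from Cisco; the line format is assumed from the single bounce line in the question, and the second sample line in the usage is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3463 enhanced-status subjects: the middle digit of X.Y.Z
SUBJECTS = {0: "other", 1: "addressing", 2: "mailbox", 3: "mail system",
            4: "network/routing", 5: "delivery protocol",
            6: "content/media", 7: "security/policy"}

# Shape of the ESA bounce line quoted in the question (format assumed from that one line)
BOUNCE_RE = re.compile(r"Double bounce: Message (?P<id>\d+) to (?P<rcpt>\S+)\. Reason: (?P<reason>.*)$", re.S)
# Reply code and enhanced status code quoted from the next hop, e.g. 550-"5.1.1 ..."
REMOTE_RE = re.compile(r'(?P<code>[245]\d\d)[- ]"?(?P<esc>[245]\.\d{1,3}\.\d{1,3})')


@dataclass
class BounceDiagnosis:
    message_id: str
    recipient: str
    smtp_code: Optional[int]   # reply code from the next hop, if one was quoted
    enhanced: Optional[str]    # its enhanced status code, e.g. "5.1.1"
    subject: str               # RFC 3463 subject for that code
    tls_related: bool          # security/policy class, or STARTTLS named in the reply
    verdict: str


def diagnose(line: str) -> BounceDiagnosis:
    """Parse one ESA double-bounce line and say whether TLS is the likely cause."""
    # Logs copied from a console often carry literal \n and \' escapes; flatten them
    text = line.replace("\\n", " ").replace("\\'", "'").replace("\n", " ")
    m = BOUNCE_RE.search(text)
    if not m:
        raise ValueError("not an ESA double-bounce line")
    reason = m.group("reason")
    r = REMOTE_RE.search(reason)
    code = int(r.group("code")) if r else None
    esc = r.group("esc") if r else None
    subj_digit = int(esc.split(".")[1]) if esc else 0
    subject = SUBJECTS.get(subj_digit, "unknown")
    tls_related = subj_digit == 7 or "STARTTLS" in reason.upper()
    if tls_related:
        verdict = "next hop refused for security/policy reasons; check TLS negotiation and the destination control"
    elif r:
        verdict = f"next hop accepted the session and answered {code} {esc}: a {subject} problem, not a TLS failure"
    else:
        verdict = "no remote reply quoted; the failure happened before the next hop answered"
    return BounceDiagnosis(m.group("id"), m.group("rcpt"), code, esc, subject, tls_related, verdict)


if __name__ == "__main__":
    # The line quoted in the question, followed by a constructed STARTTLS refusal for contrast
    for sample in ('Double bounce: Message 94130457 to BASIS@quimtia.com. Reason: 5.1.0 - Unknown address error 550-"5.1.1 The email account that you tried to reach does not exist."',
                   'Double bounce: Message 1 to user@example.com. Reason: 5.7.0 - Permanent error 530-"5.7.0 Must issue a STARTTLS command first"'):
        print(diagnose(sample).verdict)
```

For the question's bounce the verdict names an addressing problem at the next hop, so the relay accepted the session and the failure is unrelated to whether TLS was negotiated.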
05-28-2015 08:01 PM
Hello Sliza,
I believe from my understanding of your scenario,
Outbound traffic routing is
Internal host -> ESA (no TLS is required)
ESA -> Google Server (Requiring TLS)
Then Google public relay server -> Internet
If you are requiring TLS from the ESA to this Google public relay server, where the recipient domains may all be external:
I would suggest going to GUI > Mail Policies > Destination Controls
On the default destination control, change TLS to 'Preferred'.
So when any deliveries are being done, TLS will be used when available; otherwise it will fall back to plain text.
If you want to set TLS to 'Required' (meaning that if TLS cannot be negotiated, the email is dropped) only for deliveries to this Google public relay server, then you will need to use this workaround.
Create a new content filter.
Conditions would be: the remote IP is your internal host IP
Actions -> Send to alternate destination host -> tlshost.route
Submit this content filter.
GUI > Network > SMTP routes
Add a new SMTP route
Receiving Domain will be -> tlshost.route
Destination hosts: priority = 0, the destination host will be the google public relay server that you will deliver these emails to
Submit this SMTP route.
Then go to GUI > Mail Policies > Destination Controls
Add a new destination control.
Destination -> tlshost.route
TLS support -> Required
Submit this destination control.
Then go to GUI > Mail Policies > Outgoing Mail Policies
Enable your content filter you created on the policies where required.
Submit this and commit change.
Regards,
Matthew