Configuring TLS security for receiving and sending messages
26 April 2024
ID 95403
To configure the TLS security mode for receiving and sending messages:
- In the application web interface window, select the Settings → Built-in MTA → TLS Encryption section.
- In the TLS settings for receiving message group of settings, in the Server TLS security level drop-down list, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
- No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.
In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.
- Attempt TLS Encryption if you want Kaspersky Secure Mail Gateway (Server) to prompt the server sending email messages (Client) to use TLS encryption of the connection.
In this case, Kaspersky Secure Mail Gateway sends a list of supported SMTP commands to the client, including
STARTTLS, but receives messages regardless of the Client's response. - Require TLS Encryption if you want to terminate the connection between Kaspersky Secure Mail Gateway (Server) and the server sending email messages (Client) if TLS encryption cannot be used.
In this case, Kaspersky Secure Mail Gateway sends a list of supported SMTP commands to the Client, including
STARTTLS. If the Client does not respond with aSTARTTLScommand, the connection is terminated. If the Client does send aSTARTTLScommand to the Server, Kaspersky Secure Mail Gateway responds with aReady to start TLScommand and sends the server certificate to the Client. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.
By default, the Attempt TLS Encryption mode is active.
- No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.
- In the Requesting client TLS certificate drop-down list, select one of the following options (not available for the No TLS Encryption mode):
- Do not request if you want Kaspersky Secure Mail Gateway not to request the client's TLS certificate.
- Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but to still be able to redirect messages regardless of the certificate verification result.
- Require if you want Kaspersky Secure Mail Gateway to require a TLS certificate of the client and refuse to forward messages if the client TLS certificate does not pass authentication.
Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.
Correct operation of the Require mode requires selecting the Require TLS Encryption server TLS encryption mode.
By default, the value is set to Do not request.
- In the TLS settings for sending messages group of settings, in the Client TLS security level drop-down list, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that receives email messages:
- No TLS Encryption if you do not want to use TLS encryption of the connection with the server that receives email messages.
In this case, Kaspersky Secure Mail Gateway redirects all messages in unencrypted form.
- Attempt TLS Encryption if you want Kaspersky Secure Mail Gateway to attempt to establish a TLS session with the receiving mail server and, if the receiving server does not support TLS, redirect messages in unencrypted form.
- Require TLS Encryption and don't verify certificate if you want Kaspersky Secure Mail Gateway to forward messages only if the receiving mail server supports TLS, but regardless of the authentication results of its TLS certificate.
- Require TLS Encryption and verify certificate if you want Kaspersky Secure Mail Gateway to forward messages only if the receiving mail server supports TLS, and its TLS certificate authenticates successfully.
Kaspersky Secure Mail Gateway does not redirect messages when these conditions are not satisfied.
By default, the Attempt TLS Encryption mode is active.
- No TLS Encryption if you do not want to use TLS encryption of the connection with the server that receives email messages.
- Click Apply.
TLS security modes for receiving and sending messages are configured.
