Configuring TLS security for receiving and sending messages

May 23, 2024

ID 95403

To configure the TLS security mode for receiving and sending messages:

  1. In the application web interface window, select the Settings → Built-in MTA → TLS Encryption section.
  2. Under TLS settings for receiving messages, in the Server TLS security level drop-down list, select one of the following TLS encryption modes for the connection between KSMG and the server that sends email messages:
    • No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.

      In this case, KSMG receives all messages in unencrypted form.

    • Attempt TLS Encryption if you want KSMG (Server) to prompt the server sending email messages (Client) to use TLS encryption for the connection.

      In this case, KSMG sends a list of supported SMTP commands to the client, including STARTTLS, but will receive messages regardless of the Client's response.

    • Require TLS Encryption if you want to terminate the connection between KSMG (Server) and the server sending email messages (Client) if TLS encryption cannot be used.

      In this case, KSMG sends a list of supported SMTP commands to the Client, including STARTTLS. If the Client does not respond with a STARTTLS command, the connection is terminated. If the Client does send a STARTTLS command to the Server, KSMG responds with a Ready to start TLS command and sends the server certificate to the Client. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.

    By default, the Attempt TLS Encryption mode is active.

  3. In the Requesting client TLS certificate drop-down list, select one of the following options (not available for the No TLS Encryption mode):
    • Do not request if you do not want KSMG to request the client's TLS certificate.
    • Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate, but to still be able to relay messages regardless of the certificate verification result.
    • Require if you want KSMG to require a TLS certificate of the client and refuse to relay messages if the client TLS certificate does not pass verification.

      Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.

      Correct operation of the Require mode requires selecting the Require TLS Encryption server TLS encryption mode.

    By default, the value is set to Do not request.

  4. Under TLS settings for sending messages, in the Client TLS security level drop-down list, select one of the following TLS encryption modes for the connection between KSMG and the server that receives email messages:
    • No TLS Encryption if you do not want to use TLS encryption of the connection with the server that receives email messages.

      In this case, KSMG relays all messages in unencrypted form.

    • Attempt TLS Encryption if you want KSMG to attempt to establish a TLS session with the receiving mail server and, if the receiving server does not support TLS, relay messages in unencrypted form.
    • Require TLS Encryption and don't verify certificate if you want KSMG to relay messages only if the receiving mail server supports TLS, but regardless of the verification result of its TLS certificate.
    • Require TLS Encryption and verify certificate if you want KSMG to relay messages only if the receiving mail server supports TLS, and its TLS certificate is verified successfully.

      KSMG will not forward messages if these conditions are not satisfied.

    By default, the Attempt TLS Encryption mode is active.

  5. Click Apply.

TLS security modes for receiving and sending messages are configured.
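
One way to confirm from the outside which receive-side mode is in effect after you click Apply (an added example, not Kaspersky code). It assumes that a gateway in Require TLS Encryption mode either answers a plaintext MAIL FROM with the RFC 3207 reply code 530 or closes the connection; the function names, the EHLO name tls-check.example and the sample replies are constructed for illustration.

```python
import smtplib

# Mode names are the ones in the Server TLS security level list above.
NO_TLS, ATTEMPT, REQUIRE = ("No TLS Encryption", "Attempt TLS Encryption",
                            "Require TLS Encryption")
# Constructed sample EHLO replies (not captured from a real gateway).
SAMPLE_WITH_TLS = "250-mx.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
SAMPLE_NO_TLS = "250-mx.example.test\n250-PIPELINING\n250 8BITMIME"

def offers_starttls(ehlo_reply):
    """True if a multi-line EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Each line is "250-KEYWORD [params]", or "250 KEYWORD" on the last line.
        keyword = line[4:].split(" ", 1)[0].strip().upper()
        if line[:3] == "250" and keyword == "STARTTLS":
            return True
    return False

def classify_receive_mode(ehlo_reply, mail_code):
    """Infer the receive-side mode from a session that never sends STARTTLS.

    mail_code is the reply code to a plaintext MAIL FROM, or None if the
    server dropped the connection instead of replying.
    """
    if not offers_starttls(ehlo_reply):
        return NO_TLS
    # Assumption: a refusal shows up as RFC 3207 code 530 or as a disconnect.
    if mail_code is None or mail_code == 530:
        return REQUIRE
    if 200 <= mail_code < 300:
        return ATTEMPT
    return "undetermined (MAIL FROM reply %d)" % mail_code

def probe(host, port=25):
    """Run the same check live against a gateway you administer."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, msg = s.ehlo("tls-check.example")
        # smtplib strips the reply codes; restore them for the parser.
        text = msg.decode("ascii", errors="replace")
        ehlo_reply = "\n".join("250-" + l for l in text.splitlines())
        try:
            mail_code, _ = s.docmd("MAIL", "FROM:<>")
        except smtplib.SMTPServerDisconnected:
            mail_code = None
        return classify_receive_mode(ehlo_reply, mail_code)
```

An "undetermined" result means MAIL FROM was rejected for a reason unrelated to TLS, for example a policy on empty senders, so repeat the check with a sender address the gateway accepts.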

See also

Configuring TLS for KSMG

Managing TLS certificates
