Configuring TLS security for Kaspersky Secure Mail Gateway in Server role

To configure the TLS security mode used when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role):

  1. In the main window of the application web interface, open the management console tree and select the Domains section.
  2. Click any link to open the TLS settings window.
  3. In the Server TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
    • No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.

    • Accept TLS Encryption if you want Kaspersky Secure Mail Gateway to offer TLS encryption of the connection to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway uses the STARTTLS command to offer TLS encryption to the server that sends email messages, but accepts messages regardless of that server's response.

    • Require TLS Encryption if you want Kaspersky Secure Mail Gateway to require the server that sends email messages to use TLS encryption of the connection.

      In this case, the server that is sending email messages (the Client) uses the STARTTLS command to offer TLS encryption to Kaspersky Secure Mail Gateway. Kaspersky Secure Mail Gateway responds with the STARTTLS command, sends the Server certificate to the Client, and requires the Client to verify the authenticity of the Server certificate. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.

  4. In the Providing Server TLS certificate settings group, select the TLS certificate of the server to be sent by Kaspersky Secure Mail Gateway to the Client for authentication at the beginning of each TLS session.

    You can create or import a TLS certificate in the Encryption keys section, TLS subsection of the main window of the Kaspersky Secure Mail Gateway web interface.

  5. In the Requesting Client TLS certificate settings group, select one of the following options:
    • Do not request if you want Kaspersky Secure Mail Gateway not to request the client's TLS certificate.
    • Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but to still be able to redirect messages regardless of the certificate verification result.
    • Require if you want Kaspersky Secure Mail Gateway to require the client's TLS certificate and not forward messages on detecting an invalid name or invalid TLS certificate of the client.

      Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.

  6. Click OK.
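
After saving the settings, the selected mode can be confirmed from outside the gateway. The following is an added example, not part of the product documentation: it connects as a sending server, records whether STARTTLS is offered and whether a plaintext MAIL FROM is accepted, and checks that the Server certificate from step 4 verifies. Assumptions: the gateway listens on port 25, a gateway in Require mode refuses plaintext MAIL FROM with a 5xx reply (RFC 3207 specifies 530), and `probe.example.test` is a placeholder HELO name.

```python
import smtplib
import ssl
import sys


def classify_server_tls_mode(starttls_offered, mail_code_before_tls):
    """Map observed SMTP behaviour to the three Server TLS modes.

    mail_code_before_tls: reply code to MAIL FROM sent without TLS.
    Assumption: a gateway that requires TLS refuses it with a 5xx code
    (RFC 3207 specifies 530); this is not taken from the product docs.
    """
    if not starttls_offered:
        return "No TLS Encryption"
    if 500 <= mail_code_before_tls <= 599:
        return "Require TLS Encryption"
    if 200 <= mail_code_before_tls <= 299:
        return "Accept TLS Encryption"
    return "undetermined"


def probe(host, port=25, helo_name="probe.example.test"):
    """Return (mode, cert_verified) for a gateway you administer."""
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo(helo_name)
        offered = smtp.has_extn("starttls")
        # Envelope sender only; the connection is closed before RCPT/DATA,
        # so no message is submitted.
        code, _ = smtp.docmd("MAIL", "FROM:<>")
    finally:
        smtp.close()
    cert_verified = None  # None means STARTTLS was not offered
    if offered:
        smtp = smtplib.SMTP(host, port, timeout=15)
        try:
            smtp.ehlo(helo_name)
            # The default context checks the chain and the host name, as
            # the sending Client is expected to do in Require mode.
            smtp.starttls(context=ssl.create_default_context())
            cert_verified = True
        except ssl.SSLCertVerificationError:
            cert_verified = False
        finally:
            smtp.close()
    return classify_server_tls_mode(offered, code), cert_verified


if __name__ == "__main__" and len(sys.argv) == 2:
    print(probe(sys.argv[1]))
```

A self-signed Server certificate reports `cert_verified` as `False` unless the probing host trusts it, which is the same result a sending server that verifies certificates would see.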

See also

Using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

Configuring TLS security for Kaspersky Secure Mail Gateway in Client role

Creating a TLS certificate

Deleting a TLS certificate

Preparing a self-signed TLS certificate for import

Preparing to import a TLS certificate signed by a certification authority

Importing the TLS certificate from file
