Using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

Kaspersky Secure Mail Gateway can process email messages that are sent over an encrypted link during a TLS protocol session.

TLS session is a sequence of the following events:

1. The server from which email messages are sent (Client) establishes a connection to the server to which email messages are sent (Server).
2. Servers start interacting via the SMTP protocol.
3. The Client uses the STARTTLS command to offer the Server to use TLS during SMTP interaction.
4. If the Server is able to use TLS, it responds with the Ready to start TLS command and sends the Server certificate to the Client.
5. The Client receives the certificate and, if the Client is configured accordingly, verifies the authenticity of the Server certificate.
6. The Client and the Server enable the data encryption mode.
7. The servers exchange data.
8. The session ends.

You can configure the TLS security mode for situations where Kaspersky Secure Mail Gateway receives messages from another server (acts as the Server) or sends messages to another server (acts as the Client).

Some mail servers use unencrypted channels to exchange email messages on the internet. Configuring mandatory TLS encryption in the application will make it impossible to exchange messages with such servers. For this reason, it is recommended to use the following TLS security settings with caution:

• TLS settings for receiving message → Server TLS security level = Require TLS Encryption
• TLS settings for sending messages → Client TLS security level = Require TLS Encryption and don't verify certificate or Require TLS Encryption and verify certificate

By default, the application checks the capability for TLS encryption but does not terminate a connection if encryption is not available. This lets you ensure data exchange with all servers but does not guarantee the security of the communication channels. Email messages transmitted over unencrypted channels could be intercepted, spoofed, or modified by hackers.

To ensure the authenticity and confidentiality of transmitted messages, it is recommended to configure S/MIME in the settings of the mail client being used in your organization.

If you chose to use TLS encryption in application settings to ensure safe data transfer, you will need a security certificate (hereinafter also referred to as the "TLS certificate"). You can use the default certificate automatically created by the application or add your own certificate.

In this Help section Configuring TLS security for receiving and sending messages Managing TLS certificates

Page top