Configuring TLS security for incoming email messages

To configure the TLS security mode used when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role):

  1. In the main window of the application web interface, open the management console tree and select the Domains section.
  2. Click any link to open the TLS settings window.
  3. In the Server TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
    • No TLS Encryption if you do not want to use TLS encryption of the connection to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.

    • Accept TLS Encryption if you want Kaspersky Secure Mail Gateway to offer TLS encryption of the connection to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway uses the STARTTLS command to offer TLS encryption to the server that sends email messages, but accepts messages regardless of the server's response.

    • Require TLS Encryption if you want Kaspersky Secure Mail Gateway to require the server that sends email messages to use TLS encryption of the connection.

      In this case, the server that is sending email messages (Client) uses the STARTTLS command to propose TLS encryption to Kaspersky Secure Mail Gateway. Kaspersky Secure Mail Gateway responds with the Ready to start TLS message, sends the Server certificate to the Client, and requires the Client to verify the authenticity of the Server certificate. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.

  4. In the Providing Server TLS certificate settings group, select the server TLS certificate that Kaspersky Secure Mail Gateway sends to the Client for authentication at the beginning of each TLS session.

    You can create or import a TLS certificate in the Encryption Keys section, TLS subsection of the main window of the Kaspersky Secure Mail Gateway web interface.

  5. In the Requesting Client TLS certificate settings group, select one of the following options:
    • Do not request if you do not want Kaspersky Secure Mail Gateway to request the client's TLS certificate.
    • Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but still be able to redirect messages regardless of the certificate verification result.
    • Require if you want Kaspersky Secure Mail Gateway to require the client's TLS certificate and not forward messages if it detects an invalid name or an invalid TLS certificate of the client.

      Set the Request or Require mode only if you are certain that the clients supported by your mail server can provide a verifiable TLS certificate.

  6. Click the OK button.
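
To confirm from the outside which Server TLS security level from step 3 is in effect, the following added example (not part of the Kaspersky documentation or product) classifies a gateway's SMTP replies. It assumes the gateway follows RFC 3207, that is, it advertises STARTTLS in its EHLO reply and answers 530 to a plaintext MAIL FROM when TLS is required; the host names, probe address and sample replies are constructed.

```python
import smtplib

# Constructed EHLO replies (not captured from a real gateway).
SAMPLE_EHLO_TLS = "250-mx.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
SAMPLE_EHLO_PLAIN = "250-mx.example.com\n250-PIPELINING\n250 8BITMIME"

def parse_ehlo_extensions(ehlo_reply):
    """Return the ESMTP keywords listed in a multi-line 250 EHLO reply."""
    extensions = set()
    for line in ehlo_reply.splitlines()[1:]:   # first line is the greeting
        line = line.strip()
        if line[:3] == "250" and len(line) > 4:
            extensions.add(line[4:].split()[0].upper())
    return extensions

def classify_mode(extensions, plaintext_mail_code):
    """Map observed behaviour to the three modes named in step 3."""
    if "STARTTLS" not in extensions:
        return "No TLS Encryption"
    if plaintext_mail_code == 530:             # RFC 3207: STARTTLS required first
        return "Require TLS Encryption"
    if 200 <= plaintext_mail_code < 300:       # plaintext mail still accepted
        return "Accept TLS Encryption"
    # Any other rejection (for example a sender policy) says nothing about TLS.
    return "undetermined"

def probe(host, port=25, sender="probe@example.com"):
    """Live check over plaintext SMTP against a gateway you administer."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example.com")
        extensions = {name.upper() for name in smtp.esmtp_features}
        code, _ = smtp.docmd("MAIL", f"FROM:<{sender}>")
        smtp.rset()                            # abandon the test transaction
        return classify_mode(extensions, code)

if __name__ == "__main__":
    print(classify_mode(parse_ehlo_extensions(SAMPLE_EHLO_TLS), 530))
    print(classify_mode(parse_ehlo_extensions(SAMPLE_EHLO_TLS), 250))
    print(classify_mode(parse_ehlo_extensions(SAMPLE_EHLO_PLAIN), 250))
```

A result of "undetermined" means the plaintext MAIL FROM was refused for a reason other than the 530 reply, so repeat the probe with a sender address the gateway accepts.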

See also

Domains and configuration of email routing

Adding a record to the transport map and configuring email routing (transport_map)

Adding a local domain (relay_domain)

Deleting a record from the transport map

Modifying email routing for a domain (transport_map)

About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

Configuring TLS security for outgoing email messages

About the DKIM signature for outgoing messages

Enabling and disabling the DKIM signature for outgoing messages

Preparing to add the DKIM signature to outgoing messages

Adding the DKIM signature to messages from addresses from a specific domain

Creating a TLS certificate

Deleting a TLS certificate

Preparing a self-signed TLS certificate for import

Preparing to import a TLS certificate signed by a certification authority

Importing the TLS certificate from file