TLS enforcement is configured by associating groups of third-party domains, organized in containers called Business Partners, with your registered domains.
Things to know
If your domain has no Transport Layer Security (TLS) enforcements configured, you can still send and receive email over Opportunistic TLS.
If the Symantec.cloud Email Security Services (ESS) infrastructure receives an email from you or from a third party over Opportunistic TLS, then ESS attempts to deliver the email to the recipient using Opportunistic TLS.
If the recipient mail server does not support TLS, ESS falls back to clear-text delivery; otherwise the email is delivered over TLS.
If ESS receives an email in clear text and no TLS enforcements are configured, ESS delivers the email to the recipient in clear text; no TLS is attempted.
Add a business partner and its domains
1. Navigate to Services > Encryption > TLS Business Partners.
2. Click Add New Business Partner.
3. Enter a business name, and then click Continue.
4. Click Add New Business Partner Domain. Optional: For the bulk upload of domains, use Upload New Business Partner Domains (not covered here).
5. Enter the domain name. Optional: Configure the Mail Delivery setting using the Static Route setting, where applicable.
6. Click TLS Test, and confirm that the domain is TLS capable. Optional: If the domain has certificate issues, you can change the Certificate validation setting to Relaxed, or add Trusted Certificate Common Names, to resolve the issues based on the feedback from the test results.
7. Repeat from step 4 until all third-party domains for the business partner are added.
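The TLS Test in step 6 checks that a partner's MX host advertises STARTTLS and presents an acceptable certificate. The following added example (not Symantec's code and not part of this article) performs the same kind of check from your own network before you add a domain, so you can see in advance whether Strong validation will pass or whether a Relaxed setting or a Trusted Certificate Common Name would be needed. It assumes, as a model of the product's settings rather than its documented rules, that "strong" means the certificate chains to a trusted CA and its SAN/CN matches the MX host name, that "relaxed" accepts any certificate while still using TLS, and that Trusted Certificate Common Names is an allow-list of subject CNs that may substitute for a host-name match. The host names in the tests are constructed placeholders.

```python
"""Offline-testable STARTTLS and certificate check for an SMTP MX host.

Added example, not Symantec's or the ESS product's own code. The Strong /
Relaxed / Trusted-CN semantics are assumptions made for illustration.
"""
import re
import smtplib
import ssl

# Accepts both raw "250-STARTTLS" lines and smtplib's code-stripped EHLO text.
STARTTLS_RE = re.compile(r"^(?:250[- ])?STARTTLS\b", re.IGNORECASE | re.MULTILINE)


def ehlo_offers_starttls(ehlo_text: str) -> bool:
    """Return True if an EHLO response advertises the STARTTLS extension."""
    return bool(STARTTLS_RE.search(ehlo_text))


def cert_names(cert: dict) -> dict:
    """Extract the subject CN and DNS SANs from ssl.getpeercert() output."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": cn, "sans": sans}


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host; one leading wildcard label allowed."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches "mail.example.com" but not "a.b.example.com"
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def validate_peer(cert: dict, mx_host: str, mode: str, trusted_cns=()) -> tuple:
    """Decide whether a presented certificate passes under the assumed mode.

    Returns (passed, reason). 'relaxed' never fails on the certificate;
    'strong' requires a SAN/CN match or a CN in the trusted allow-list.
    """
    if mode == "relaxed":
        return True, "relaxed: certificate not checked, TLS still used"
    names = cert_names(cert)
    candidates = names["sans"] or ([names["cn"]] if names["cn"] else [])
    if any(name_matches(n, mx_host) for n in candidates):
        return True, "strong: certificate name matches MX host"
    if names["cn"] and names["cn"] in trusted_cns:
        return True, "strong: CN %r is in Trusted Certificate Common Names" % names["cn"]
    return False, "strong: no name in %r matches %r" % (candidates, mx_host)


def tls_test(mx_host: str, mode: str = "strong", trusted_cns=(), timeout: int = 10) -> tuple:
    """Live check (needs network): EHLO, STARTTLS, then judge the certificate.

    In 'strong' mode the ssl module still verifies the chain against the
    system CA store; the host-name check is done by validate_peer so that the
    Trusted-CN allow-list can be applied.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # name check is done in validate_peer
    if mode == "relaxed":
        ctx.verify_mode = ssl.CERT_NONE  # assumed meaning of the Relaxed setting
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        if not ehlo_offers_starttls(msg.decode(errors="replace")):
            return False, "server does not advertise STARTTLS"
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as exc:
            return False, "strong: TLS handshake or chain verification failed: %s" % exc
        cert = smtp.sock.getpeercert()   # empty dict when CERT_NONE was used
        return validate_peer(cert, mx_host, mode, trusted_cns)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.partner.example"  # placeholder
    print(tls_test(host, mode="strong"))
```

Run it with the partner's MX host as the first argument; a False result with a "strong:" reason is the situation in which the article's optional step (Relaxed validation or a Trusted Certificate Common Name) applies.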
Configure TLS enforcements
To create a new TLS enforcement between your registered domains and third-party domains:
1. Under the TLS Enforcements tab, in the table of domains, click either Default Settings or a domain name, depending on the intended scope of the enforcement configuration.
Note: When a new enforcement is added to Default Settings, the new enforcement applies to any domain configured to use the Default Settings.
To assign a business partner to this profile:
2. Click Add New Enforcement.
3. Configure the following:
   Business Partner: Select the business partner that you want to apply to this profile.
   Encryption Policy: Only one option is available, which is set by default.
   Select the direction in which the enforcement applies:
      Inbound (from the business partner's domains to you through the ESS infrastructure).
      Outbound (from you to the business partner's domains through the ESS infrastructure).
      Inbound and Outbound.
4. Click Add. Repeat this process for every business partner you wish to enforce on this profile.
5. Click Save at the bottom of the page.
Conditions regarding SMTP communications to a business partner with TLS enforcement
To send email to a business partner that has Outbound TLS enforcement enabled, your outbound mail server must issue a STARTTLS command to the ESS server.
If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
After the email is processed, ESS attempts to establish a secure SMTP connection to the business partner's recipient mail server over Enforced TLS.
Email is not delivered if the business partner's mail server does not support TLS, or if ESS fails to authenticate the certificate that the third-party recipient mail server presents when the domain uses Strong validation. Undelivered mail is placed in a retry queue. If delivery still fails when the standard retry period ends, the email is bounced back to you.
Conditions regarding SMTP communications from a business partner with TLS enforcement
To receive email from a business partner that has Inbound TLS enforcement enabled, the business partner's outbound mail server must issue a STARTTLS command to the ESS server.
If the business partner's outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
After the email is processed, ESS attempts to establish a secure SMTP connection to your mail server over Enforced TLS.
Email is not delivered if your inbound mail server does not support TLS, or if ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong validation. Undelivered mail is placed in a retry queue. If delivery still fails when the standard retry period ends, the email is bounced back to the business partner.
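The two "Conditions" passages above, together with the Opportunistic TLS behaviour described under "Things to know", can be traced as a small offline model. The following is an added example, not Symantec's or the ESS product's code: enforcing_receiver() models the ESS-facing side of the SMTP dialogue (under an enforcement, MAIL FROM before STARTTLS is refused with the 530 reply RFC 3207 suggests, and a failed negotiation ends the session; without an enforcement a clear-text session is accepted), and deliver() models the onward hop (Enforced TLS fails closed into the retry queue; Opportunistic TLS falls back to clear text, and clear text in with no enforcement means no TLS is attempted). The reply texts, host names and addresses are constructed for illustration, and the exact status codes ESS uses are not stated in the article.

```python
"""Model of TLS-enforced versus opportunistic SMTP handling.

Added example, not the ESS product's code. Reply strings are modelled on
RFC 3207 / RFC 5321 conventions; ESS's actual replies are not documented here.
"""

DELIVERED_TLS = "delivered over TLS"
DELIVERED_CLEAR = "delivered in clear text"
QUEUED = "queued for retry; bounced to the sender if the retry period expires"


def enforcing_receiver(enforced: bool, tls_negotiable: bool, client_commands):
    """Walk a client's SMTP commands as the receiving side would.

    enforced        -- a TLS enforcement covers this partner/direction
    tls_negotiable  -- whether a STARTTLS handshake would succeed
    Returns (transcript, accepted): transcript is a list of (client, server)
    pairs; accepted becomes True once DATA is answered with 354.
    """
    transcript, tls_active, accepted = [], False, False
    for cmd in client_commands:
        verb = cmd.split()[0].upper()
        if verb == "EHLO":
            reply = "250-ess.example.test\n250-STARTTLS\n250 8BITMIME"
        elif verb == "STARTTLS":
            if tls_negotiable:
                tls_active = True
                reply = "220 2.0.0 Ready to start TLS"
            else:
                reply = "454 4.7.0 TLS not available due to temporary reason"
                transcript.append((cmd, reply))
                if enforced:        # failed negotiation: connection rejected
                    break
                continue            # opportunistic: client may carry on in clear
        elif verb in ("MAIL", "RCPT", "DATA") and enforced and not tls_active:
            reply = "530 5.7.0 Must issue a STARTTLS command first"
            transcript.append((cmd, reply))
            break                   # clear-text mail refused under enforcement
        elif verb in ("MAIL", "RCPT"):
            reply = "250 2.1.0 Ok"
        elif verb == "DATA":
            reply = "354 End data with <CR><LF>.<CR><LF>"
            accepted = True
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.1 Command not recognized"
        transcript.append((cmd, reply))
    return transcript, accepted


def deliver(enforced: bool, hop_supports_tls: bool, cert_ok: bool = True,
            strong_validation: bool = True, inbound_over_tls: bool = True) -> str:
    """Outcome of the onward delivery attempt for one message."""
    if not enforced and not inbound_over_tls:
        return DELIVERED_CLEAR      # clear text in, no enforcement: no TLS attempted
    needs_valid_cert = enforced and strong_validation
    if hop_supports_tls and (cert_ok or not needs_valid_cert):
        return DELIVERED_TLS
    if enforced:
        return QUEUED               # Enforced TLS fails closed
    return DELIVERED_CLEAR          # Opportunistic TLS falls back


if __name__ == "__main__":
    # Constructed dialogue: a sender that never issues STARTTLS against an enforced partner.
    session = ["EHLO mta.sender.example", "MAIL FROM:<a@sender.example>",
               "RCPT TO:<b@partner.example>", "DATA"]
    for client, server in enforcing_receiver(True, True, session)[0]:
        print("C:", client)
        print("S:", server.replace("\n", "\nS: "))
    print(deliver(enforced=True, hop_supports_tls=False))
```

Running the block prints the refused dialogue and the queued outcome; swapping in a session that issues STARTTLS before MAIL FROM (the path a correctly configured outbound MTA takes) reaches 354.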