How to Enforce TLS

This page describes how to enforce TLS and how it behaves from the point of view of a Spambrella sender and a Spambrella recipient. In both cases below, we recommend that the filters be created for the recipient.

Set up and enable TLS 1.2 support in Exchange

Situation – You need to properly configure your on-premises Exchange environment for TLS, including how to set up and enable TLS 1.2 in Exchange.

Solution – Microsoft has published a KB that walks you through how to set up and enable TLS. We refer customers to the following Microsoft KB guide, which walks you through enabling TLS 1.2 in Exchange.

TLS Outbound with Spambrella
This is the Spambrella sender’s perspective.

Most customers will want to utilize TLS for outbound, to ensure secure mail transport.

  • By default, the Spambrella outbound relay will use opportunistic TLS for initial sending.
  • If the recipient server is not accepting our TLS session, we will fall back to standard transport and deliver anyway.

If an outbound filter is created, the condition should be based on the recipient domain (not the Spambrella customer). The action should be ‘Nothing,’ and the secondary action can be:

  • “Enforce completely secure SMTP delivery”
    • The sender must have a valid certificate in place.
    • The domain name used to send must exactly match the domain on the certificate unless it is a wildcard certificate.
    • If there is no certificate, we will not deliver the email.
  • “Enforce only TLS on SMTP delivery”
    • No certificate required. The downstream server simply needs to accept the traffic over TLS.
    • If the downstream server does not accept TLS, we will not deliver the email.

TLS Inbound
This is the Spambrella recipient’s perspective.

This ensures that mail from the Spambrella environment to the customer’s mail server environment is sent over TLS. By default, we attempt delivery over TLS first.

If an inbound filter is created, the condition should be based on the recipient (the Spambrella customer). The action should be ‘Nothing’, and the secondary action can be:

  • “Enforce completely secure SMTP delivery”
    • Same as above. A valid certificate with a matching domain is required, or we will not deliver.
  • “Enforce only TLS on SMTP delivery”
    • Also similar. No certificate required, but the server we are passing the mail off to needs to accept the TLS connection, or we will not deliver.
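
The three behaviors described in the outbound and inbound sections (default opportunistic TLS and the two enforcement actions) can be modeled as follows. This is an added example, not Spambrella's code: the mode names, function names, sample EHLO replies and the single-label wildcard rule are assumptions made for illustration.

```python
# Added example: models the delivery policies described on this page.
# Mode names and matching rules are assumptions, not Spambrella's code.
OPPORTUNISTIC = "opportunistic"        # default: try TLS, fall back to plaintext
TLS_ONLY = "enforce_tls_only"          # "Enforce only TLS on SMTP delivery"
FULLY_SECURE = "enforce_fully_secure"  # "Enforce completely secure SMTP delivery"

# Constructed sample EHLO replies (not captured from a real server).
EHLO_WITH_TLS = "250-mx.example.com Hello\r\n250-SIZE 36700160\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.com Hello\r\n250-SIZE 36700160\r\n250 8BITMIME"


def offers_starttls(ehlo_response: str) -> bool:
    """True if a multi-line EHLO reply (250-... / 250 ...) advertises STARTTLS."""
    for line in ehlo_response.splitlines():
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def name_matches(cert_name: str, expected: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label."""
    cert_name = cert_name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, tail = expected.partition(".")
        return bool(head) and tail == cert_name[2:]
    return cert_name == expected


def delivery_outcome(mode, ehlo_response, cert_names, cert_valid, expected):
    """Return 'tls', 'plaintext' or 'not delivered' for one delivery attempt."""
    if not offers_starttls(ehlo_response):
        # Only the default mode falls back to standard transport.
        return "plaintext" if mode == OPPORTUNISTIC else "not delivered"
    if mode == FULLY_SECURE:
        ok = cert_valid and any(name_matches(n, expected) for n in cert_names)
        return "tls" if ok else "not delivered"
    return "tls"  # opportunistic and TLS-only do not require a certificate match


if __name__ == "__main__":
    for mode in (OPPORTUNISTIC, TLS_ONLY, FULLY_SECURE):
        for label, ehlo in (("STARTTLS", EHLO_WITH_TLS), ("no STARTTLS", EHLO_NO_TLS)):
            result = delivery_outcome(mode, ehlo, ["*.example.com"], True, "mx.example.com")
            print(f"{mode:22} {label:12} -> {result}")
```

Running the same comparison against your own server's EHLO reply and certificate names before creating a filter shows whether an enforcement action would deliver or hold mail.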

If you have questions regarding filters within Spambrella, please email support@spambrella.com for assistance.