How Do I Set Up TLS in MailMarshal (SEG)?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • How Do I Set Up TLS in Trustwave MailMarshal (SEG)?

Procedure:

Transport Layer Security (TLS) is a method of creating an encrypted connection between two mail servers over which email is transported. It uses the same security technology that protects HTTPS web connections. For SMTP, TLS encrypts the whole message in transit between the two servers that negotiate it, including the headers, body and attachments. Note that this protection is hop by hop: it does not encrypt the message at rest, and a later hop that does not use TLS will carry the message in clear text.

TLS uses public/private key cryptography. The receiving server presents a certificate containing its public key during the handshake; the two sides then derive a session key that encrypts the rest of the connection. When SEG receives mail over TLS it presents the certificate you create or import in the procedure below; when SEG sends mail, the remote server presents its certificate.

TLS for SMTP (STARTTLS) is an SMTP service extension (ESMTP), and a server only advertises its extensions in reply to the EHLO command. SEG must therefore use EHLO (the default setting). The older HELO command does not negotiate extensions, so TLS cannot be used if you have configured SEG to use HELO.

TLS for SMTP is defined in RFC 3207, SMTP Service Extension for Secure SMTP over Transport Layer Security, which obsoletes the earlier RFC 2487 of the same name.

Note: The RFC (section 4) specifies that a publicly referenced SMTP server must not require STARTTLS in order to deliver mail locally. In practice this means you must not select Require TLS for all inbound connections on any node that the MX records for your domains point to; use that option only on internal-facing nodes, as described under Advanced Usage below.

Setting Up TLS

Note: For more details and advanced usage, see the "related articles" listed at the end of this article.

Setting up TLS on a single server SEG installation involves 3 tasks:

  1. Creating or importing a TLS Certificate
  2. Enabling TLS for mail incoming to SEG
  3. Enabling TLS for mail outbound from SEG

To perform these tasks, open the SEG Configurator and navigate to Server and Array Configuration.

SEG allows you to use a self-signed certificate, or a certificate signed by a public Certificate Authority. A self-signed certificate is adequate in many cases, because opportunistic SMTP TLS typically encrypts the connection without requiring the peer's certificate to chain to a trusted CA. Choose a CA-signed certificate if partner organizations will validate your certificate, for example when they require TLS for mail to your domain. You must create or import a valid certificate before you can enable TLS.

Note: For additional information about the dialogs and fields described below, see the SEG Help.

To create or import a certificate:

  1. In Server and Array Configuration (MailMarshal (SEG) 10.X: Mail Servers), double-click a node name to open node properties.
  2. Select the Inbound Security (TLS) tab.
  3. Click TLS Certificate Wizard.
  4. Complete the wizard to create or import a certificate.

To enable Inbound TLS:

  1. In Server and Array Configuration (MailMarshal (SEG) 10.X: Mail Servers), double-click a node name to open node properties.
  2. Select the Inbound Security (TLS) tab.
  3. Select Enable TLS.
  4. In MailMarshal (SEG) 10.X, select one or more Elliptic Curves for key exchange. Trustwave suggests the X25519 and secp384r1 curves.
    • Be aware that with TLSv1.3 (supported in MailMarshal (SEG) 10.X), if the remote server supports TLSv1.3 and the two sides cannot agree on a curve, the handshake fails and the email is not delivered. For example, selecting only secp521r1 breaks delivery from Gmail, because Google's servers do not offer that curve. Keep X25519 selected unless you have a specific reason not to.

To enable Outbound TLS:

  1. In Server and Array Configuration, click Array Properties.
  2. Select the Outbound Security (TLS) tab.
  3. Select Connect using TLS when supported.
  4. If you want to offer a client certificate when requested by the remote server, select Offer certificate on request.

Installations With More Than One Email Processing Node

If your SEG installation has more than one email processing node, you must create or import a certificate, and enable inbound TLS, on each node.

Reporting on TLS Activity

  • Messages that SEG delivers using TLS are classified "Delivered successfully over TLS."
  • Messages that are held for retry because TLS is not available are classified "Temporarily undeliverable due to TLS."

You can review these classifications in the Console and Reports.

  • When SEG receives a message using TLS, the Received header it adds records the TLS version and, in later SEG versions, the cipher suite that was negotiated. For instance:

Received: from client03 (Not Verified[127.0.0.1]) by vm-example03 with Trustwave SEG (v7,3,0,7277) (using TLS: TLSv1, AES128-SHA)

  • In current versions, you can use rule conditions to report on received messages. In earlier versions, you can set up a rule using Header Match to harvest this Received information into the database so it will be available in the Console and Reports. 
    • For details of these options, see Trustwave Knowledgebase article Q13829.
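The Received header shown above is also a useful audit source: mining the recorded version and cipher tells you which senders still connect with deprecated protocol versions or cipher suites without forward secrecy. The following script is an added example written for this article, not SEG code. It parses the "(using TLS: version, cipher)" token in the format SEG uses; the first sample header is the article's own, the other three are constructed, and the cipher checks are heuristics on OpenSSL-style suite names.

```python
"""Audit the TLS details SEG writes into Received headers.

Added example for this article, not SEG code. The header format follows
the article's sample; the other sample headers below are constructed.
"""
import re
from collections import Counter

# "(using TLS: <version>[, <cipher>])": the cipher is optional because
# older SEG versions record only the protocol version.
TLS_RE = re.compile(
    r"\(using TLS:\s*(?P<version>(?:TLS|SSL)v[0-9.]+)"
    r"(?:,\s*(?P<cipher>[A-Za-z0-9_-]+))?\)"
)

# SSLv3 was retired by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed samples: the first is the article's example, the rest are made up
# (host names, addresses and version strings are placeholders).
SAMPLE_HEADERS = [
    "Received: from client03 (Not Verified[127.0.0.1]) by vm-example03 with Trustwave SEG (v7,3,0,7277) (using TLS: TLSv1, AES128-SHA)",
    "Received: from mx.partner.example (Not Verified[203.0.113.10]) by seg01 with Trustwave SEG (vX,X,X,X) (using TLS: TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384)",
    "Received: from mail.example.org (Not Verified[198.51.100.7]) by seg01 with Trustwave SEG (vX,X,X,X) (using TLS: TLSv1.3, TLS_AES_256_GCM_SHA384)",
    "Received: from legacy.example.net (Not Verified[192.0.2.25]) by seg01 with Trustwave SEG (vX,X,X,X)",
]


def parse_received_tls(header):
    """Return (version, cipher) for a TLS hop, or None for a clear-text hop.
    cipher is None when the header records only the version."""
    m = TLS_RE.search(header)
    return (m.group("version"), m.group("cipher")) if m else None


def cipher_issues(cipher):
    """Heuristic review of an OpenSSL-style cipher suite name."""
    issues = []
    # Unknown cipher, or a TLS 1.3 suite (TLS_...): those are always
    # ephemeral-key AEAD suites, so there is nothing to flag by name.
    if not cipher or cipher.startswith("TLS_"):
        return issues
    if not cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        issues.append("no forward secrecy (static RSA key exchange)")
    if cipher.endswith("-SHA"):
        issues.append("SHA-1 HMAC with CBC mode")
    if any(weak in cipher for weak in ("RC4", "DES", "NULL", "EXP")):
        issues.append("broken, null or export-grade cipher")
    return issues


def assess(header):
    """Classify one Received header and list the concerns found."""
    parsed = parse_received_tls(header)
    if parsed is None:
        return {"tls": False, "issues": ["received in clear text"]}
    version, cipher = parsed
    issues = [f"{version} is deprecated"] if version in LEGACY_VERSIONS else []
    return {"tls": True, "version": version, "cipher": cipher,
            "issues": issues + cipher_issues(cipher)}


def summarize(headers):
    """Count hops per protocol version; clear-text hops count as 'none'."""
    return dict(Counter((parse_received_tls(h) or ("none",))[0] for h in headers))


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(assess(h))
    print(summarize(SAMPLE_HEADERS))
```

Feed it the Received headers harvested by the Header Match rule or exported from the Console, one per line, and the summary shows how much of your inbound traffic still arrives over TLSv1 or in clear text; the per-header issues list identifies which peers to contact before you tighten the inbound settings.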

Checking Client Certificates

In version 7.1 and above, you can use rules to check the validity of client certificates presented when mail is delivered to SEG. 

Note: Checking client certificates (in particular checking revocation) requires that the nodes can reach arbitrary HTTP and HTTPS sites, directly or through a web proxy server, because the Certificate Revocation Lists referenced by each certificate must be downloaded during validation. If you do not check the validity of client certificates, this access is not required.

Advanced Usage

With some care you can configure your email environment to require TLS for all internal connections. You can configure SEG to require TLS outbound for specified domains. With cooperation from an external organization, you can configure required TLS for all messages between the two organizations.

The following sections provide general guidance on how to achieve these goals.

Requiring TLS for internal connections

Before requiring TLS for internal connections, ensure that all internal email servers support TLS for sending and receiving email. Configure the internal servers before setting SEG to require TLS.

To require TLS for outbound email:

  1. Dedicate a SEG email processing node to relay email outbound from your local network. Internal servers send to this node; it must not be listed in your public MX records, because the next step makes it refuse connections that do not use TLS.
  2. On the properties of that node, on the Inbound Security (TLS) tab, select Require TLS for all inbound connections.

To require TLS for connections to internal email servers:

  1. In Server and Array Configuration, click Array Properties.
  2. Select the Outbound Security (TLS) tab.
  3. Select Require TLS > for the following domains.
  4. Enter the domain names of your local delivery domains.
    • You can use wildcards, with the same syntax available for User, Group, and Local Domain matching (for details, see Help or the User Guide).

Notes:

  • For help setting up TLS with Microsoft Exchange, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/829721
  • You can enhance security further by ensuring that the internal email servers require client connections to be encrypted.
  • The SEG POP3 service does not support SSL.

Requiring TLS for external connections

Before requiring TLS for a specific domain or server, be sure that the domain’s servers do in fact support TLS.

To require TLS for outbound email to a specific domain:

  1. In Server and Array Configuration, click Array Properties.
  2. Select the Outbound Security (TLS) tab.
  3. Select Require TLS > for the following domains.
  4. Enter the domain names of domains for which you want to require TLS. Do not specify IP addresses (SEG cannot currently enforce TLS for IP addresses).
    • You can use wildcards, with the same syntax available for User, Group, and Local Domain matching (for details, see Help or the User Guide).

Note: If you require TLS for a domain but the servers for that domain do not offer TLS, email to the domain will not be delivered. SEG holds the messages for retry and classifies them "Temporarily undeliverable due to TLS" (see Reporting on TLS Activity above); it never falls back to clear text for a domain in this list.

Note: In SEG 7.5.5 and above, you can choose to send over TLS based on rule conditions. See the User Guide and Help for your installed version.
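A quick way to confirm that a domain's servers support TLS before adding the domain to the Require TLS list, and to check your own inbound setup after enabling it, is to run the STARTTLS exchange yourself and look at what is negotiated. The script below is an added example written for this article, not SEG code. It speaks the raw ESMTP exchange so the EHLO, capability and STARTTLS steps described earlier are visible. Assumptions: the target is reachable on TCP/25 from where you run it, HELO_NAME is a placeholder you replace with your own host name, and the sample EHLO reply used for the offline checks is constructed, not captured from a real server.

```python
"""Probe an SMTP server for STARTTLS and report what it negotiates.

Added example for this article, not SEG code. Assumes TCP/25 reachability;
HELO_NAME is a placeholder. Run: python probe_starttls.py mx.example.net
"""
import hashlib
import io
import socket
import ssl
import sys

SMTP_PORT = 25
HELO_NAME = "probe.example.invalid"   # assumption: placeholder, use your own host name

# Constructed sample EHLO reply (not from a real server) for offline checks.
SAMPLE_EHLO_REPLY = (
    b"250-mx.example.net Hello probe.example.invalid\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)


def read_reply(rfile):
    """Read one SMTP reply: '250-text' lines continue it, '250 text' ends it.
    Returns (code, [text of each line])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return code, lines


def reply_from_bytes(data):
    """Parse a reply held in memory, so the parser can be exercised offline."""
    return read_reply(io.BytesIO(data))


def ehlo_extensions(lines):
    """Extension keywords from an EHLO reply. The first line is the greeting
    and is skipped. A HELO reply has no extension lines, hence no STARTTLS."""
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def tls_action(extensions, require_tls):
    """What a sender does after EHLO. Mirrors SEG's outbound settings:
    'Connect using TLS when supported' (require_tls=False) falls back to
    clear text; 'Require TLS' (True) defers the message instead."""
    if "STARTTLS" in extensions:
        return "starttls"
    return "defer" if require_tls else "plaintext"


def probe(host, require_tls=False, verify_cert=False):
    """Connect, EHLO, STARTTLS; report version, cipher and certificate digest.
    verify_cert=False behaves like opportunistic TLS and accepts a self-signed
    certificate; True shows whether a partner that validates certificates
    would accept this server."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host}
    with socket.create_connection((host, SMTP_PORT), timeout=15) as sock:
        rfile = sock.makefile("rb")
        code, lines = read_reply(rfile)                   # S: 220 banner
        if code != 220:
            result["error"] = f"unexpected banner {code} {lines}"
            return result
        sock.sendall(f"EHLO {HELO_NAME}\r\n".encode())     # C: EHLO (HELO would hide STARTTLS)
        code, lines = read_reply(rfile)                   # S: 250-... 250-STARTTLS ... 250 ...
        exts = ehlo_extensions(lines) if code == 250 else set()
        result["extensions"] = sorted(exts)
        result["action"] = tls_action(exts, require_tls)
        if result["action"] != "starttls":
            sock.sendall(b"QUIT\r\n")
            return result
        sock.sendall(b"STARTTLS\r\n")                      # C: STARTTLS
        code, lines = read_reply(rfile)                   # S: 220 Ready to start TLS
        if code != 220:
            result["error"] = f"STARTTLS refused {code} {lines}"
            return result
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)  # TLS handshake
        except OSError as exc:   # e.g. no common curve, or untrusted cert with verify_cert=True
            result["error"] = f"handshake failed: {exc}"
            return result
        result["version"] = tls.version()
        result["cipher"] = tls.cipher()[0]
        der = tls.getpeercert(binary_form=True)
        result["cert_sha256"] = hashlib.sha256(der).hexdigest() if der else None
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return result


if __name__ == "__main__":
    print(probe(sys.argv[1], require_tls="--require" in sys.argv,
                verify_cert="--verify" in sys.argv))
```

Run it against each host in the domain's MX records (dig example.com MX). An "action" of "defer" with "--require" is exactly the condition that SEG reports as "Temporarily undeliverable due to TLS". Because ssl.create_default_context() in current Python refuses TLS versions below 1.2, a "handshake failed" result against a peer that only offers TLSv1 or TLSv1.1 is itself a finding. To reproduce the TLSv1.3 curve problem described under Inbound TLS, test your own node with a specific group from another host, for example openssl s_client -starttls smtp -connect seg-node:25 -curves secp521r1, and confirm that X25519 also succeeds.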

To require TLS for inbound email from a specific domain:

This task requires the cooperation of the email administrator for the other domain. If the other domain uses SEG, they can follow the steps above. The same general configuration can be set up on other email servers.


Last Modified 5/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle11636.aspx