Policies - Secure Delivery Configuration

This article contains information on Secure Delivery, which uses TLS encryption to protect email transmissions, and provides steps to configure Secure Delivery definitions and policies for secure and reliable email delivery.

Overview

Secure Delivery uses Transport Layer Security (TLS) to encrypt the SMTP connection between mail servers, protecting the confidentiality and integrity of messages while they are in transit. TLS is the successor to Secure Sockets Layer (SSL); the Administration Console still uses the term SSL in places, but the encrypted tunnel negotiated is TLS. This reduces the risk of eavesdropping, interception, and alteration of messages sent across the internet. Note that TLS protects only the hop between the two servers; it does not encrypt the message at rest or end to end.

The Secure Delivery policy is applied when messages are delivered either:

  • Inbound from Mimecast to your organization.
  • Outbound from Mimecast to external recipients.

To use TLS with Mimecast Secure Delivery, your sending and receiving mail servers must have an X.509 (commonly called SSL) certificate installed. We strongly recommend a certificate issued by a public root certificate authority that Mimecast trusts, so that the full chain validates under the Strict encryption mode. Self-signed certificates are accepted only in Relaxed mode and should be used temporarily, for example while troubleshooting delivery issues.

Mimecast negotiates TLS 1.2 and TLS 1.3 only, unless the Deprecated TLS option described below is enabled for a definition.

Configuring a Secure Delivery Definition

You can configure a Secure Delivery definition by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Secure Delivery (Definitions button).
  3. Either select the: 
    • Definition to be changed.
    • Add Secure Delivery Definition button to add a new definition.
  4. Complete the Secure Delivery definition as follows:
Field / Option: Description

Description: Identifies the definition when you apply it to a policy.

Select Option: Select one of the following delivery modes:
  • Default: Uses Opportunistic TLS, as described below.
  • Opportunistic TLS: TLS is attempted first. If the remote mail server does not accept it, the message is delivered over plain SMTP. This protects against passive eavesdropping only; an attacker positioned on the path can suppress the server's STARTTLS offer and force plaintext delivery, which is the gap that Enforced TLS, MTA-STS and DANE close.
  • Enforced TLS: The message is delivered only if the remote mail server accepts TLS. If TLS cannot be negotiated, the connection is dropped and the message is queued and retried.

    Ensure the recipient mail server(s) accept TLS before using this option. If they do not, every message delivered under this policy will fail. Test this communication before enforcing it across your entire organization.

  • Enforced TLS - Fall back to Secure Messaging: TLS is attempted first. If the remote mail server does not accept it, the message is delivered using the Secure Messaging service or Secure Messaging - Lite (requires an active Secure Messaging subscription on your account).
  • No TLS: Plain SMTP delivery (not encrypted).

Encryption Mode: Select one of the following encryption modes:
  • Strict - Trust Enforced: The remote server's certificate must chain to a trusted public root certificate authority.
  • Relaxed: Permits encryption with self-signed certificates and other certificates that lack a complete trust chain. The connection is encrypted, but the identity of the remote server is not verified.

We strongly recommend Strict - Trust Enforced for Secure Delivery policies. Relaxed mode should be treated as a temporary measure only, for example when a certificate with a publicly verifiable trust chain is not yet available.

SSL Mode: Selects the order in which cipher suites are offered to the remote server. This caters to remote systems that do not negotiate the most secure cipher but accept the first common cipher in the offered list, so the order matters.
Select one of the following modes:
  • Default: Negotiates 128-bit ciphers, followed by 256-bit ciphers, and then others (set by default).
  • Weak: Same as Medium, with support for lower-bit ciphers.
  • Medium: Same as Default, but includes additional lower-bit ciphers.
  • Strong: All supported 128-bit and stronger ciphers, ordered from strongest to weakest.

    We strongly recommend the Strong mode. If it causes TLS handshake failures with a particular remote system, review the SSL Mode options and select the next most secure mode that works for that system.

  • Very Strong: Supported ciphers that are generally considered very strong, 128-bit and higher, ordered from strongest to weakest.
  • PFS Only: Only cipher suites that provide Perfect Forward Secrecy (PFS), that is, ephemeral ECDHE or DHE key exchange, ordered from strongest to weakest. With PFS, a later compromise of a server's private key does not expose previously captured sessions.
Deprecated TLS: By default, Mimecast offers only TLS 1.2 and later for TLS negotiation.
Enable this option only for definitions that must still exchange mail with legacy hosts that cannot negotiate anything newer than TLS 1.0/1.1. Both versions are deprecated (RFC 8996) and should not be enabled broadly.

MTA STS: When the MTA STS option is enabled in a Secure Delivery definition, outbound TLS sessions are negotiated as follows: 
  • Mimecast looks up the receiving domain's MTA-STS policy: the _mta-sts TXT record in DNS announces the policy, and the policy itself is fetched over HTTPS from the domain's mta-sts host.

  • If a valid MTA-STS policy is found, Mimecast enforces a TLS connection using the configuration defined in that policy (for a policy in enforce mode, TLS with a valid certificate to one of the MX hosts the policy lists).

  • If no valid MTA-STS policy is retrieved, the actions defined in the Secure Delivery definition apply.

When an outbound message to a recipient enforcing MTA-STS fails to establish a TLS connection using the specified configuration, Mimecast sends a failure report to the rua address that the recipient domain publishes for SMTP TLS Reporting (TLS-RPT, the _smtp._tls TXT record that accompanies an MTA-STS policy).

Enable DANE

The Enable DANE checkbox enforces DNS-based Authentication of Named Entities (DANE) for outbound delivery.

For DANE to work, TLS must be enabled in the definition, and the recipient domain must support DNSSEC: the MX hostnames must be in a DNSSEC-signed zone and publish valid TLSA records (at _25._tcp.<mx hostname>) that match the certificate the MX presents. DANE is evaluated per MX host and is independent of MTA-STS.

  5. Click on Save and Exit.
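The MTA STS behaviour described above (look up the policy, enforce it when valid, otherwise fall back to the definition) and the TLS-RPT reporting address, shown as an added example that is not part of this article or Mimecast's own code. The recipient domain example.net, its DNS TXT answers and its policy body are constructed inline so the code runs offline; a real MTA would fetch the policy over HTTPS from the domain's mta-sts host and cache it for max_age seconds, which is left out here.

```python
"""Added example, not Mimecast code: how an outbound MTA evaluates a
recipient domain's MTA-STS policy (RFC 8461) before deciding whether TLS is
mandatory, and where the TLS-RPT report address comes from (RFC 8460).
All DNS answers, the policy body and the domain names are constructed here
so the example runs offline."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS TXT answers for an imaginary recipient domain (assumption).
DNS_TXT = {
    "_mta-sts.example.net": "v=STSv1; id=20240101T000000",
    "_smtp._tls.example.net": "v=TLSRPTv1; rua=mailto:tls-rpt@example.net",
}
# Constructed body of https://mta-sts.example.net/.well-known/mta-sts.txt
ENFORCE_BODY = """version: STSv1
mode: enforce
mx: mail1.example.net
mx: *.backup.example.net
max_age: 604800
"""
TESTING_BODY = ENFORCE_BODY.replace("mode: enforce", "mode: testing")


@dataclass
class StsPolicy:
    mode: str
    mx: List[str] = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from a _mta-sts TXT record, or None if it is not STSv1."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return fields.get("id") if fields.get("v") == "STSv1" else None


def parse_sts_policy(body: str) -> Optional[StsPolicy]:
    """Parse an mta-sts.txt body; None if the version or mode is unusable."""
    policy = StsPolicy(mode="")
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "version" and value != "STSv1":
            return None
        if key == "mode":
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value.lower())
        elif key == "max_age":
            policy.max_age = int(value)
    return policy if policy.mode in ("enforce", "testing", "none") else None


def mx_permitted(policy: StsPolicy, mx_host: str) -> bool:
    """MX matching per RFC 8461: exact name, or a wildcard covering exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            if re.fullmatch(r"[^.]+" + re.escape(pattern[1:]), host):
                return True
        elif pattern == host:
            return True
    return False


def outbound_tls_decision(domain: str, mx_host: str, definition_mode: str,
                          dns: Dict[str, str] = DNS_TXT,
                          policy_body: str = ENFORCE_BODY) -> Tuple[str, str]:
    """Mirror the article's rule: a valid MTA-STS policy governs the session;
    otherwise the Secure Delivery definition's own mode applies.
    Returns (requirement, reason); requirement is 'enforce', 'refuse' or the
    definition mode passed in."""
    txt = dns.get(f"_mta-sts.{domain}")
    policy = parse_sts_policy(policy_body) if txt and parse_sts_txt(txt) else None
    if policy is None:
        return definition_mode, "no valid MTA-STS policy; definition mode applies"
    if policy.mode == "enforce":
        if mx_permitted(policy, mx_host):
            return "enforce", "MTA-STS enforce: MX listed; TLS with a valid certificate required"
        return "refuse", "MTA-STS enforce: MX not listed in policy; do not deliver"
    # testing / none: mismatches are only reported; the definition mode applies.
    return definition_mode, f"MTA-STS mode={policy.mode}; definition mode applies"


def tlsrpt_rua(domain: str, dns: Dict[str, str] = DNS_TXT) -> Optional[str]:
    """Report destination from the domain's TLS-RPT record (not from the MTA-STS policy)."""
    txt = dns.get(f"_smtp._tls.{domain}", "")
    match = re.search(r"rua=([^;\s]+)", txt)
    return match.group(1) if txt.startswith("v=TLSRPTv1") and match else None


if __name__ == "__main__":
    for mx in ("mail1.example.net", "mx2.backup.example.net", "rogue.example.net"):
        print(mx, outbound_tls_decision("example.net", mx, "opportunistic"))
    print("failure reports go to", tlsrpt_rua("example.net"))
```

The rogue MX case is the one worth noticing: with an enforce-mode policy, a DNS answer that points at an MX the policy does not list is not delivered to at all, whereas in testing mode the same mismatch is only reported and the definition's own mode (for example Opportunistic TLS) decides what happens.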

Configuring a Secure Delivery Policy

You can configure a Secure Delivery policy by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies | Secure Delivery.
  3. Either select the: 
    • Policy to be changed.
    • New Policy button to create a policy.
  4. Complete the Options section as required:
Field / Option: Description

Policy Narrative: A description that lets you identify the policy quickly in future.

Secure Delivery: Click the Lookup button to view the list of Secure Delivery definitions, then click the Select button to the left of the required definition to add it.
  5. Complete the remainder of the policy as necessary; refer to the Policy Basics KB article if needed.
  6. Click on Save and Exit.
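Before a policy that uses Enforced TLS with Strict - Trust Enforced goes live, the article recommends testing that the recipient's servers can actually negotiate TLS. The following is an added example, not part of this article and not Mimecast's code, that models the definition's Encryption Mode and SSL Mode as a Python ssl.SSLContext and uses it to probe an MX over STARTTLS. The mapping of the mode names to OpenSSL cipher strings is this example's own approximation of what the article describes (an assumption, not Mimecast's actual cipher lists); the probe function needs network access, while the summary function runs offline.

```python
"""Added example, not Mimecast code: model a Secure Delivery definition's
Encryption Mode (Strict / Relaxed) and SSL Mode (cipher ordering) as an
ssl.SSLContext, then use it to test a recipient MX over STARTTLS before
Enforced TLS is switched on. The cipher strings are an assumed
approximation of the modes described in the article."""
import hashlib
import smtplib
import ssl
from typing import Dict, List

# Assumed mapping of SSL Mode names to OpenSSL cipher strings. "@STRENGTH"
# sorts the selected suites strongest first, matching the article's wording.
CIPHER_STRINGS = {
    "strong": "HIGH:!aNULL:!eNULL:!MD5:!RC4:@STRENGTH",        # 128-bit and up
    "very_strong": "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:@STRENGTH",
    "pfs_only": "ECDHE:DHE:!aNULL:!eNULL:!MD5:!RC4:@STRENGTH",  # ephemeral key exchange only
}


def context_for(encryption_mode: str, ssl_mode: str = "strong",
                deprecated_tls: bool = False) -> ssl.SSLContext:
    """Build a client-side TLS context equivalent to a Secure Delivery definition."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # TLS 1.2+ only unless the definition's "Deprecated TLS" option is on.
    ctx.minimum_version = ssl.TLSVersion.TLSv1 if deprecated_tls else ssl.TLSVersion.TLSv1_2
    if encryption_mode == "strict":
        ctx.verify_mode = ssl.CERT_REQUIRED    # chain must reach a trusted root
        ctx.check_hostname = True
    elif encryption_mode == "relaxed":
        ctx.check_hostname = False             # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE        # encrypted, peer identity unverified
    else:
        raise ValueError(f"unknown encryption mode {encryption_mode!r}")
    ctx.set_ciphers(CIPHER_STRINGS[ssl_mode])  # ssl.SSLError if nothing matches
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> List[Dict]:
    """TLS 1.2 suites the context offers, in offer order. TLS 1.3 suites carry
    IANA TLS_* names, are fixed by OpenSSL and are left out of the ordering."""
    return [c for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def definition_summary(encryption_mode: str, ssl_mode: str = "strong") -> Dict:
    """Offline view of what a given definition would verify and offer."""
    ctx = context_for(encryption_mode, ssl_mode)
    suites = offered_ciphers(ctx)
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "suite_count": len(suites),
        "all_pfs": all("DHE" in c["name"] for c in suites),
        "strongest_first": all(a["strength_bits"] >= b["strength_bits"]
                               for a, b in zip(suites, suites[1:])),
    }


def probe_starttls(mx_host: str, ctx: ssl.SSLContext, port: int = 25,
                   timeout: float = 15.0) -> Dict[str, str]:
    """Connect to an MX, upgrade with STARTTLS and report what was negotiated.
    Under a strict context a self-signed or mis-chained certificate raises
    ssl.SSLCertVerificationError, the same failure Enforced TLS + Strict would
    produce in production. Requires network access."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": "not offered"}
        smtp.starttls(context=ctx)
        sock = smtp.sock
        der = sock.getpeercert(binary_form=True)
        return {
            "starttls": "ok",
            "version": sock.version(),
            "cipher": sock.cipher()[0],
            # SHA-256 of the full DER certificate: the association data a
            # "3 0 1" TLSA record for this MX would have to carry for DANE.
            "cert_sha256": hashlib.sha256(der).hexdigest(),
        }


if __name__ == "__main__":
    for mode in CIPHER_STRINGS:
        print(mode, definition_summary("strict", mode))
```

To run the probe against a real MX, call probe_starttls("mx.example.net", context_for("strict", "strong")) from a host that can reach port 25; a certificate error there means the recipient would fail under Strict mode and either needs a publicly chained certificate or, temporarily, a Relaxed definition.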

