Configure TLS encryption enforcement between you and business partners

Article ID: 178702

Products

Email Security.cloud

Resolution

TLS enforcement is configured by associating groups of third party domains, organized in containers called Business Partners, to your registered domains.

Things to know

  • If your domain has no Transport Layer Security (TLS) enforcements configured, you can still send and receive emails by Opportunistic TLS.
  • If the Symantec.cloud Email Security Services (ESS) infrastructure receives an email from you or a third party over Opportunistic TLS, then ESS attempts to deliver the email to the recipient by using Opportunistic TLS.
  • If the recipient mail server does not support TLS, then ESS falls back to clear text delivery, otherwise it is delivered through TLS.
  • If ESS receives an email in clear text, and no TLS enforcements are configured, then ESS delivers the email to the recipient in clear text directly - no TLS is attempted.

Before proceeding

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Encryption > TLS Business Partners, and configure Business Partners to contain the third-party domains for which you want to configure enforcements.

Create business partners

To configure a new business partner

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Encryption > TLS Business Partners.
  3. Click Add New Business Partner.
  4. Enter a business name, and then click Continue.
  5. Click Add New Business Partner Domain.
    Optional: For the bulk upload of domains, use Upload New Business Partner Domains (not covered here).
  6. Enter the domain name.
    Optional: Configure the Mail Delivery setting using the Static Route setting, where applicable.
  7. Click TLS Test, and confirm that the domain is TLS capable.
    Optional: If the domain has certificate issues, you can change the Certificate validation setting to Relaxed or add Trusted Certificate Common Names to resolve the issues, based on the test results feedback.
  8. Click Save.
  9. Repeat from step 4 onward until all third-party domains for the business partner have been added.
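The TLS Test in step 7 checks whether a partner domain's mail server offers STARTTLS and whether its certificate passes the chosen Certificate validation setting. The script below is an added example, not Symantec's code and not what the console runs: it parses an EHLO reply for the STARTTLS keyword, maps the article's Strong, Relaxed and Trusted Certificate Common Names settings onto a Python `ssl.SSLContext` (how those three settings are interpreted here is an assumption, not a description of the ESS implementation), and probes a host from your own network so that you can compare the result with the console's feedback. The host names, the EHLO reply and the certificate dictionary are constructed samples.

```python
import smtplib
import ssl
from typing import Iterable, Optional


def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Parse a raw multi-line EHLO reply ("250-KEYWORD ..." lines) into a set
    of upper-cased extension keywords. The first line is the server greeting."""
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" or "250 "
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def build_tls_context(validation: str, trusted_cns: Iterable[str] = ()) -> ssl.SSLContext:
    """Assumed mapping of the console settings onto an SSLContext:
    strong  -> chain must validate against the system CA store and the name must match
    relaxed -> encrypt only; neither chain nor name is checked
    trusted_cns given -> chain must validate, but the name is matched by us
                         against the supplied list instead of the host name."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    if trusted_cns:
        ctx.check_hostname = False
    elif validation == "relaxed":
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif validation != "strong":
        raise ValueError(f"unknown validation setting: {validation!r}")
    return ctx


def cert_names(cert: dict) -> set:
    """Collect subject CN and DNS SANs from a getpeercert()-style dictionary."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def cert_matches_trusted(cert: dict, trusted_cns: Iterable[str]) -> bool:
    """True when any name in the certificate is on the trusted common-name list."""
    return bool(cert_names(cert) & {n.lower() for n in trusted_cns})


def probe_starttls(host: str, port: int = 25, validation: str = "strong",
                   trusted_cns: Iterable[str] = (), timeout: float = 10.0) -> dict:
    """Network probe (not run by the tests): EHLO, check STARTTLS, negotiate TLS
    under the chosen validation setting and report what happened."""
    result = {"host": host, "starttls_offered": False, "tls_established": False,
              "cert_accepted": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if not result["starttls_offered"]:
                return result
            smtp.starttls(context=build_tls_context(validation, trusted_cns))
            result["tls_established"] = True
            if trusted_cns:
                result["cert_accepted"] = cert_matches_trusted(smtp.sock.getpeercert(), trusted_cns)
            else:
                # strong: the handshake already verified it; relaxed: nothing was checked
                result["cert_accepted"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed sample data (hypothetical partner host, not a real system).
SAMPLE_EHLO = (b"250-mail.partner.example.invalid Hello [192.0.2.10]\r\n"
               b"250-SIZE 52428800\r\n"
               b"250-8BITMIME\r\n"
               b"250-STARTTLS\r\n"
               b"250 ENHANCEDSTATUSCODES\r\n")
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.partner.example.invalid"),),),
    "subjectAltName": (("DNS", "mx1.partner.example.invalid"),
                       ("DNS", "mail.partner.example.invalid")),
}

if __name__ == "__main__":
    print("STARTTLS offered:", "STARTTLS" in parse_ehlo_extensions(SAMPLE_EHLO))
    print("CN match:", cert_matches_trusted(SAMPLE_CERT, ["mail.partner.example.invalid"]))
    # Against a real partner MX you would run, e.g.:
    # print(probe_starttls("mail.partner.example.invalid", validation="strong"))
```

A host that passes with `validation="relaxed"` but fails with `"strong"` is exactly the case the optional note in step 7 describes; treat Relaxed as an interim setting, since it gives encryption without proof of who is on the other end.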

Configure TLS enforcements

To create a new TLS enforcement between your registered domains and third party domains

  1. Log in to the Symantec.cloud console.
  2. Navigate to Services > Encryption.
  3. Under the TLS Enforcements tab, from the table of domains, click either Default Settings or a domain name (depending on the intended enforcement configuration scope).

Note: When a new enforcement is added to Default Settings, the new enforcement applies to any domains configured to use the Default Settings.

To assign a business partner to this profile

  1. Click Add New Enforcement.
  2. Configure the following:
    • Business Partner: Select the business partner that you want to apply to this profile.
    • Encryption Policy: Only one option is available, which is set by default.
    • Direction:
      • Inbound (from the business partner's domains to you through the ESS infrastructure).
      • Outbound (from you to the business partner's domain through the ESS infrastructure).
      • Inbound and Outbound.
  3. Click Add. Repeat this process for every business partner that you want to enforce for this profile.
  4. Click Save at the bottom of the page.

Conditions regarding SMTP communications to a business partner with TLS enforcement

  • To send email to a business partner that has outbound TLS enforcement enabled, your outbound mail server must issue a STARTTLS command to the ESS server.
    • If your outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
  • After the email is processed, ESS attempts to establish a secure SMTP connection to the business partner recipient over Enforced TLS.
    • Email is not delivered when a business partner's mail server does not support TLS, or if ESS fails to authenticate the certificate that the third-party recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to you.

Conditions regarding SMTP communications from a business partner with TLS enforcement

  • To receive an email from a business partner that has Inbound TLS enforcement enabled, the business partner's outbound mail server must issue a STARTTLS command to the ESS server.
    • If the business partner's outbound mail server fails to negotiate TLS with ESS, then ESS rejects the SMTP connection.
  • After the email is processed, ESS attempts to establish a secure SMTP connection to your mail server over Enforced TLS.
    • Email is not delivered if your inbound mail server does not support TLS, or ESS fails to authenticate the certificate that your recipient mail server presents when the domain uses Strong Validation. Undelivered mail is placed in a retry queue. If the email delivery fails after the standard retry period has ended, the email is bounced back to the business partner.
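The "Things to know" list and the two "Conditions" sections above together describe a decision: at acceptance, enforced traffic that arrives without STARTTLS is rejected; at delivery, enforced traffic is queued and eventually bounced unless the next hop supports TLS and, under Strong validation, presents a trusted certificate; unenforced traffic is delivered opportunistically or in clear text depending on how it arrived. The following Python model is an added example, not Symantec's code, that encodes those rules so that you can reason about what a given enforcement profile does to a given message before you save it. The domain names, profile and hop conditions are constructed; the Symantec retry period is represented only as a list of delivery attempts.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Direction(Enum):
    INBOUND = "inbound"      # partner -> you, via ESS
    OUTBOUND = "outbound"    # you -> partner, via ESS
    BOTH = "inbound and outbound"


class Outcome(Enum):
    REJECTED = "SMTP connection rejected at ESS: STARTTLS required but not negotiated"
    DELIVERED_TLS = "delivered over TLS"
    DELIVERED_CLEAR = "delivered in clear text"
    QUEUED = "placed in retry queue"
    BOUNCED = "bounced to the sender after the retry period"


@dataclass(frozen=True)
class Enforcement:
    partner_domains: frozenset   # the domains held in one Business Partner container
    direction: Direction


@dataclass(frozen=True)
class Profile:
    registered_domains: frozenset   # your domains (or those using Default Settings)
    enforcements: tuple


@dataclass(frozen=True)
class Message:
    sender_domain: str
    recipient_domain: str
    submitted_over_tls: bool   # did the submitting server issue STARTTLS to ESS?


@dataclass(frozen=True)
class NextHop:
    supports_tls: bool
    cert_trusted: bool       # chain validates and name matches on this attempt
    strong_validation: bool  # receiving domain is configured for Strong validation


def enforcement_applies(profile: Profile, msg: Message) -> bool:
    """True when an enforcement covers this sender/recipient pair in this direction."""
    if msg.sender_domain in profile.registered_domains:
        partner, needed = msg.recipient_domain, Direction.OUTBOUND
    elif msg.recipient_domain in profile.registered_domains:
        partner, needed = msg.sender_domain, Direction.INBOUND
    else:
        return False
    return any(partner in e.partner_domains and e.direction in (needed, Direction.BOTH)
               for e in profile.enforcements)


def accept_at_ess(profile: Profile, msg: Message) -> Optional[Outcome]:
    """Acceptance phase: enforced traffic must arrive over STARTTLS. None means accepted."""
    if enforcement_applies(profile, msg) and not msg.submitted_over_tls:
        return Outcome.REJECTED
    return None


def deliver_from_ess(profile: Profile, msg: Message, hop: NextHop) -> Outcome:
    """One delivery attempt for an accepted message."""
    if enforcement_applies(profile, msg):
        if hop.supports_tls and (hop.cert_trusted or not hop.strong_validation):
            return Outcome.DELIVERED_TLS
        return Outcome.QUEUED
    if msg.submitted_over_tls:   # opportunistic TLS, clear-text fallback
        return Outcome.DELIVERED_TLS if hop.supports_tls else Outcome.DELIVERED_CLEAR
    return Outcome.DELIVERED_CLEAR   # arrived in clear, no enforcement: no TLS attempted


def route(profile: Profile, msg: Message, attempts: Sequence[NextHop]) -> Outcome:
    """End to end: acceptance, then one delivery attempt per NextHop snapshot
    (the retry period). Still queued after the last attempt means bounced."""
    rejected = accept_at_ess(profile, msg)
    if rejected:
        return rejected
    for hop in attempts:
        outcome = deliver_from_ess(profile, msg, hop)
        if outcome is not Outcome.QUEUED:
            return outcome
    return Outcome.BOUNCED


# Constructed sample profile: one partner container enforced in both directions.
PROFILE = Profile(
    registered_domains=frozenset({"ourcorp.example"}),
    enforcements=(Enforcement(frozenset({"partner.example"}), Direction.BOTH),),
)

if __name__ == "__main__":
    clear_out = Message("ourcorp.example", "partner.example", submitted_over_tls=False)
    print(route(PROFILE, clear_out, [NextHop(True, True, True)]).value)
```

Reading the model against the article: the only condition that rejects at the SMTP connection is an enforced pair arriving without STARTTLS; every other failure happens after acceptance and surfaces as a queue and then a bounce, which is where you should expect to look first when a partner reports missing mail.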