To access Advanced TLS settings:
- Log in to the Symantec.cloud management console.
- Click Services > Encryption > TLS Enforcements.
- In the Domain column, click a domain name.
- Review and manage settings under the heading Advanced TLS Settings.
Note: If this setting is not available in the console, please contact Symantec Order Services for further assistance.
Advanced TLS settings explained
- Excluded sub-domains (optional) - Exclude individual sub-domains from TLS Enforcement by entering them in the text box, one sub-domain per line (for example, subdomain.parentdomain.com). Sub-domains inherit the parent domain's TLS enforcement policy and settings by default, so any sub-domain you do not list here is enforced in the same way as the parent domain.
- Trusted Certificate Common Names (optional) - This setting applies only with Strong certificate validation. In this field, supply a list of trusted certificate common names (CN). When the receiving mail server is authenticated, each name is compared with the CN of that server's TLS certificate, and a match is accepted even though the CN does not match the host name of the server.
This feature is useful to deliver mail in the following situations:
- When you route mail to your inbound mail servers by IP address rather than by host name.
In this situation there is no host name to validate the certificate against, so a CN match is the only way for Strong validation to succeed. A better resolution is usually to change your Inbound Routes to host names rather than IP addresses. See Managing your inbound email routes and Viewing your inbound routes.
- When you deliver mail to a trusted Mailhost and neither the CN nor the SAN on the certificate matches the host name of the mail server.
This lets you work around an authentication issue with your inbound mail servers without falling back to Relaxed validation. The best practice is still to install certificates on your mail servers whose CN or SAN DNS entries match the host names of those servers, and then to remove the workaround.
- Mail Delivery - Can be set to Inbound route or Static route delivery. Email that is sent to this domain over TLS is delivered to the receiving mail server either through your domain's inbound routes or through a Static Route. A static route delivers the email to one specific server.
- Your inbound mail servers are normally configured in the inbound routes screen. Use a TLS static route only if you need to enforce TLS delivery to a particular mail server.
- TLS Static Route - The specific inbound mail server to deliver to. The static route can be a host name, an IP address, host name:port, or IP address:port. If you use an IP address here with Strong validation, there is no host name to match against the certificate, so you also need a Trusted Certificate Common Names entry for that server.
- Certificate Validation - Strong requires that the inbound mail server's certificate is within its validity period, presents a complete trust chain, and chains to a trusted root Certification Authority. In addition, the CN or SAN on the certificate must match the host name of the mail server, or the CN must appear in the Trusted Certificate Common Names list. Relaxed means that none of these certificate checks is applied: the session is still encrypted, but the identity of the receiving server is never verified.
Warning: With Relaxed validation, anyone who can redirect the connection (for example through DNS poisoning or a man-in-the-middle position) can present an arbitrary certificate, masquerade as your domain's mail server, and read or alter the mail. Use Relaxed only as a temporary workaround while you fix the certificate on the mail server.