Messaging Gateway

  • 1.  Cannot receive some emails with STARTTLS error

    Posted Jul 26, 2020 08:04 PM
    Hello,

    We are using the latest version of SMG (10.7.3-5). Recently we noticed that we are not able to receive emails from one of our vendors due to their use of TLS in mail transactions. We noticed that we have not enabled TLS encryption in our SMG and believe that we need to enable it in the HOST Configuration > SMTP > Inbound > Encryption settings. We would like guidance on the following:

    + There are 2 options to tick, but both are disabled: 1) Accept TLS encryption and 2) Request client certificate. Do we need to create a TLS certificate (self-signed in our case) in order to get those options enabled?
    + Will creating a TLS certificate and enabling Accept TLS encryption for inbound messages in SMG have any effect on receiving emails from others?
    + Will enabling Accept TLS encryption for inbound messages in SMG have any effect on outbound messages by any chance?
    + Is enabling Accept TLS encryption for inbound messages in SMG all that is required, or do we also need to make changes on our email servers?

    Please guide.
    Thanks in advance.
    K


  • 2.  RE: Cannot receive some emails with STARTTLS error
    Best Answer

    Broadcom Employee
    Posted Jul 27, 2020 11:47 AM
    To enable inbound TLS, you will need to have a certificate that is signed by a reputable certificate authority (not self-signed).

    You want to enable "Accept TLS encryption" and select the certificate but do not need to enable "Request client certificate" (this is an optional feature that most environments do not use).

    This process should not affect others sending email or have any effect on outbound email.

    No changes to the mail servers would be required.

    ------------------------------
    Strategic Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Cannot receive some emails with STARTTLS error

    Posted Jul 28, 2020 06:37 AM
    Hello Steven,

    Thanks for the receptive reply.

    Can you suggest a CA which would work without much cost? Can we use wildcard certificates?

    Thanks and regards,
    K


  • 4.  RE: Cannot receive some emails with STARTTLS error

    Broadcom Employee
    Posted Jul 28, 2020 12:24 PM
    I won't recommend a CA, you have to shop around and weigh all the factors based on your needs and priorities.

    If you really don't care about how secure or reliable the CA is, then you "could" just download the CA bundle from a Linux distribution, start walking through the certs in the bundle and buy one from the cheapest vendor; just keep in mind "you get what you pay for".


  • 5.  RE: Cannot receive some emails with STARTTLS error

    Posted Aug 05, 2020 07:57 AM
    Hello,

    Can you please guide us on whether we can use a wildcard certificate to enable inbound TLS in SMG?

    Thanks and regards,
    K


  • 6.  RE: Cannot receive some emails with STARTTLS error

    Broadcom Employee
    Posted Aug 05, 2020 12:17 PM
    You can do that, but you have to take into account whether or not the connecting MTA will recognize/honor them.



  • 7.  RE: Cannot receive some emails with STARTTLS error

    Broadcom Employee
    Posted Aug 05, 2020 03:05 PM
    To follow up, beyond the issue of the cert being recognized, and probably more important, is that there are security risks with using wildcard certs that you should be aware of. There is a pretty good article giving an overview of the risks/benefits of using wildcard certs at https://www.packetlabs.net/wildcard-certificates/
    (not an endorsement of packetlabs, but the content seems appropriate for your question)




  • 9.  RE: Cannot receive some emails with STARTTLS error
    Best Answer

    Broadcom Employee
    Posted Aug 05, 2020 09:18 PM
    Yes, you can use a wildcard certificate in the Messaging Gateway. You will need both the certificate and the private key and they will need to be in the proper format before they can be imported into the Messaging Gateway. The following article provides the necessary details:

    Install Certificate Authority signed certificates without a generated Certificate Signing Request


    ------------------------------
    Strategic Support Engineer
    * Integrated Cyber Defense Exchange
    * Messaging
    Symantec Enterprise Division
    Broadcom Inc.
    ------------------------------
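Two practical checks follow from this thread: the support reply in post 2 (inbound TLS needs a CA-signed certificate that the sending MTA can verify) and posts 6 and 7 (a wildcard certificate only helps if the connecting MTA honours it). The script below is an added example written for this page; it is not code from the original posts, from Broadcom or from the Messaging Gateway product. It parses a constructed EHLO reply to confirm STARTTLS is advertised, applies the usual wildcard matching rules (the wildcard must be the entire leftmost label and matches exactly one label, so `*.example.net` covers `mail.example.net` but not `mx1.mail.example.net` or `example.net`) to the `subjectAltName` structure that Python's `ssl` returns, and wraps the same checks into a live probe against a real gateway. The host names, the EHLO reply and the certificate dictionary are constructed sample data, and the live probe is only run when you call it yourself.

```python
"""Check that an inbound MTA advertises STARTTLS and presents a certificate
a strict sender would accept. Added example for this thread; sample data below
is constructed, not captured from any real gateway."""
import smtplib
import ssl

# Constructed EHLO reply, as a gateway with inbound TLS enabled would send it.
SAMPLE_EHLO = (b"250-mail.example.net Hello sender.example.org\r\n"
               b"250-SIZE 52428800\r\n"
               b"250-STARTTLS\r\n"
               b"250 8BITMIME\r\n")

# Constructed certificate in the shape ssl.SSLSocket.getpeercert() returns,
# for a wildcard cert that also lists the bare domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
}


def parse_ehlo(reply: bytes) -> set:
    """Return the extension keywords from a raw multi-line 250 EHLO reply.

    Lines look like '250-KEYWORD params' (more follow) or '250 KEYWORD'
    (last line). The first line is the greeting and carries no extension.
    """
    lines = reply.decode("ascii", "replace").splitlines()
    keywords = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def _name_matches(presented: str, hostname: str) -> bool:
    """Match one presented dNSName (possibly a wildcard) against hostname."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # Accept only '*.domain.tld'-style names: the wildcard is the whole
    # leftmost label, there are at least two more labels, and no other
    # label contains a wildcard. Partial wildcards like 'm*.example.net'
    # and top-level wildcards like '*.net' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard matches exactly one non-empty label, never a subdomain tree.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, peercert: dict) -> bool:
    """True if hostname matches any dNSName SAN of a getpeercert() dict.

    Only subjectAltName DNS entries are consulted; modern MTAs and TLS
    libraries no longer fall back to the subject commonName.
    """
    sans = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(san, hostname) for san in sans)


def check_inbound_starttls(host: str, port: int = 25, cafile: str = None) -> dict:
    """Live probe: connect, confirm STARTTLS is offered, negotiate TLS with
    chain and hostname verification, and report the presented DNS names.

    Raises ssl.SSLCertVerificationError (self-signed or wrong-name cert) or
    an smtplib exception, which is what a strict sending MTA sees as well.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False}
        smtp.starttls(context=ctx)  # verifies chain and hostname against host
        smtp.ehlo()                 # extensions must be re-read after STARTTLS
        cert = smtp.sock.getpeercert()
        return {
            "host": host,
            "starttls": True,
            "tls_version": smtp.sock.version(),
            "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
            "hostname_ok": hostname_matches(host, cert),
        }


if __name__ == "__main__":
    print("EHLO extensions:", sorted(parse_ehlo(SAMPLE_EHLO)))
    for name in ("mail.example.net", "example.net", "mx1.mail.example.net"):
        print(f"{name:24} matches *.example.net cert: {hostname_matches(name, SAMPLE_CERT)}")
    # Live check against your own gateway, e.g.:
    # print(check_inbound_starttls("mx.yourdomain.example"))
```

Run the live probe from outside your network against the public MX name; a `CERTIFICATE_VERIFY_FAILED` error reproduces what the vendor's MTA is rejecting, while a missing `STARTTLS` keyword means the Accept TLS encryption option has not taken effect yet.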