Data Loss Prevention

  • 1.  Network Prevent for Email TLS encryption

    Posted Feb 22, 2021 07:17 AM
    Hello,

    We use TLS for our email communication. We have enabled TLS on the Symantec NP for Email servers. We have configured NP for Email in forwarding mode.
    I know that we have to generate self-signed certificates using keytool on Symantec, export it and import that certificate on the downstream MTA, and import the upstream MTA's certificate to the NP for Email servers.
    What if we do not want to use a self-signed certificate and want to use a CA?
    What is the procedure then?


  • 2.  RE: Network Prevent for Email TLS encryption

    Posted Feb 23, 2021 09:59 AM
    CA certificates cannot be used for Symantec DLP servers' communication, as it doesn't have a full certificate management system (cannot manage expired certs, etc.). However, for communications from DLP servers to outside servers (LDAP, SMTP, AD, etc.), it should be fine to use any other certificates; make sure you understand what a truststore and a keystore are, that you have to replace certificates when they expire, etc. All servers, MTAs and NP for Email should have everybody's certificates in order to pass/transfer emails through them.

    Good luck, and for questions related to certificates (create, import, export, etc.), your CA certificate team should know better how to handle them.
    A.C.


  • 3.  RE: Network Prevent for Email TLS encryption

    Posted Feb 24, 2021 07:17 AM
    Hello Zain,

    For outbound emails, you need to import the certificate into the certificate store of the NP-for-Email server to communicate with the outside world.
    There might already be public certs in the keystore which can be used to communicate with the outside world, but some companies accept only their own one.
    For example: inside company ( Symantec DLP NPForEmail server ---> .. maybe Exchange .. ) -----------outbound email ----------> ( MIMECAST or other email provider.... Proofpoint is quite good in email and DLP ) ..... now the company ( let's say Mimecast ) provides you with a cert and you just import this into your NPForEmail keystore.

    That being said.. one problem: .. some companies are using an intermediate cert as well; then you have to import both the root CA and the intermediate one.
    I have seen problems caused by Mimecast where the cert requirements were changed and then the outbound email flow was stopped; then you have to be quick to import the new Mimecast (or other vendor) cert.

    To make it short: No, you do NOT necessarily need a self-signed cert for outbound email communication. If a vendor has its own one, then you have to ask them to provide it to you and you import it into DLP. We have done this several times and it has always worked.

    Best Regards and good luck with the implementation
    Thomas Eisbein


  • 4.  RE: Network Prevent for Email TLS encryption

    Broadcom Employee
    Posted Feb 25, 2021 02:23 PM
    Hi Zain.

    The first post to your thread is less than accurate:
    DLP DOES have the ability to use CA certs in TLS for Email Prevent.

    The main problem with what you've described is this:
    I know that we have to generate self-signed certificates using keytool on Symantec, Export it and import that certificate on downstream MTA. And import the upstream MTAs certificate to NP for Email Servers.
    It's just the opposite actually:

    1. You must import the Cert (Public Key) from every downstream MTA into the Email Prevent keystore.
    2. If required, you would export the Cert (Public Key) from Email Prevent and import that to your upstream MTA - however, in our experience, almost no MTA requires TLS to be authenticated against a stored certificate.


    So, the process if you want to import a Cert into Email Prevent is outlined in the MTA Integration Guide, starting on p. 26:

    Symantec™ Data Loss Prevention MTA Integration Guide for Network Prevent for Email (broadcom.com)

    If you have further questions or need assistance, I think you should open a case with Technical support.

    Warm regards,
    Stephen



    ------------------------------
    Global Support Lead, DLP
    Broadcom, Symantec Enterprise Division
    ------------------------------
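As an added example (not from the thread, and not Symantec/Broadcom code), the keystore procedure from replies 3 and 4 as a small POSIX shell helper: it imports a vendor's chain (root CA plus intermediate, as Thomas describes) into a Java truststore with keytool under separate aliases, lists what is trusted, and flags entries that expire soon. The truststore path, password and alias prefix are placeholders you supply; the real Email Prevent keystore location is in the MTA Integration Guide.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Symantec/Broadcom docs.
# Placeholders: the truststore path, password and alias prefix are whatever
# your Email Prevent server actually uses (see the MTA Integration Guide).
set -eu

# Import each certificate of a vendor chain (root CA, intermediate CA, leaf)
# under its own alias, so a chain that includes an intermediate is trusted
# in full. A stale entry with the same alias is replaced, which is what a
# vendor rotation like the Mimecast case above needs.
#   usage: import_chain <truststore> <storepass> <alias-prefix> <cert.pem>...
#   prints the number of certificates imported
import_chain() {
    store=$1; pass=$2; prefix=$3; shift 3
    n=0
    for cert in "$@"; do
        n=$((n + 1))
        alias="$prefix-$n"
        keytool -delete -keystore "$store" -storepass "$pass" \
            -alias "$alias" >/dev/null 2>&1 || true
        keytool -importcert -noprompt -keystore "$store" -storepass "$pass" \
            -alias "$alias" -file "$cert" >/dev/null 2>&1
    done
    echo "$n"
}

# Print the trusted-certificate aliases in a truststore, one per line.
#   usage: list_aliases <truststore> <storepass>
list_aliases() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | awk -F, '/trustedCertEntry/ { print $1 }'
}

# Print the aliases whose certificate expires within N days (default 30),
# so the renewed vendor cert is imported before outbound mail stops.
# Uses openssl for the date check; keytool itself has no such option.
#   usage: expiring_soon <truststore> <storepass> [days]
expiring_soon() {
    store=$1; pass=$2; secs=$(( ${3:-30} * 86400 ))
    list_aliases "$store" "$pass" | while read -r a; do
        keytool -exportcert -rfc -keystore "$store" -storepass "$pass" \
            -alias "$a" 2>/dev/null \
            | openssl x509 -noout -checkend "$secs" >/dev/null 2>&1 || echo "$a"
    done
}
```

Run `expiring_soon` from a scheduled job against the Email Prevent truststore and you get an early warning instead of a stopped mail flow.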