Hi Zain.
The first post to your thread is less than accurate:
DLP DOES have the ability to use CA certs in TLS for Email Prevent.
The main problem with what you've described is this:
I know that we have to generate self-signed certificates using keytool on Symantec, Export it and import that certificate on downstream MTA. And import the upstream MTAs certificate to NP for Email Servers.
It's just the opposite actually:
- You must import the Cert (Public key) from every downstream MTA into the Email Prevent keystore.
- If required, you would export the Cert (Public Key) from Email Prevent and import that to your upstream MTA - however, in our experience, almost no MTA requires TLS to be authenticated against a stored certificate.
So, the process if you want to import a Cert into Email Prevent is outlined in the MTA Integration Guide, starting on p. 26:
Symantec™ Data Loss Prevention MTA Integration Guide for Network Prevent for Email (broadcom.com)
If you have further questions or need assistance, I think you should open a case with Technical support.
Warm regards,
Stephen
------------------------------
Global Support Lead, DLP
Broadcom, Symantec Enterprise Division
------------------------------
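The two trust relationships Stephen describes (downstream MTA cert into the Email Prevent keystore; Email Prevent cert out to an upstream MTA that wants it), combined with Zain's CA-issued instead of self-signed variant, as an added keytool walkthrough. This is example code written for this thread, not from the original posts, from Broadcom's MTA Integration Guide or from the DLP product. It assumes a PKCS12 keystore named prevent.p12, the aliases email_prevent, ca_root and downstream_mta, a placeholder password and a throwaway internal CA standing in for the real one so that everything runs offline; the real keystore path, type and alias conventions come from the Integration Guide.

```shell
#!/bin/sh
# Added example for the Email Prevent TLS thread; not Broadcom's code.
# Assumed: PKCS12 keystore prevent.p12, placeholder password, toy CA.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # placeholder; never ship this value

# keytool wrapper: one keystore, one password, PKCS12 throughout.
kt() {
  ks="$1"; shift
  keytool "$@" -keystore "$ks" -storetype PKCS12 -storepass "$STOREPASS"
}

# 1. Throwaway internal CA that stands in for the real CA in this demo.
make_toy_ca() {
  kt "$1/ca.p12" -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=Example Internal CA" -ext bc=ca:true -keypass "$STOREPASS"
  kt "$1/ca.p12" -exportcert -alias ca -rfc -file "$1/ca.crt"
}

# 2. Email Prevent side: key pair plus a CSR. This replaces the self-signed
#    certificate step; the private key never leaves prevent.p12.
make_prevent_csr() {
  kt "$1/prevent.p12" -genkeypair -alias email_prevent -keyalg RSA -keysize 2048 \
     -validity 825 -dname "CN=$2" -ext "san=dns:$2" -keypass "$STOREPASS"
  kt "$1/prevent.p12" -certreq -alias email_prevent -file "$1/prevent.csr"
}

# 3. The CA signs the CSR. In production you submit prevent.csr to your CA
#    and get the signed certificate and chain back.
ca_sign_csr() {
  kt "$1/ca.p12" -gencert -alias ca -infile "$1/prevent.csr" \
     -outfile "$1/prevent_signed.crt" -rfc -validity 825 -ext "san=dns:$2"
}

# 4. Install the CA chain first, then the signed reply. Order matters: if the
#    issuer is not already trusted in the keystore, the reply import fails
#    with "Failed to establish chain from reply".
install_ca_reply() {
  kt "$1/prevent.p12" -importcert -alias ca_root -file "$1/ca.crt" -noprompt
  kt "$1/prevent.p12" -importcert -alias email_prevent \
     -file "$1/prevent_signed.crt" -noprompt -keypass "$STOREPASS"
}

# 5. Trust the downstream MTA: import its certificate (public key only). In
#    production fetch it with `openssl s_client -starttls smtp -connect mta:25
#    -showcerts`; here a self-signed MTA cert is generated to stay offline.
trust_downstream_mta() {
  kt "$1/mta.p12" -genkeypair -alias mta -keyalg RSA -keysize 2048 -validity 825 \
     -dname "CN=$2" -ext "san=dns:$2" -keypass "$STOREPASS"
  kt "$1/mta.p12" -exportcert -alias mta -rfc -file "$1/downstream_mta.crt"
  kt "$1/prevent.p12" -importcert -alias downstream_mta \
     -file "$1/downstream_mta.crt" -noprompt
}

# 6. Export Email Prevent's (now CA-signed) certificate for an upstream MTA
#    that insists on validating against a stored certificate.
export_prevent_cert() {
  kt "$1/prevent.p12" -exportcert -alias email_prevent -rfc -file "$1/email_prevent.crt"
}

# Alias of every entry in a keystore, one per line.
list_aliases() {
  kt "$1" -list | grep -E 'PrivateKeyEntry|trustedCertEntry' | cut -d, -f1
}

# Issuer DN of a PEM certificate as keytool reports it.
cert_issuer() {
  keytool -printcert -file "$1" | sed -n 's/^Issuer: //p' | head -n 1
}

demo() {
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; install a JDK to run this demo" >&2
    return 0
  fi
  WORK=$(mktemp -d)
  make_toy_ca "$WORK"
  make_prevent_csr "$WORK" prevent.example.com
  ca_sign_csr "$WORK" prevent.example.com
  install_ca_reply "$WORK"
  trust_downstream_mta "$WORK" mta-downstream.example.com
  export_prevent_cert "$WORK"
  echo "Email Prevent keystore entries:"; list_aliases "$WORK/prevent.p12"
  echo "Exported cert issuer: $(cert_issuer "$WORK/email_prevent.crt")"
  echo "Artifacts left in $WORK (delete when done)"
}

demo
```

The keystore ends up with the private key under email_prevent (chain now CA-issued), the CA as ca_root, and the downstream MTA's public certificate as downstream_mta; only email_prevent.crt, never the keystore or its key, goes to the upstream MTA. Steps 1 and 3 exist only to keep the demo offline; with a real CA you run steps 2, 4, 5 and 6 against the DLP keystore named in the Integration Guide. Check `keytool -printcert -file prevent_signed.crt` before importing the reply: its SAN must match the hostname the MTAs connect to, or TLS negotiation with a validating peer will fail even though the import succeeds.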
Original Message:
Sent: 02-22-2021 07:17 AM
From: Zain Barlas
Subject: Network Prevent for Email TLS encryption
Hello,
We use TLS for our email communication. We have enabled TLS on Symantec NP for Email servers. We have configured NP for Email for forwarding mode.
I know that we have to generate self-signed certificates using keytool on Symantec, Export it and import that certificate on downstream MTA. And import the upstream MTAs certificate to NP for Email Servers.
What if we do not want to use a self-signed certificate and want to use a CA?
What is the procedure then?