Configuring third-party TLS connections

Related topics:

Configuring TLS for a connection or route

Configuring TLS on your connections

Testing an outbound connection

When TLS fails

You must add the connections to and from the businesses with whom you wish to communicate using TLS. To do so:

Select the Encryption tab.

Click Add in the Secure Transport section.

In the Domain/Server field, enter the IP address or fully qualified domain name of the business with whom you are establishing connection. For outbound connections, enter the recipient's domain. For inbound connections, enter a server name or IP address. Do not specify a server that is part of your MX records.

Click Check SMTP Connectivity to confirm that you can connect to the domain name or IP address.

Select a direction for the connection: Inbound or Outbound.

Select a security level:


Security Level	Description
Unenforced	Forcepoint Email Security Cloud does not attempt to use TLS for this connection.
Encrypt	Delivery of a message fails (inbound or outbound) if the MTA with which it is communicating cannot use TLS to force an encrypted connection at the encryption strength configured for this connection or route. No certificate is required.
Encrypt + CN	As Encrypt but a certificate must also be presented on which the common name matches the MTA with which Forcepoint Email Security Cloud is communicating.
Verify	As Encrypt but the certificate must be from a trusted certificate authority (CA).
Verify + CN	As Encrypt + CN but the certificate presented must be from a trusted CA.

We recommend that you use Verify + CN, but you may opt to use Encrypt + CN if you want to use a self-signed certificate rather than paying for use of one from a CA. This may be acceptable for the connections between your MTA and Forcepoint Email Security Cloud.

Select a encryption strength:


Encryption Strength	Description
128	An encryption algorithm that supports a 128 bit key must be negotiated between Forcepoint Email Security Cloud and the MTA with which it is communicating.
256	An encryption algorithm that supports a 256 bit key must be negotiated between Forcepoint Email Security Cloud and the MTA with which it is communicating.


	Note You must ensure that the MTA supports the policy configured for its connections (certificate and encryption strength) and it must support an algorithm also supported by Forcepoint Email Security Cloud.

To enable the connection for TLS immediately, check Enabled.

Click Save

For outbound connections, we recommend that you check the TLS status of the server before enabling it. If you route mail to domains that do not support TLS, it will result in the non-delivery of your messages. For more information, see Testing an outbound connection.

The companies with whom you want to communicate using TLS must ensure that their MTAs support one of the encryption algorithms supported by Forcepoint Email Security Cloud and the encryption strength that you configure in the policy. They must also be able to present a certificate appropriate to the policy that you configure.


	Note The third-party MTA must support the required configuration on the inbound and outbound connections or email delivery fails.