Transport Layer Security

Related topics:

Configuring TLS for a connection or route

Configuring TLS on your connections

Configuring third-party TLS connections

Testing an outbound connection

When TLS fails

TLS provides a transport layer encrypted "tunnel" between email servers or mail transfer agents (MTAs).

By default, Forcepoint Email Security Cloud always attempts to deliver or receive email using opportunistic TLS if the sending or receiving MTA supports it. With opportunistic TLS, if a connection attempt is made using the TLS protocol, the connection recipient must provide appropriate TLS credentials for an encrypted data transfer. If the TLS "handshake" fails, the data transfer is made via plain text, rather than encrypted text. In either case, the data transfer is successfully accomplished.

Alternatively, you can enforce TLS connections. There are 2 stages to configuring mandatory TLS:

Add security settings to the connections between your mail transfer agent (MTA) and the Forcepoint Email Security Cloud relays. See Configuring TLS on your connections.

Add routes to the third-party MTAs with whom you want to communicate using TLS and add security settings to these.

When the conditions within the TLS policy are not met, Forcepoint Email Security Cloud does not deliver the email.

See this article for a full list of trusted certificate authorities supported by Forcepoint Email Security Cloud.


	Note Forcepoint Email Security Cloud can enforce TLS only on the immediate next SMTP hop. Situations may exist where Forcepoint Email Security Cloud does not deliver directly to recipients (e.g., they may be using a service similar to Forcepoint Email Security Cloud). In such situations, it is your responsibility to ensure that all intermediate SMTP hops support TLS. If this is outside of your control, we recommend you use the Forcepoint Email Security Cloud standard or advanced encryption functionality to provide secure delivery.