TLS required only from one domain

Unanswered Question
Oct 30th, 2009

Hi,

this is the case:

I have multiple domains configured on IronPort, and now only one of these domains needs to use TLS when sending email:
mail from test.dom to example.dom needs to use TLS, but other domains, e.g. test1.dom, should send mail to example.dom without TLS.

Has anybody configured something like this?

Andrew Wurster Fri, 10/30/2009 - 21:25

thanks for the question.

1) find out what IP or host addresses the remote domain uses to source their mail deliveries
2) create a new sender group in your HAT to hold these addresses
3) assign this new sender group a new mail flow policy that has TLS set to 'required' or 'preferred' depending on your needs

best of luck

thanks!

andrew

jannestill Sat, 10/31/2009 - 10:15

Thank you. I'm a beginner with these appliances so everything is new to me :)
I got more information from our customer how they want it to work:

test.dom should have TLS required only to one address (example.com) and to all other addresses TLS preferred and at the same time test1.dom and all our other domains should send mail to example.com without TLS or TLS preferred.

Is this possible? If I understood correctly I can set mails sent to example.com required to use TLS but then this setting applies to all my sending domains. Is there a way to set "require TLS" from one domain to one domain only? (my colleague said something about configuring virtual gateways?)
Andrew Wurster Mon, 11/02/2009 - 15:32

i believe we are not understanding each other correctly.

your destination controls table (mail policies > destination controls) works for outbound deliveries and host access table / mail flow policies (mail policies > HAT overview) work with inbound injections separately.

each one has a table with more specific entries at the top, and less specific or default characteristics applied at the bottom. things are always evaluated in a top-down manner, so if there is one destination that should use TLS, then add a specific entry in each table for that domain and set the TLS options accordingly. these are typically used for ALL of your internal (locally-administered) domains.

yes, you can use virtual gateways to separate out internal domains for higher levels of delivery control. this involves using the 'altsrchost' command and multiple IP interfaces. read about that feature here:
http://tinyurl.com/23vuj5

and refer to the AsyncOS advanced user guide section "Using Virtual Gateway™ Technology" to understand its flow and configuration.

take care,

andrew

jannestill Tue, 11/03/2009 - 06:33

Hi,
thank you for your answer. I contacted customer support and they said:
you only can set destination controls on a global basis, not sender based, but there is an existing feature request on this.
