TLS will work with the self-signed certificate that comes pre-installed on your ESA. You may also import a new certificate and configure TLS to use the specific certificate.
Documentation below will describe how to enforce TLS as "Preferred" or "Required" using the Destination Controls feature (GUI>Mail Policies>Destination Controls).
You can configure the TLS (Transport Layer Security) on a per-domain basis. If the “Required” setting is specified, a TLS connection will be negotiated from the appliance listener to MTA(s) for the domain. If the negotiation fails, no email will be sent through the connection.
Example:
Changing the Destination Controls "Default" TLS setting to TLS "Preferred" means that the ESA will attempt delivery and if TLS fails the message will attempt to be sent in "plain text" Once you make the change, don't forget to submit and commit changes.
What if TLS Fails?
You can specify whether the appliance sends an alert if the TLS negotiation fails when delivering messages to a domain that requires a TLS connection. The alert message contains name of the destination domain for the failed TLS negotiation. The appliance sends the alert message to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert recipients via the System Administration > Alerts page in the GUI (or via the alertconfig command in the CLI).
To enable TLS connection alerts, click Edit Global Settings on the Destination Controls page or destconfig -> setup subcommand. This is a global setting, not a per-domain setting. For information on the messages that the appliance attempted to deliver, use the Monitor > Message Tracking page or the mail logs.
You must specify a certificate to use for all outgoing TLS connections. Use the Edit Global Settings on the Destination Controls page or destconfig -> setup subcommand to specify the certificate
