How to configure TLS in the MEG 7.x Appliance

 

Environment

McAfee Email Gateway 7.x

 

Summary

McAfee Email Gateway (MEG) 7 offers several encryption options: TLS, S/MIME, PGP, and Secure Mail Delivery. The Appliance can be set up to detect sensitive data in a message and, if that data is allowed to leave the organization at all, to require that it be delivered encrypted.

 

TLS (Transport Layer Security) is the standardized successor to SSL (Secure Sockets Layer) 3.0, and the two names are often used interchangeably; it is the same protocol that protects HTTPS sessions. TLS is transport-layer encryption: the message itself is not encrypted, only the connection carrying it between one mail server and the next. The message is therefore in clear text on each server it passes through, and any hop beyond the Appliance is protected only if that hop also uses TLS.

 

Solution 1

Configuring TLS on the MEG 7.x Appliance via the Appliance Dashboard:

 

    Load encryption keys into the Appliance (see Related Information for instructions). 

    Configure the Appliance to perform TLS.

 

In MEG 7.x, the Appliance can be configured to perform TLS either according to the source or destination server, or as a result of policy. By default, the Appliance offers the STARTTLS verb to any connecting host that sends EHLO and, when connecting outbound, uses STARTTLS whenever the remote host advertises it. This default is opportunistic: if the peer does not advertise STARTTLS, or an intermediary strips it from the EHLO response, the session simply continues in clear text. Only the Always setting described below enforces encryption for a given peer.

 

To set up TLS Encryption based on source or destination:

 

For a Source address (inbound mail):

 

    Open the Appliance Dashboard.

    Select Email, Encryption, TLS.

    Under When receiving email (gateway is acting as a server), click Add Domain.

    Enter the hostname (for example host.domain.com) or network address (for example 172.27.1.1/32) of any server to which you want to offer or disallow TLS.

 

    NOTE: In MEG 7, the connecting server must be identified by hostname or IP address. A hostname entry takes effect only if Email, Email Configuration, Lookup Reverse DNS is selected, because the entry is matched against the reverse DNS result for the connecting IP address.

    If a domain name is to be used, enter it as a wildcard host entry (*.domain.com); any other form will not match. The entry takes effect only if the reverse DNS lookup for the connecting IP address returns a name within that domain.

    For example, to require TLS from gmail.com, either identify the source IP address of the sending server in question or enter *.1e100.net (the domain that Google's sending servers resolve to in reverse DNS) as the sending server, not *.gmail.com.

 

    Under Use TLS, select the appropriate option:

        Never - The Appliance will never offer the STARTTLS verb to the connecting server.

        When Available - The Appliance will offer the STARTTLS verb and will negotiate TLS if the connecting server issues it, but will still accept mail in clear text if it does not.

        Always - The Appliance will offer the STARTTLS verb and will not continue the session with the sending server unless a TLS session is established.

        NOTE: Advanced TLS settings are listed in the Related Information section. However, McAfee recommends that you do not change or modify these settings.

 

    Select whether to authenticate the client. Enabling this option requires the sending server to present its own certificate (mutual TLS) to prove its identity. Most Internet mail servers do not present a client certificate, so this is normally used only with specific partner servers.

    Select the certificate to use for the domain in question.

    Move the entry up or down in the list, as necessary.

    NOTE: The default entry for the wildcard (*) domain, which uses TLS when available, must be the final entry in the list. Entries are evaluated in order, so if the wildcard entry is placed higher, it will match every domain and make all rules below it irrelevant.

    Click OK and Apply changes as required.

 

 

For a Destination Address (outbound mail):

 

    Open the Appliance Dashboard.

    Select Email, Encryption, TLS.

    Under When sending email (gateway is acting as a client), click Add Domain.

    Enter the hostname (for example host.domain.com) or network address (for example 172.27.1.1/32) of any server for which you want to request TLS when connecting.

    NOTE: The same hostname and reverse DNS requirements apply for sending mail as are explained in the NOTE under For a Source address (inbound mail) above.

 

    Under Use TLS, select the appropriate option:

        Never - The Appliance will not issue the STARTTLS verb when connecting to this server, even if the server advertises it.

        When Available - The Appliance will issue STARTTLS if the destination server advertises it in its EHLO response, and will deliver in clear text if it does not.

        Always - The Appliance will not communicate with (and so will not deliver to) the destination server unless a TLS session is established.

        NOTE: Advanced TLS settings are listed in the Related Information section. However, McAfee recommends that you do not change or modify these settings.

 

    Select whether the Appliance should authenticate itself (present a client certificate) if the destination server requests one.

    If When requested was selected, select the certificate the Appliance should use to authenticate itself under Client Certificate.

    Select whether the destination server's certificate must match the hostname to which the Appliance is connected (for normal delivery this is the MX host name resolved for the recipient domain):

        Never - The Appliance ignores a mismatch between the certificate and the hostname.

        Always - The Appliance will drop the connection if the certificate does not match.

        NOTE: With Never, a TLS session still protects the traffic from passive eavesdropping, but it does not confirm which server the Appliance is talking to, because a certificate issued for any other name is accepted. To guarantee that mail for a partner is delivered only to that partner's servers, combine Use TLS set to Always with hostname matching set to Always.

    Move the entry up or down in the list, as necessary.

    NOTE: The wildcard (*) entry must be the final entry in the list.

 

    Click OK and Apply changes as required.
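The following added example, written for this page rather than taken from McAfee, shows from the outside what the Appliance sees when it acts as a client: it parses the EHLO reply for STARTTLS (the When Available versus Always distinction) and applies the hostname-matching rule to the peer's certificate, including the single-label behaviour of a wildcard name. It uses only the Python standard library. The host name mx1.example.com, the sample EHLO replies and the sample certificate dictionary are constructed placeholders, and the probe() function needs network access to a real mail server.

```python
"""Probe an SMTP peer for STARTTLS and check its certificate against the
hostname, mirroring the client-side choices above (Use TLS, hostname match).

Added example for this page; not McAfee code and it does not talk to the
Appliance. Standard library only. The sample EHLO replies and the sample
certificate below are constructed for illustration, not captured data.
"""
import smtplib
import ssl

# Constructed EHLO reply bodies in the shape smtplib.SMTP.ehlo() returns
# (first line is the server's name, remaining lines are advertised keywords).
SAMPLE_EHLO_OFFERING = b"mx1.example.net\nPIPELINING\nSIZE 52428800\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_PLAIN = b"mx1.example.net\nPIPELINING\nSIZE 52428800\n8BITMIME"

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.example.com"),),),
    "subjectAltName": (("DNS", "mx1.example.com"), ("DNS", "*.example.com")),
}


def parse_ehlo(ehlo_msg: bytes) -> set:
    """Return the upper-cased EHLO keywords a server advertised."""
    lines = ehlo_msg.decode("latin-1").split("\n")[1:]  # drop the server-name line
    return {line.split()[0].upper() for line in lines if line.strip()}


def dns_names_from_cert(cert: dict) -> list:
    """DNS names from subjectAltName, falling back to the subject CN if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(hostname: str, cert_names) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard allowed only as the whole
    leftmost label, and a wildcard matches exactly one label (so *.example.com
    matches mx1.example.com but not mx1.eu.example.com or example.com itself)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0]:
            return True
        if labels[0] == "*" and len(labels) >= 3:   # refuse overly broad wildcards like *.com
            return True
    return False


def probe(host: str, port: int = 25, require_tls: bool = False,
          require_hostname_match: bool = True, timeout: float = 10.0) -> dict:
    """Connect as a client the way the Appliance does when sending.

    require_tls=True behaves like Use TLS = Always; require_hostname_match=True
    behaves like hostname matching = Always. The certificate chain is always
    validated against the system CA store (CERT_REQUIRED).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # matching is done below so the rule is visible
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        caps = parse_ehlo(msg)
        if "STARTTLS" not in caps:
            if require_tls:
                raise RuntimeError(f"{host} does not advertise STARTTLS; refusing clear-text delivery")
            return {"tls": False, "capabilities": sorted(caps)}
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        names = dns_names_from_cert(cert)
        matched = hostname_matches(host, names)
        if require_hostname_match and not matched:
            raise ssl.SSLCertVerificationError(f"certificate names {names} do not cover {host}")
        cipher_name, protocol, bits = smtp.sock.cipher()
        return {"tls": True, "protocol": protocol, "cipher": cipher_name, "bits": bits,
                "cert_names": names, "hostname_match": matched}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx1.example.com"  # assumed placeholder host
    print(probe(target, require_tls=True))
```

Run it against a partner's MX host (for example `python probe.py mx.partner.example`) before switching that partner's entry to Always: a RuntimeError means the peer does not offer STARTTLS at all, and an SSLCertVerificationError means its certificate would fail the hostname check, so an Always entry would block delivery.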

 

Solution 2

Configuring TLS on the MEG 7.x Appliance via an ePO server:

 

NOTE:

 

    Perform these steps before setting the Appliance to accept configuration from the ePO server.

    The following instructions are specific to ePO 4.5, but are similar for all versions of ePO:

 

    Load the encryption keys into each ePO managed Appliance: 

        Open the Appliance Dashboard.

        Select System, Appliance Management, Email Gateway Certificate and populate the fields with the appropriate data. 

        Click Apply changes.

        Once the changes have been applied, click the link displayed to Generate Certificate Signing Request.

        Provide the CSR to your CA of choice.

        Once the CA provides the signed certificate, select System, Appliance Management, Email Gateway Certificate and click Import.

        Click Browse and select the certificate file.

        Enter the passphrase if required.

        NOTE: This is usually not required unless the CSR was generated outside the Appliance.

 

        Click OK.

 

        Once the Appliance Dashboard is displayed:

            Log in to the Dashboard.

            Select Email, Certificate Management, Certificates, TLS Certificates and Keys.

            Verify that the certificate data on the Default Email Gateway Certificate matches what was loaded into the Dashboard and that the icon next to the certificate is green with no yellow triangle present.

            If the triangle is present, the certificate cannot be validated to a trusted root: load the appropriate CA certificates (the root and any intermediates) under the CA Certificates link on this page.

            Click OK and Apply changes as required.

 

    Configure the Appliance to perform TLS (perform these steps in ePO).

        Open the ePO manager.

        Select Menu, Policy, Policy Catalog.

        For Product, select McAfee Email Gateway 7.0.

        Under Category, select 07 - Encryption.

        On your policy for the Appliance, click Edit Settings. This displays the MEG 7 Dashboard.

        Click the TLS tab.

        For each specific domain, set the appropriate settings and select the Default Email Gateway certificate to be used.

        Appropriate settings vary from domain to domain; however, it is usually appropriate to end each list with a catch-all entry:

            Domain set to *

            Use TLS set to When Available

            For the receiving list, Authenticate Client set to No

            For the sending list, Authenticate self set to When Requested

 

        Click Save.

 

    On each managed Appliance:

        Select System, Component Management, ePO.

        Select Allow configuration to be applied from ePO.

        Click OK and Apply Changes as required.

 

Your Appliance will now be managed by the ePO server for the purpose of applying policy, but the TLS certificate for each Appliance remains individual and CA-signed.

Related Information

Advanced TLS Settings - Cipher Strength:

 

    Allow only strong ciphers (128-bit or greater)

    This option allows only ciphers with a key length of at least 128 bits to be used for encryption. Key length alone does not make a cipher suite modern: RC4, for example, uses a 128-bit key but is prohibited for TLS by RFC 7465.

    Allow all cipher strengths

    This option allows ciphers of any strength to be accepted.

    Allow no encryption (not recommended)

    This option is available only if Allow All Cipher Strengths is selected.

    NOTE: McAfee recommends not selecting this option because it allows NULL ciphers, which authenticate the peer but do not encrypt the traffic, thus defeating the purpose of TLS.

    Allow anonymous key exchange

    This option allows the use of ciphers that do not provide authentication features (anonymous Diffie-Hellman key exchange).

    NOTE: McAfee recommends not selecting this option because the identity of the remote server cannot be verified, which leaves the session open to an active man-in-the-middle even though the traffic is encrypted.
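As an added illustration (not McAfee code), the block below expresses the settings above as OpenSSL cipher-list strings and audits what each resulting context would accept. The cipher strings are an assumed equivalent, since the KB does not state what the Appliance uses internally; the script uses only the Python standard library and runs against whatever OpenSSL is installed, so the exact suites it lists vary by system.

```python
"""Express the Appliance's cipher-strength options as OpenSSL cipher strings
and audit what each one really admits.

Added example for this page; not McAfee code. The mapping below is an
assumption (the KB does not say which cipher strings the Appliance uses
internally). Standard library only.
"""
import ssl

# Assumed equivalents of the Advanced TLS Settings above.
STRONG_ONLY = "HIGH:!aNULL:!eNULL"                      # Allow only strong ciphers (128-bit or greater)
ALL_STRENGTHS = "ALL:!aNULL:!eNULL"                     # Allow all cipher strengths
ALL_PLUS_NULL = "ALL:eNULL:!aNULL:@SECLEVEL=0"          # ... plus Allow no encryption
ALL_PLUS_NULL_AND_ANON = "ALL:eNULL:aNULL:@SECLEVEL=0"  # ... plus Allow anonymous key exchange


def build_context(cipher_string: str) -> ssl.SSLContext:
    """Client context restricted to the given OpenSSL cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return (suite, reason) for every suite the NOTEs above warn against:
    no encryption, key shorter than 128 bits, or anonymous key exchange."""
    findings = []
    for suite in ctx.get_ciphers():            # TLS 1.3 suites are always listed too
        reasons = []
        if suite["symmetric"] is None or suite["strength_bits"] == 0:
            reasons.append("no encryption")
        elif suite["strength_bits"] < 128:
            reasons.append(f"only {suite['strength_bits']}-bit")
        if suite["auth"] == "auth-null":       # OpenSSL's name for aNULL key exchange
            reasons.append("anonymous key exchange (no server authentication)")
        if reasons:
            findings.append((suite["name"], "; ".join(reasons)))
    return findings


def suite_names(cipher_string: str) -> list:
    """Names of the suites a context built from cipher_string would offer."""
    return [c["name"] for c in build_context(cipher_string).get_ciphers()]


if __name__ == "__main__":
    for label, spec in (("strong only", STRONG_ONLY),
                        ("all strengths", ALL_STRENGTHS),
                        ("all + no encryption + anonymous", ALL_PLUS_NULL_AND_ANON)):
        ctx = build_context(spec)
        flagged = audit(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites, {len(flagged)} flagged")
        for name, why in flagged[:5]:
            print(f"    {name}: {why}")
```

The strong-only context should produce no findings, which is what the recommended setting buys; the permissive strings need `@SECLEVEL=0` because current OpenSSL builds refuse NULL and anonymous suites at their default security level, a hint that these options exist for legacy interoperability only.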

 

Creation of Encryption Keys:

Unlike earlier versions of the EWS software, MEG 7.x ships with a self-signed certificate, which can be used to perform TLS with remote hosts initially. However, many remote hosts will not accept the built-in self-signed certificate because it is not signed by a publicly trusted Certificate Authority. McAfee therefore recommends that, when configuring the Appliance to use TLS for email security, administrators obtain a CA-signed certificate at least for the receiving side.

 

The Appliance can generate a CSR, but the key it creates is always 2048 bits; MEG 7 offers no way to choose another key length. If a different key length is required, generate the key and the CSR outside the Appliance and import the signed certificate together with that private key. Note also that a certificate issued against an Appliance-generated CSR cannot be loaded directly into the SMTP TLS certificates listing in the UI, because the UI does not release the private key when it generates a CSR, and that private key is required to load a certificate there. To use such a certificate, first import it back into the location in the UI where the CSR was generated (System, Appliance Management, Email Gateway Certificate), then export the certificate and private key from there and load the exported pair into the SMTP TLS Certificates portion of the UI.

 

For more information see:

 

    KB60557 - How to generate a certificate signing request (CSR) for third-party certificate authorities to be used with the EWS or MEG Appliance

    KB74880 - How to import a TLS certificate into an EWS or MEG 7 Appliance

 

NOTE:

 

    When using TLS as a receiver, ensure your certificate matches the hostname in your MX record, because that is the name a sending server connects to and checks. This can be done by creating a certificate for each appliance, or by creating a wildcard certificate. A wildcard certificate has a hostname of "*.domain.com" and can be used on any device named directly under domain.com; note that the wildcard covers only a single label, so *.domain.com matches mx1.domain.com but not mx1.eu.domain.com or domain.com itself.

 

    Configuring encryption based upon policy is common to all encryption types, and is covered in KB76398.