MEG 7.x allows very flexible settings for delivering email over TLS. For example, you can configure your MEG to deliver email over TLS when a compliance scan detects sensitive information. You can also configure when MEG uses TLS and when it does not, based on the sender (client) domain/subnet and/or the next hop (server) domain/subnet.
However, such flexibility also allows you to configure your MEG appliance in a way that makes the TLS delivery settings appear to conflict. For example, you may wonder how MEG resolves the scenarios below:
Here is how MEG handles such configuration.
1. The encryption policy setting has higher precedence than the TLS connections when sending email settings.
In MEG 7.0 and MEG 7.5, if the condition under Email > Email Policies > SMTP > Encryption > When to Encrypt is met, MEG tries to deliver using the On-box Encryption Options. If you choose Only when triggered from a scanner action, MEG applies this setting to email messages that hit the scanner action "Deliver message using encryption" in the policy group. If you choose Always, MEG applies this setting to every email message that hits the same policy group.
Fig 1. Screenshot of MEG 7.5 Encryption policy
In MEG 7.6, there is a policy-based action setting in which you can configure the MEG appliance to always deliver a message using encryption.
Fig 2. MEG 7.6 policy based action setting
Fig 3. Screenshot of MEG 7.6 Encryption policy
In the On-box Encryption Options under the encryption policy setting, if you deselect S/MIME, PGP, and Secure Web Mail, MEG uses TLS for delivery when the policy conditions are met. This setting has higher precedence than TLS connections when sending email (gateway is acting as a client) under Email > Encryption > TLS. Therefore, if a scanner action results in an encryption action that is configured to deliver using TLS, MEG ignores the entries in the TLS connections when sending email settings and forces the use of TLS.
2. The TLS never setting has higher precedence in TLS connections when sending email (gateway is acting as a client).
Under Email > Encryption > TLS, you can configure TLS connections when sending email (gateway is acting as a client) on a per server domain / subnet basis and choose when to use TLS. The available options for when to use TLS are always, never, and when available.
For example, suppose you have the following settings under TLS connections when sending email:
- For 10.10.10.0/24, always use TLS
- For 10.10.10.100, never use TLS
If the delivery lookup falls into 10.10.10.100, MEG will not use TLS, because the never entry for 10.10.10.100 takes precedence over the always entry for 10.10.10.0/24.
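The two precedence rules above (encryption policy beats the client-side TLS table; a matching never entry beats other matching entries) can be checked against a planned configuration before it is deployed. The following is an added example written for this article, not MEG code or an MEG API: it models the rules as a small resolver over a constructed copy of the table from the example. The domain-matching behaviour and the tie-break between always and when available when both match the same next hop are assumptions made for the model and are marked as such in the code; the page only documents that never wins.

```python
"""Model of MEG TLS delivery precedence as described in the article.

Added example (not McAfee's code). It encodes two documented rules:
  1. An encryption policy action that resolves to TLS-only on-box encryption
     overrides the 'TLS connections when sending email' table entirely.
  2. Among table entries matching the next hop, a 'never' entry wins.
The tie-break between 'always' and 'when available' when both match is NOT
stated in the article; here 'always' is assumed to win (labelled assumption).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class TlsMode(Enum):
    ALWAYS = "always"
    NEVER = "never"
    WHEN_AVAILABLE = "when available"


@dataclass(frozen=True)
class TlsClientEntry:
    """One row of 'TLS connections when sending email (gateway acting as client)'."""
    target: str      # next-hop server domain, IP address, or CIDR subnet
    mode: TlsMode


def entry_matches(target: str, next_hop: str) -> bool:
    """True if the entry's target covers the next-hop server.

    IP/subnet targets use ipaddress containment. Domain targets match the
    exact host or any subdomain; that matching rule is an assumption of this
    model, not something the article specifies.
    """
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        host = next_hop.lower().rstrip(".")
        dom = target.lower().lstrip("*.").rstrip(".")
        return host == dom or host.endswith("." + dom)
    try:
        return ipaddress.ip_address(next_hop) in net
    except ValueError:
        return False   # a hostname next hop never matches an IP/subnet entry


def resolve_tls(next_hop: str, entries: List[TlsClientEntry],
                policy_forces_tls: bool = False) -> Tuple[Optional[TlsMode], str]:
    """Return the effective TLS mode for a delivery and the rule that decided it."""
    # Rule 1: the encryption policy (On-box Encryption with only TLS left
    # selected) has precedence over the whole client-side TLS table.
    if policy_forces_tls:
        return TlsMode.ALWAYS, "encryption policy action: TLS forced, client TLS table ignored"

    matched = [e for e in entries if entry_matches(e.target, next_hop)]
    if not matched:
        return None, "no matching entry; appliance default applies (not modelled here)"

    # Rule 2: a 'never' entry beats any other matching entry.
    for e in matched:
        if e.mode is TlsMode.NEVER:
            return TlsMode.NEVER, f"'never' entry for {e.target} overrides other matches"

    # Assumption (not in the article): 'always' is treated as stricter than
    # 'when available' when both match the same next hop.
    for e in matched:
        if e.mode is TlsMode.ALWAYS:
            return TlsMode.ALWAYS, f"'always' entry for {e.target}"
    return TlsMode.WHEN_AVAILABLE, f"'when available' entry for {matched[0].target}"


# Constructed sample table reproducing the article's example.
EXAMPLE_TABLE = [
    TlsClientEntry("10.10.10.0/24", TlsMode.ALWAYS),
    TlsClientEntry("10.10.10.100", TlsMode.NEVER),
]

if __name__ == "__main__":
    for hop, forced in [("10.10.10.100", False), ("10.10.10.50", False),
                        ("10.10.10.100", True), ("mail.example.com", False)]:
        mode, why = resolve_tls(hop, EXAMPLE_TABLE, policy_forces_tls=forced)
        label = mode.value if mode else "default"
        print(f"{hop:16} policy_forces_tls={forced!s:5} -> {label:15} ({why})")
```

Running the script shows the article's case (10.10.10.100 resolves to never even though the /24 says always), the same host forced to TLS when the encryption policy action fires, and a host outside both entries falling through to the appliance default, which the article does not describe and the model deliberately leaves undecided.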