MEG 7.x allows very flexible settings for delivering email over TLS. For example, you can configure your MEG to deliver email over TLS when a compliance scan detects sensitive information. You can also configure when your MEG uses TLS and when it does not, based on the sender (client) domain/subnet and/or the next hop (server) domain/subnet.


However, such flexibility also allows you to configure your MEG appliance in a way that makes the TLS delivery settings appear to conflict. For example, you may wonder how MEG resolves the scenarios below:

 

  • What if a scanner action results in an encryption action that is configured to deliver using TLS, but TLS connections when sending email (gateway is acting as a client) is configured to never use TLS?
  • What if TLS connections when sending email (gateway is acting as a client) has two entries, where one entry says never use TLS for one IP address but another says always use TLS for the subnet that contains it?


Here is how MEG handles such configurations.


1. The encryption policy setting has higher precedence than the TLS connections when sending email settings.


In MEG 7.0 and MEG 7.5, if the condition under Email > Email Policies > SMTP > Encryption > When to Encrypt is met, MEG tries to deliver using the On-box Encryption Options. If you choose Only when triggered from a scanner action, MEG applies this setting to email messages that hit a scanner action "Deliver message using encryption" in the policy group. If you choose Always, MEG applies this setting to every email message that hits the same policy group.

[Image: meg75_encryption_policy.png]

Fig 1. Screenshot of MEG 7.5 Encryption policy


In MEG 7.6, there is a policy-based action setting with which you can configure the MEG appliance to always deliver messages using encryption.

[Image: meg76_policy_based_action.png]

Fig 2. MEG 7.6 policy based action setting

 

[Image: meg76_encryption_policy.png]

Fig 3. Screenshot of MEG 7.6 Encryption policy


In the On-box Encryption Options under the encryption policy setting, if you deselect S/MIME, PGP, and Secure Web Mail, MEG uses TLS for delivery when the policy conditions are met. This setting has higher precedence than TLS connections when sending email (gateway is acting as a client) under Email > Encryption > TLS. Therefore, if a scanner action results in an encryption action that is configured to deliver using TLS, MEG ignores the entries in the TLS connections when sending email settings and forces TLS for that delivery.


2. The TLS never setting has higher precedence in TLS connections when sending email (gateway is acting as a client).


Under Email > Encryption > TLS, you can configure TLS connections when sending email (gateway is acting as a client) on a per server domain/subnet basis and choose when to use TLS. The available options for when to use TLS are always, never, and when available.


For example, suppose you have the following entries under TLS connections when sending email:

- For 10.10.10.0/24, always use TLS
- For 10.10.10.100, never use TLS

If the delivery lookup resolves to 10.10.10.100, both entries match, and because never has higher precedence, MEG will not use TLS for that delivery.
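The two precedence rules above can be modelled as a small resolver. The following Python is an added illustration written for this article, not McAfee code: the class and function names, the domain-matching logic, the ordering of always before when available when both match, and the default used when no entry matches are all assumptions made for the example. The sample entries are the ones from the example above.

```python
"""Model of how MEG 7.x picks the TLS mode for an outbound delivery,
following the two rules described in the article:
  1. an encryption policy that delivers over TLS outranks the per-server table;
  2. within the per-server table, a matching 'never' entry outranks everything.
Added example; names, data structures and defaults are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List

ALWAYS, NEVER, WHEN_AVAILABLE = "always", "never", "when available"


@dataclass
class TlsEntry:
    """One row of 'TLS connections when sending email (gateway is acting as a client)'."""
    target: str   # IPv4/IPv6 address, CIDR subnet, or domain name
    mode: str     # ALWAYS, NEVER or WHEN_AVAILABLE

    def matches(self, next_hop: str) -> bool:
        """True if this entry applies to the next-hop address or domain."""
        try:
            hop = ipaddress.ip_address(next_hop)
        except ValueError:
            # Next hop is a domain name: exact match or a sub-domain of the
            # entry's domain (matching rule is an assumption for this example).
            return next_hop == self.target or next_hop.endswith("." + self.target)
        try:
            # A bare address becomes a /32 (or /128) network.
            return hop in ipaddress.ip_network(self.target, strict=False)
        except ValueError:
            return False  # entry is a domain, next hop is an IP: no match


@dataclass
class EncryptionPolicy:
    """On-box Encryption Options of the policy group the message hit."""
    smime: bool = False
    pgp: bool = False
    secure_web_mail: bool = False

    def delivers_over_tls(self) -> bool:
        # With S/MIME, PGP and Secure Web Mail all deselected,
        # "deliver using encryption" means deliver over TLS.
        return not (self.smime or self.pgp or self.secure_web_mail)


def resolve_tls_mode(encryption_triggered: bool,
                     policy: EncryptionPolicy,
                     entries: List[TlsEntry],
                     next_hop: str,
                     default: str = WHEN_AVAILABLE) -> str:
    """Return the TLS mode MEG would use for one delivery."""
    # Rule 1: the encryption policy has higher precedence than the table.
    if encryption_triggered and policy.delivers_over_tls():
        return ALWAYS
    # Rule 2: collect every matching entry; 'never' wins over the rest.
    modes = {e.mode for e in entries if e.matches(next_hop)}
    if NEVER in modes:
        return NEVER
    if ALWAYS in modes:          # always before when available: assumption
        return ALWAYS
    if WHEN_AVAILABLE in modes:
        return WHEN_AVAILABLE
    return default               # no entry matched; default is an assumption


if __name__ == "__main__":
    # Constructed sample table: the subnet/host pair from the article.
    table = [TlsEntry("10.10.10.0/24", ALWAYS), TlsEntry("10.10.10.100", NEVER)]
    no_policy = EncryptionPolicy()
    print(resolve_tls_mode(False, no_policy, table, "10.10.10.100"))  # never
    print(resolve_tls_mode(False, no_policy, table, "10.10.10.5"))    # always
    print(resolve_tls_mode(True, no_policy, table, "10.10.10.100"))   # always
```

Running the block shows both rules in action: the host entry's never beats the subnet's always, but a triggered encryption action whose on-box options are all deselected overrides the table entirely. If the policy still has S/MIME, PGP or Secure Web Mail selected, the resolver falls back to the table, which is consistent with the article's description that only the "all deselected" case means TLS delivery.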