- Has anyone had success configuring a MEG (preferably <7.6, ideally at 7.0.3 or 7.0.4) to do TLS to a specific domain that's a postini customer without breaking mail sending to other postini customers?
- Also, what, if any, TLS pitfalls have you encountered that broke outbound mail flow by moving from a "Never" to a "When available" setting for * under Email> Encryption> TLS> When Sending Mail (gateway acting as a client)?
Details that might inspire "TL;DR", but some might be interested in:
The only way I've succeeded in sending TLS to such a domain is to specify an encryption policy at the top of the Email> Encryption> TLS> When Sending Mail (gateway acting as a client) list to force TLS to
- *thedomain.com (as one might expect)
- as well as *.psmtp.com (as one would not expect, ... cue dissonant horns and 3 men in red vestments).
The downside that makes it unworkable:
- suddenly you're forcing TLS to domains that are postini customers, who might not even be set up to deal with TLS
Things that have been tried that didn't work:
- just the domain
- adding the specific quartet of postini email servers that make up the target domain's MX records doesn't work. Only *.psmtp.com seems to for some reason.
- adding thedomain.com.*.pstmp.com (an internal wildcard there)
- only *domain.com and *.psmtp.com together at the top of the sending mail TLS policy will deliver with TLS. Everything else goes plain old SMTP.
Unfortunately, I can't leave that *.psmtp.com in there, as I'm strongly cautioned by an experienced mail administrator who's a postini customer that forcing TLS to *.psmtp.com would be a Very Bad Idea(TM), as apparently for postini customers who haven't specifically configured themselves for TLS... either the mail gets accepted and then not delivered, or it bounces? As I'm not a postini customer, I'm ignorant of the exact specifics, but I'd welcome any other experience on this front. But apparently you need to pay postini extra for TLS goodies, and you need to ensure you plumb a TLS connection from your premises mail gateway to postini if you're a customer who wants to do TLS with postini. And it's a fair assumption that not all are.
Apparently other commercial mail appliances understand a notion of per-domain encryption settings and gracefully handle it when said domains use third-party mail server front ends like postini, but apparently MEG is perhaps only getting this in 7.6.1?
If anyone's slain this dragon or can confirm what I'm seeing, I'm all ears. Thanks in advance for any insights! A support escalation has been made and has Tier 3 attention, but so far we haven't divined any way to do this in 7.0.3.
Thanks in advance for any info!