Why do I get delivery errors when I enable TLS Encryption in the SMTP-Proxy?
When you enable explicit TLS encryption in your SMTP-proxy, mail sent to a recipient mail server that does not support TLS is not delivered. This occurs when the encryption rule for an outgoing SMTP-proxy action is configured with the default Sender Encryption setting of Optional and the default Recipient Encryption setting of Allow.
With these settings, the SMTP-proxy passes the STARTTLS command it receives from the sending client through to the receiving mail server. If the receiving mail server does not support TLS encryption, it rejects STARTTLS with a 5xx error message and terminates the session, so the message is never accepted for delivery.
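Before you change the proxy action, it helps to confirm which recipient servers actually advertise STARTTLS in their EHLO reply, because that is the capability the proxy depends on when it relays the sender's STARTTLS command. The following Python script is an added diagnostic for this article, not WatchGuard or Firebox code. The two EHLO replies embedded in it are constructed samples, and mail.example.net, legacy.example.org and mx.recipient.example are placeholder hostnames.

```python
"""Diagnose whether a recipient mail server accepts STARTTLS before
enforcing TLS on an SMTP proxy.

Added example for this article; not WatchGuard code. Hostnames are placeholders.
"""
import smtplib

# Constructed EHLO replies, shaped as a server returns them (RFC 5321 4.1.1.1).
# The first 250 line names the server; "250-" continues, "250 " ends the reply.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.net Hello relay.example.com\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-legacy.example.org\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(raw: bytes) -> dict:
    """Return {EXTENSION: parameters} for every extension in an EHLO reply."""
    exts = {}
    seen_domain = False
    for line in raw.decode("ascii", errors="replace").splitlines():
        if not line.startswith("250"):
            continue              # ignore a 220 banner if it was captured too
        body = line[4:].strip()   # drop the "250-" / "250 " prefix
        if not seen_domain:
            seen_domain = True    # first 250 line is the server name, not an extension
            continue
        if body:
            keyword, _, params = body.partition(" ")
            exts[keyword.upper()] = params
    return exts


def starttls_advertised(raw: bytes) -> bool:
    """True when the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(raw)


def verdict(raw: bytes) -> str:
    """What the article's default Optional/Allow rule does for this server."""
    if starttls_advertised(raw):
        return "delivers over TLS"
    return "STARTTLS rejected with 5xx; mail is dropped under Optional/Allow"


def probe_recipient(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a live server, EHLO, and record what STARTTLS would get.

    If STARTTLS is not advertised, the verb is sent anyway and the raw reply
    recorded: that is the 5xx the proxy sees when it relays the sender's
    STARTTLS to such a server. No mail is sent.
    """
    result = {"host": host, "port": port}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            code, _ = s.ehlo()
            if code != 250:
                result.update(reachable=True, ehlo_ok=False, starttls=False)
                return result
            result.update(
                reachable=True, ehlo_ok=True,
                extensions=sorted(k.upper() for k in s.esmtp_features),
                starttls=s.has_extn("starttls"),
            )
            if not result["starttls"]:
                # docmd sends the verb raw, bypassing smtplib's own STARTTLS check
                code, msg = s.docmd("STARTTLS")
                result["starttls_reply"] = f"{code} {msg.decode(errors='replace')}"
    except (OSError, smtplib.SMTPException) as exc:
        result.update(reachable=False, error=str(exc))
    return result


if __name__ == "__main__":
    for label, sample in (("with", EHLO_WITH_STARTTLS), ("without", EHLO_WITHOUT_STARTTLS)):
        print(f"{label:8} STARTTLS -> {verdict(sample)}")
    # Live probe of a placeholder host; replace the name and uncomment:
    # print(probe_recipient("mx.recipient.example"))
```

Run the script as-is to see the two constructed cases; call probe_recipient against each recipient MX you relay to (from a host that is allowed outbound on port 25) to see whether the STARTTLS reply is a 220 or the 5xx described above. A 5xx here, with Sender Encryption set to Optional and Recipient Encryption set to Allow, is exactly the delivery failure this article describes.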
Modify the SMTP-Outgoing Proxy Action
Change the settings for the SMTP-Outgoing proxy action default rule from Optional-Allowed to None-Preferred. With this setting, the encryption rule attempts to use TLS encryption when the SMTP connection to the recipient mail server is established, but a TLS encrypted connection is not required from the sender mail server, so mail to a recipient that cannot negotiate TLS is delivered over an unencrypted connection instead of being dropped. If you want traffic from the sender to be encrypted, select a Sender Encryption setting of Optional.
From the SMTP Proxy Action Configuration dialog box for the SMTP-Outgoing proxy action:
Modify the SMTP-Incoming Proxy Action
Change the settings for the SMTP-Incoming proxy action default rule from Optional-Allowed to Optional-None. With this setting, the encryption rule allows a sending client to deliver mail to the Firebox with TLS encryption, while the connection between the Firebox and your internal mail server stays unencrypted. If you want traffic to the recipient mail server to be encrypted, select a Recipient Encryption setting of Preferred.
From the SMTP Proxy Action Configuration dialog box for the SMTP-Incoming proxy action:
For more information about TLS encryption for the SMTP-proxy, see: