WatchGuard Support Center

Knowledge Base - Article

000014308
Unexpected Delivery Errors from TLS Encryption with the SMTP-Proxy

Information

Why do I get delivery errors when I enable TLS Encryption in the SMTP-Proxy?

When you enable explicit TLS encryption in your SMTP-proxy, traffic that is sent to a mail server that does not support TLS is not delivered. This occurs when the encryption rule for an outgoing SMTP-proxy action is configured with the default Sender Encryption setting of Optional and the default Recipient Encryption setting of Allow.

[Screen shot: the SMTP-Proxy STARTTLS Encryption settings]

The SMTP-proxy forwards the STARTTLS command requested by the sending client to the receiving mail server. If the receiving mail server does not support TLS encryption, it responds with a 5xx error message and terminates the session without accepting the traffic.
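A receiving server only runs into the failure described above when it does not list STARTTLS in its EHLO reply, so a useful check before enabling TLS in the proxy is to confirm which peers advertise it. The following script is an added example, not WatchGuard code: it parses a raw EHLO reply (for instance one copied from a proxy log or packet capture) and can also probe a live server; the hostnames and EHLO replies in it are constructed.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Added example, not WatchGuard code. The proxy behaviour on the page (STARTTLS
forwarded, 5xx reply, session dropped) occurs against servers that do not
list STARTTLS in their EHLO response, so this checks for that first.
"""
import smtplib


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the extension keywords from a raw multi-line 250 EHLO reply.

    Each line looks like '250-KEYWORD params' or, for the last line,
    '250 KEYWORD'. The first line is the server's greeting, not an
    extension, so it is skipped.
    """
    extensions = set()
    for line in reply.splitlines()[1:]:
        line = line.strip()
        if not line.startswith("250"):
            continue                  # not part of a successful EHLO reply
        body = line[4:].strip()       # drop the '250-' or '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Connect to a live server and report whether its EHLO lists STARTTLS.

    Returns True or False, or None when the server is unreachable or rejects
    EHLO. Needs network access; the caller supplies the hostname.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                return None
            return smtp.has_extn("starttls")
    except (OSError, smtplib.SMTPException):
        return None


# Constructed EHLO replies: one server that supports STARTTLS, one that does not.
EHLO_WITH_TLS = "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-legacy.example.test Hello\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("no TLS", EHLO_NO_TLS)):
        print(f"{name}: STARTTLS advertised = {advertises_starttls(reply)}")
```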

To make sure that the receiving mail server accepts all traffic from the sending client, even when TLS encryption is enabled, modify the settings for the SMTP-Outgoing proxy action and SMTP-Incoming proxy action to change the settings for the default rule.

Modify the SMTP-Outgoing Proxy Action

Change the settings for the SMTP-Outgoing proxy action default rule from Optional-Allowed to None-Preferred. With this setting, the encryption rule attempts to use TLS encryption when an SMTP connection is established to the recipient mail server, but a TLS-encrypted connection is not required from the sender mail server. If you want traffic from the sender to be encrypted, select a Sender Encryption setting of Optional.

From the SMTP Proxy Action Configuration dialog box for the SMTP-Outgoing proxy action:

  1. Select the Enable STARTTLS for Content Inspection check box.
  2. At the bottom of the Rules list, in the Sender Encryption column, click Optional.
    A drop-down list appears.
  3. From the Sender Encryption drop-down list, select None.
  4. In the Recipient Encryption column, click Allowed.
    A drop-down list appears.
  5. From the Recipient Encryption drop-down list, select Preferred.

[Screen shot: the edited rules in the SMTP-Outgoing proxy action]

Modify the SMTP-Incoming Proxy Action

Change the settings for the SMTP-Incoming proxy action default rule from Optional-Allowed to Optional-None. With this setting, the encryption rule allows a sending client to deliver mail with TLS encryption to the Firebox, while the connection between the Firebox and the mail server is unencrypted. If you want traffic to the recipient to be encrypted as well, select a Recipient Encryption setting of Preferred.

From the SMTP Proxy Action Configuration dialog box for the SMTP-Incoming proxy action:

  1. Select the Enable STARTTLS for Content Inspection check box.
  2. At the bottom of the Rules list, keep the Sender Encryption setting of Optional.
  3. In the Recipient Encryption column, click Allowed.
    A drop-down list appears.
  4. From the Recipient Encryption drop-down list, select None.

[Screen shot: the edited SMTP-Incoming proxy action]

For more information about TLS encryption for the SMTP-proxy, see: