3.2 Configuring TLS

For production MetaDefender Email Gateway Security deployments a more sophisticated TLS configuration is recommended than what is described below. Please consult the nginx documentation on Configuring HTTPS servers for further details.

It is not recommended to use self-signed certificates in production environments. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one.

Digital ID

To keep the solution simple, MetaDefender Email Gateway Security uses a single private/public key pair as its digital identifier.

This digital ID –the same certificate– is used when MetaDefender Email Gateway Security acts either as a server or as a client.

Key and certificate files must be in PEM format.

Key and certificate files

The following files of the digital ID must be placed on the following paths in the server's file system:

 

Path

Private key

<install base>\data\key.pem

Example:

C:\Program Files\OPSWAT\Metadefender Email Security\data\key.pem

Certificate

<install base>\data\cert.pem

Example:

C:\Program Files\OPSWAT\Metadefender Email Security\data\cert.pem

Private key and certificate

<install base>\data\tls.pem

Example:

C:\Program Files\OPSWAT\Metadefender Email Security\data\tls.pem

Inbound connections

Web Management Console

MetaDefender Email Gateway Security supports accessing Web Management Console via HTTPS. This feature is, however, not enabled by default. To enable the TLS/HTTPS you should modify MetaDefender Email Gateway Security configuration by following the next steps.

Let us assume that MetaDefender Email Gateway Security is installed in:

C:\Path\To\Metadefender Email Security

To simply enable TLS:

  1. Create file ssl.conf in the directory C:\Path\To\MetaDefender Email Security\nginx.

  2. Add the following lines:

    ssl on;
    ssl_certificate "C:\Path\To\MetaDefender Email Security\data\cert.pem";
    ssl_certificate_key "C:\Path\To\MetaDefender Email Security\data\key.pem";
  3. Restart MetaDefender Email Gateway Security service.

Inbound SMTP service

MetaDefender Email Gateway Security's SMTP service can be configured to use TLS encryption for increased security. For details see 3.2.1 Inbound TLS support.

Outbound connections

TLS for outbound connections can be set up at the appropriate server profile. For details see 3.7 Server profiles.

In case of outbound connections the servers certificate must always be trusted by the client.

In practice it means that either the CA certificate –that was used for signing the server's certificate–, or the server's certificate itself must be installed in the Email Gateway Security's operating system's trusted certificate store.

Connection to Core

To connect to a Core server over TLS perform the following steps:

  1. Configure the Core server to listen on HTTPS. For details see 3.8. Configuring TLS/SSL,

  2. Add this Core to your server profiles using https scheme. For details see 3.7 Server profiles.

Outbound SMTP

To connect to an SMTP server over TLS first you need to decide which favour to use: StartTLS (TLS over SMTP) or SMTPS (SMTP over TLS).

Due to security considerations always prefer SMTPS to StartTLS whenever possible.

StartTLS

In case of StartTLS you still need to decide whether using StartTLS is just an option or it is mandatory.

Optional StartTLS

If StartTLS is optional then the client will try to establish the TLS connection, and if it fails, then the connection will fail over to a clear text connection.

To connect to an SMTP server using optional StartTLS perform the following steps:

  1. Configure the SMTP server to either

    1. Support StartTLS – in this case clear text SMTP connections will be upgraded to TLS; or

    2. Not support StartTLS – in this case SMTP connections will be fall back to clear text.

  2. Add this SMTP server to your server profiles

    1. Using smtp scheme, with

    2. TRANSPORT LEVEL ENCRYPTION set to STARTTLS optional.

    3. For details see 3.7 Server profiles.

Mandatory StartTLS

If StartTLS is mandatory then the client will try to establish the TLS connection, and if it fails, then the connection will fail.

To connect to an SMTP server using mandatory StartTLS perform the following steps:

  1. Configure the SMTP server to Support StartTLS;

  2. Add this SMTP server to your server profiles

    1. Using smtp scheme, with

    2. TRANSPORT LEVEL ENCRYPTION set to STARTTLS required.

    3. For details see 3.7 Server profiles.

SMTPS

In case of SMTPS, the TLS handshake comes first, and if (and only if) it succeeds, then the SMTP connection is established over the TLS.

To connect to an SMTP server over TLS perform the following steps:

  • Configure the SMTP server to listen on SMTPS.

  • Add this SMTP server to your server profiles using smtps scheme. For details see 3.7 Server profiles.