Transport Layer Security (TLS) Peers

Transport Layer Security (TLS) is a protocol that helps to secure data and ensure communication privacy between endpoints. Trend Micro Email Security allows you to configure TLS encryption policies between Trend Micro Email Security and specified TLS peers. Trend Micro Email Security supports the following TLS protocols in descending order of priority: TLS 1.3, TLS 1.2, TLS 1.1 and TLS 1.0.

To protect against man-in-the-middle attacks on TLS connections, DNS-based Authentication of Named Entities (DANE) binds the X.509 digital certificates commonly used for TLS to domain names using Domain Name System Security Extensions (DNSSEC). Using the authentication inherent in DNSSEC, DANE enables a domain administrator to affirm TLS credentials and so mitigate certificate authority (CA) vulnerabilities and breaches.

Trend Micro Email Security allows you to use DANE authentication between Trend Micro Email Security and specified TLS peers during outbound mail delivery.

The Transport Layer Security (TLS) Peers screen uses the following important terms:

Term

Details

Managed Domain list

Status (Managed Domain)

  • Enabled: Domain is enabled

  • Disabled: Domain is disabled

Default (for unspecified domains)

This configuration applies to all domains that are not in the managed domain list.

Domain TLS Peers list

Status (TLS Peer)

  • Enabled: Trend Micro Email Security applies your specified TLS configuration to the peer

  • Disabled: Trend Micro Email Security does not apply your specified TLS configuration to the peer

    Instead, the "Default (for unspecified peers)" TLS configuration applies.

TLS peer

Trend Micro Email Security applies your specified TLS configuration to this peer during network communications.

Security level

  • Opportunistic TLS:

    • Communicates using encryption if the peer supports and elects to use TLS

    • Communicates without encryption if the peer does not support TLS

    • Communicates without encryption if the peer supports TLS but elects not to use TLS

  • Mandatory TLS:

    • Communicates using encryption if the peer supports and elects to use TLS

    • Does not communicate if the peer does not support TLS

    • Does not communicate if the peer supports TLS but elects not to use TLS

  • Opportunistic DANE TLS (Outbound protection only)

    • When the remote SMTP server has usable DANE TLSA record(s):

      • Communicates using encryption if the peer DANE authentication succeeds

      • Does not communicate if the peer does not pass DANE authentication

    • When all TLSA record(s) are unusable because of unsupported parameters or malformed data:

      Downgrades to Mandatory TLS

    • In other cases:

      Downgrades to Opportunistic TLS

  • Mandatory DANE TLS (Outbound protection only)

    • Communicates using encryption if the peer DANE authentication succeeds

    • Does not communicate if the peer does not pass DANE authentication

Default (for unspecified peers)

This configuration applies to all peers that meet any of the following criteria:

  • Peer is not in the peer list

  • Peer is in the peer list, but is not enabled
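The "Security level" rules above, written out as an added example (this is not Trend Micro's code): a decision function that returns the delivery outcome for one peer, including the two Opportunistic DANE TLS downgrade cases. The `Peer` fields, enum names and outcome strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class SecurityLevel(Enum):
    OPPORTUNISTIC_TLS = "Opportunistic TLS"
    MANDATORY_TLS = "Mandatory TLS"
    OPPORTUNISTIC_DANE = "Opportunistic DANE TLS"
    MANDATORY_DANE = "Mandatory DANE TLS"


class Tlsa(Enum):
    NONE = "no usable or unusable TLSA records found"   # "in other cases"
    UNUSABLE = "all TLSA records unusable"              # bad params / malformed
    USABLE = "at least one usable TLSA record"


@dataclass
class Peer:                      # assumed model of what the remote SMTP server offers
    supports_tls: bool           # advertises STARTTLS
    elects_tls: bool             # actually negotiates TLS when offered
    tlsa: Tlsa                   # state of its DANE TLSA records
    dane_auth_ok: bool           # certificate matched a usable TLSA record


ENCRYPTED, PLAINTEXT, NO_DELIVERY = "encrypted", "plaintext", "no delivery"


def delivery_outcome(level: SecurityLevel, peer: Peer) -> str:
    """Apply the page's security-level rules and return the outcome."""
    # Opportunistic DANE TLS first resolves to an effective level.
    if level is SecurityLevel.OPPORTUNISTIC_DANE:
        if peer.tlsa is Tlsa.USABLE:
            level = SecurityLevel.MANDATORY_DANE      # enforce DANE
        elif peer.tlsa is Tlsa.UNUSABLE:
            level = SecurityLevel.MANDATORY_TLS       # downgrade: TLS still required
        else:
            level = SecurityLevel.OPPORTUNISTIC_TLS   # downgrade: plaintext allowed
    if level is SecurityLevel.MANDATORY_DANE:
        return ENCRYPTED if peer.dane_auth_ok else NO_DELIVERY
    if peer.supports_tls and peer.elects_tls:
        return ENCRYPTED
    # Peer will not use TLS: only Opportunistic TLS falls back to plaintext.
    return PLAINTEXT if level is SecurityLevel.OPPORTUNISTIC_TLS else NO_DELIVERY
```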