Kaspersky Secure Mail Gateway Help

About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

TLS (Transport Layer Security) is a protocol that encrypts the connection between two servers and thereby protects the data exchanged between network nodes on the Internet.

A TLS session is a sequence of the following events:

  1. The server that sends email messages (the Client) establishes a connection to the server that receives them (the Server).
  2. The servers begin to interact via the SMTP protocol.
  3. The Client uses the STARTTLS command to offer the Server the use of TLS for the rest of the SMTP interaction.
  4. If the Server supports TLS, it accepts the STARTTLS command and sends the Server certificate to the Client.
  5. The Client receives the certificate and, if the corresponding settings are configured, verifies the authenticity of the Server certificate.
  6. The Client and the Server switch to encrypted data transfer.
  7. The servers exchange data.
  8. The session ends.

You can configure the TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role) and when it sends messages to another server (acts in the Client role). You can also configure TLS settings individually for domains and for domain groups that share the same IP address.

See also

Using the TLS protocol in the operation of Kaspersky Secure Mail Gateway

Configuring TLS security for Kaspersky Secure Mail Gateway in Server role

Configuring TLS security for Kaspersky Secure Mail Gateway in Client role

Creating a TLS certificate

Deleting a TLS certificate

Preparing a self-signed TLS certificate for import

Preparing to import a TLS certificate signed by a certification authority

Importing the TLS certificate from file

Configuring TLS security for Kaspersky Secure Mail Gateway in Server role

To configure the TLS security mode for situations when Kaspersky Secure Mail Gateway receives messages from another server (acts in the Server role):

  1. In the main window of the application web interface, open the management console tree and select the Domains section.
  2. Click any link to open the TLS settings window.
  3. In the Server TLS security level settings group, select one of the following modes of TLS encryption for the connection between Kaspersky Secure Mail Gateway and the server that sends email messages:
    • No TLS Encryption if you do not want to use TLS encryption for the connection to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway receives all messages in unencrypted form.

    • Accept TLS Encryption if you want Kaspersky Secure Mail Gateway to offer TLS encryption to the server that sends email messages.

      In this case, Kaspersky Secure Mail Gateway uses the STARTTLS command to offer the sending server the use of TLS encryption, but accepts messages regardless of the server's response.

    • Require TLS Encryption if you want Kaspersky Secure Mail Gateway to require the server that sends email messages to use TLS encryption for the connection.

      In this case, the sending server (Client) uses the STARTTLS command to offer Kaspersky Secure Mail Gateway the use of TLS encryption. Kaspersky Secure Mail Gateway accepts the STARTTLS command, sends its Server certificate to the Client, and requires the Client to verify the authenticity of that certificate. The encrypted TLS connection is established after the Client has verified the authenticity of the Server certificate.

  4. In the Providing Server TLS certificate settings group, select the TLS certificate of the server that Kaspersky Secure Mail Gateway sends to the Client for authentication at the beginning of each TLS session.

    You can create or import a TLS certificate in the Encryption keys section, TLS subsection of the main window of the Kaspersky Secure Mail Gateway web interface.

  5. In the Requesting Client TLS certificate settings group, select one of the following options:
    • Do not request if you do not want Kaspersky Secure Mail Gateway to request the client's TLS certificate.
    • Request if you want Kaspersky Secure Mail Gateway to request the client's TLS certificate but still redirect messages regardless of the result of certificate verification.
    • Require if you want Kaspersky Secure Mail Gateway to require the client's TLS certificate and to refuse to forward messages when the client's name or TLS certificate is invalid.

      Select Request or Require only if you are certain that the clients served by your mail server can present a verifiable TLS certificate.

  6. Click OK.

Configuring TLS security for Kaspersky Secure Mail Gateway in Client role

To configure the TLS security mode for situations when Kaspersky Secure Mail Gateway redirects messages to another server (acts in the Client role):

  1. In the main window of the application web interface, open the management console tree and select the Domains section.
  2. Click any link to open the TLS settings window.
  3. In the Client TLS security level settings group, select one of the following modes of TLS encryption of the connection between Kaspersky Secure Mail Gateway and the server that receives email messages:
    • No TLS Encryption if you do not want to use TLS encryption of the connection to the server that receives email messages.

      In this case, Kaspersky Secure Mail Gateway redirects all messages in unencrypted form.

    • Attempt TLS Encryption if you want Kaspersky Secure Mail Gateway to attempt to establish a TLS session with the receiving mail server and, if that server does not support TLS, to redirect messages in unencrypted form.
    • Require TLS Encryption and don't verify certificate if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, regardless of the authenticity of its TLS certificate.
    • Require TLS Encryption and verify certificate if you want Kaspersky Secure Mail Gateway to redirect messages only if the receiving mail server supports TLS, its TLS certificate has been verified, and the certificate name matches the server's domain name.

      Kaspersky Secure Mail Gateway does not redirect messages when these conditions are not met.

  4. Click OK.

Creating a TLS certificate

To create a TLS certificate:

  1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
  2. Click the Create button in the upper part of the workspace.

    The Create TLS certificate window opens.

  3. In the TLS certificate name field, type the name of the TLS certificate that is sent to the SMTP client for authentication at the beginning of each TLS session.

    The TLS certificate of the server is provided when Kaspersky Secure Mail Gateway acts in the role of a mail server (receives messages).

    The TLS certificate name cannot be blank.

  4. In the Country code field, type the two-letter code of the country in which your organization is located.

    For example, you can type RU for Russia or US for the USA.

  5. In the State field, type the name of the state or region where your organization is located.
  6. In the Locality field, type the name of the city where your organization is located.
  7. In the Organization Unit field, type the name of the organizational unit for which you are creating the TLS certificate.
  8. In the Email address field, specify the email address of the Kaspersky Secure Mail Gateway administrator.
  9. Click OK.

The TLS certificate you have created appears in the list of TLS certificates in the workspace of the main window of the application web interface.

Deleting a TLS certificate

To delete a TLS certificate:

  1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
  2. In the list of TLS certificates, select the check box next to the name of one or several certificates that you want to delete.
  3. Click the Delete button in the upper part of the workspace.

    The Delete action confirmation window opens.

  4. Click Yes.

    The Delete window closes.

The TLS certificate is deleted.

Preparing a self-signed TLS certificate for import

A self-signed TLS certificate intended to be imported into Kaspersky Secure Mail Gateway must meet the following requirements:

  • The certificate file must have a unique name in the list of certificates used in Kaspersky Secure Mail Gateway.
  • The certificate file and the private key file must be in PEM format.
  • The key length must be 1024 bits or longer.

As an example, the instructions below prepare the self-signed TLS server certificate server_cert.pem, whose private key is in the key.pem file, for import.

To prepare a self-signed TLS certificate for import into Kaspersky Secure Mail Gateway:

  1. In the private key file, remove the password (if any) that protects the key. To do so, execute the command:

    # openssl rsa -in <name of the private key file>.pem -out <name of the private key file with the password removed>.pem

    For example, you can execute the following command:

    # openssl rsa -in key.pem -out key-nopass.pem

  2. Combine the private key and the server certificate into a single file. To do so, execute the command:

    % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem > <name of the server certificate after the files were combined>.pem

    For example, you can execute the following command:

    % cat key-nopass.pem server_cert.pem > cert.pem

The self-signed TLS certificate (for example, cert.pem) is ready for import into Kaspersky Secure Mail Gateway.

Preparing to import a TLS certificate signed by a certification authority

A TLS certificate signed by a certification authority (CA-signed certificate) intended for import into Kaspersky Secure Mail Gateway must meet the following requirements:

  • The certificate file must have a unique name in the list of certificates used in Kaspersky Secure Mail Gateway.
  • The files of the server certificate, intermediate and root CA certificates, and the private key file must be in PEM format.
  • The key length must be 1024 bits or longer.
  • You must have the complete certificate chain, that is, the path from the server certificate to the root CA certificate.

    On receiving the CA-signed certificate, you may need to use the intermediate CA certificate in addition to the server certificate.

  • Certificates must appear in the certificate chain in the following order: the server certificate first, followed by the intermediate CA certificates.
  • Intermediate certificates must not be skipped in the certificate chain.
  • The certificate chain must not include any certificates unrelated to the current certification path.

As an example, the instructions below prepare a TLS server certificate signed by a certification authority, server_cert.pem, whose private key is in the key.pem file, for import. The intermediate CA certificate is in the intermediate_CA.pem file and the root CA certificate is in the root_CA.pem file.

To prepare a TLS certificate signed by a certification authority for import into Kaspersky Secure Mail Gateway:

  1. In the private key file, remove the password (if any) that protects the key. To do so, execute the command:

    # openssl rsa -in <name of the private key file>.pem -out <name of the private key file with the password removed>.pem

    For example, you can execute the following command:

    # openssl rsa -in key.pem -out key-nopass.pem

  2. Do one of the following:
    • If you are certain that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key, server certificate, intermediate and root CA certificates into a single file. To do so, execute the command:

      % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the intermediate CA certificate>.pem <name of the root CA certificate>.pem > <name of the TLS certificate after the files were combined>.pem

      For example, you can execute the following command:

      % cat key-nopass.pem server_cert.pem intermediate_CA.pem root_CA.pem > cert.pem

    • If you are not sure that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key and server certificate into a single file. To do so, execute the command:

      % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem > <name of the server certificate after the files were combined>.pem

      For example, you can execute the following command:

      % cat key-nopass.pem server_cert.pem > cert.pem

The TLS certificate signed by the certification authority (for example, cert.pem) is ready for import into Kaspersky Secure Mail Gateway.
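As an added example (not part of the Kaspersky documentation), the following POSIX shell script performs the combining step of this procedure and of the self-signed procedure above, then checks the resulting file against the import requirements the help states: PEM format, a single private key with the password removed, placed before the server certificate and its chain. The make_bundle, check_import_bundle and key_bits functions and the placeholder PEM bodies are constructed for this example; key_bits calls openssl and only works on a real key, so it is not run on the placeholders.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation: performs the
# "cat ... > cert.pem" step of the two procedures above and checks the result
# against the stated import requirements (PEM format, one private key with the
# password removed, key first, then the server certificate and its chain).
# The PEM bodies below are constructed placeholders, not real keys or certificates.

# make_bundle OUT KEY SERVER_CERT [INTERMEDIATE_CA [ROOT_CA]]: key first, then the chain.
make_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# check_import_bundle FILE: returns 0 if FILE looks importable, 1 with a reason.
check_import_bundle() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty"; return 1; }
    # Headers left by a password-protected key; the gateway rejects such files.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: private key is still password-protected"; return 1
    fi
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "$f: need exactly one private key, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "$f: no certificate block found"; return 1; }
    # The first PEM block must be the key; the certificates follow it.
    case $(sed -n '/^-----BEGIN/{p;q;}' "$f") in
        *"PRIVATE KEY"*) ;;
        *) echo "$f: private key must come before the certificates"; return 1 ;;
    esac
    echo "$f: OK, $certs certificate(s) after the key"
}

# key_bits KEYFILE: RSA key length in bits (must be >= 1024); needs openssl and a real key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# Constructed sample files in a scratch directory (left in place for inspection).
work=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$work/key-nopass.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00' '' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$work/key.pem"
for c in server_cert intermediate_CA root_CA; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER $c" '-----END CERTIFICATE-----' > "$work/$c.pem"
done

make_bundle "$work/cert.pem" "$work/key-nopass.pem" "$work/server_cert.pem" "$work/intermediate_CA.pem" "$work/root_CA.pem"
make_bundle "$work/bad-order.pem" "$work/server_cert.pem" "$work/key-nopass.pem"   # certificate before key
make_bundle "$work/bad-encrypted.pem" "$work/key.pem" "$work/server_cert.pem"       # password not removed
for b in cert bad-order bad-encrypted; do
    check_import_bundle "$work/$b.pem" || :   # the two bad-* bundles are expected to be rejected
done
```

On a real key-nopass.pem, `key_bits key-nopass.pem` prints the modulus length so you can confirm the 1024-bit minimum before import.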

Importing the TLS certificate from file

Before importing TLS certificates via the web interface of Kaspersky Secure Mail Gateway, you have to prepare them for import.

You can prepare certificates of the following types for import: self-signed certificates (see Preparing a self-signed TLS certificate for import) and certificates signed by a certification authority (see Preparing to import a TLS certificate signed by a certification authority).

Self-signed certificates are normally used to test and debug SSL and TLS encryption of connections. On public servers, you are advised to use certificates signed by a certification authority (CA-signed certificates).

To import a TLS certificate from file:

  1. In the main window of the application web interface, open the management console tree and select the Encryption Keys section and TLS subsection.
  2. Click the Import from file button in the upper part of the workspace.

    The Import TLS certificate window opens.

  3. In the TLS certificate name field, type the name that you want to assign to the TLS certificate being imported.
  4. Click the Browse button to the right of the Choose TLS certificate file field.

    The file selection window opens in the web browser that you use.

  5. Choose the file of the TLS certificate that you want to import and click the Open button in your web browser.

    The certificate file must be prepared as described in Preparing a self-signed TLS certificate for import or Preparing to import a TLS certificate signed by a certification authority: it must contain the TLS certificate and the private TLS key, and it must have the pem extension. The private key must not be encrypted or password-protected.

    The file selection window closes.

  6. Click OK.

    The Import TLS certificate window closes.

The TLS certificate appears in the list of TLS certificates in the workspace of the main window of the application web interface.
