Proofpoint, Inc.

How TLS Delivery Occurs

Situation: You want to use TLS to ensure secure mail transport for your outbound mail.
Solution

This article describes TLS behavior from Proofpoint's sender and recipient points of view, and explains the secondary action options:

  • Enforce completely secure SMTP delivery
  • Enforce only TLS on SMTP delivery

 

General TLS information

As of April 2023, Proofpoint Essentials only supports TLS v1.2 or higher, along with a subset of secure ciphers. 

  • If the endpoint we are connecting to does not offer TLS v1.2 or higher, we will not connect.
  • If the endpoint does not use one of the ciphers we use, we will not connect.

In either case, the endpoint will have to upgrade its TLS version and/or its cipher suite. If this is not possible, then TLS may not be usable in this case.

TLS Outbound

This is Proofpoint's sender perspective.

Most customers will want to utilize TLS for outbound, to ensure a secure mail transport.

  • By default, the Proofpoint Essentials outbound relay will use opportunistic TLS for initial sending.
  • If the recipient server does not accept our TLS session, we will fall back to standard transport and deliver anyway.

If an outbound filter is created, the condition should be based on the recipient domain (not the Proofpoint customer). The action should be Nothing, and the secondary action can be either of the following options:

Enforce Completely Secure SMTP Delivery

  • The sender must have a valid certificate in place.
  • The domain name used to send must exactly match the domain on the certificate, unless it is a wildcard certificate.
  • If there is no certificate, we will not deliver the email.

Enforce Only TLS on SMTP Delivery

  • No certificate required. The downstream server simply needs to accept the traffic over TLS.
  • If the downstream server does not accept TLS, we will not deliver the email.

TLS Inbound 

This is Proofpoint's recipient perspective. It ensures that mail from the Proofpoint environment to the customer's mail server environment is sent over TLS. By default, we attempt delivery over TLS first.

If an inbound filter is created, the condition should be based on the recipient (the Proofpoint customer), the action should be 'Nothing', and the secondary action can be:

Enforce Completely Secure SMTP Delivery

  • Same as above. Valid certificate with domains matching required, or we will not deliver.

Enforce Only TLS on SMTP Delivery

  • Similar to above. No certificate required, but the server we are passing the mail off to needs to accept the TLS connection, or we will not deliver.

NOTE: Proofpoint will negotiate the TLS. However, we do not do true opportunistic TLS, which attempts the highest cipher strength and then tries the next lower cipher until either a match is made or we finally allow no TLS and connect via plain text. Instead, Proofpoint negotiates according to the cipher list configuration file, in the order listed in that file.
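
To check ahead of time whether a receiving mail server would pass either secondary action, the following added example (not Proofpoint code, and only an approximation of the two modes) probes the server's STARTTLS support with Python's standard library. The mode labels `tls_only` and `completely_secure` and the host name `mail.example.com` are assumptions made for this example.

```python
import smtplib
import ssl


def build_context(mode):
    """TLS settings approximating one secondary action (labels are this example's own)."""
    ctx = ssl.create_default_context()
    # The article states that only TLS v1.2 or higher is supported.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The supported cipher subset is not listed in the article, so the
    # library's default cipher list is left unchanged here.
    if mode == "tls_only":
        # "Enforce Only TLS": the session must be encrypted, certificate not checked.
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif mode != "completely_secure":
        raise ValueError(f"unknown mode: {mode}")
    # "Enforce Completely Secure": keep the defaults, which require a trusted
    # certificate chain and a name on the certificate that matches the host.
    return ctx


def probe(host, mode, port=25, timeout=15):
    """Return (would_deliver, detail) for one server under the given mode."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "STARTTLS not offered"
            smtp.starttls(context=build_context(mode))
            return True, f"{smtp.sock.version()} {smtp.sock.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # mail.example.com is a placeholder; substitute the server under test.
    for mode in ("tls_only", "completely_secure"):
        print(mode, probe("mail.example.com", mode))
```

A server that passes `tls_only` but fails `completely_secure` is encrypting the session with a certificate that is untrusted, expired, or issued for a different name.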

 

Filter creation

Please see this KB on how to create a filter.

  • In the DO section, use Nothing for the first part.
  • Keep in mind the above TLS items.

 

 

Last Reviewed: 2023-05-03