SMTP over TLS with the SecureMail Gateway

SMTP over TLS with the SecureMail Gateway

An ever increasing number of mail services and services now support "opportunistic" TLS encryption for emails. When an email is delivered from one mail server to another, it can use an encrypted tunnel to send the email. Since this requires a certificate for the server and additional overhead in both computational time and network load, many services do not support TLS, and most still do not require TLS connections.
The SecureMail Gateway offers multiple methods to secure your emails. When sending to a recipient that has an S/MIME email certificate (i.e. another GlobalCerts customer), the system will utilize automatic S/MIME encryption. When sending to a recipient with no certificate capabilities, it will default to using SecureMessenger secure web portal for delivery. However, the SMG can also utilize SMTP over TLS (STARTTLS) to encrypt messages to recipients if available. The SMG administrator can specify certain recipient domains to enforce TLS encryption with, rather than using SecureMessenger.

Steps to set up a TLS connection with a partner domain:

  1. Login to your SMG administration
  2. Navigate to "Network Configuration" -> "Mail Options"
  3. In the section labelled "TLS Connection Settings" enter the partner domain(s).
  4. Click the "Set" button. Changes will take effect in 1 minute or less.
  5. Send a test message to ensure it sends successfully.

NOTE: '' will also match all sub-domains like ''. You may also enter particular users ('') rather than entire domains. If you enter a blank line in this section, it will require TLS with EVERY recipient domain.

To ensure that your emails remain encrypted from end to end, it is important that you determine that all 'hops' in the recipient's inbound mail path enforce the use of secure TLS connections or are adequately secured. Mail flows involve multiple server hops before emails finally reach the end user, and ALL of these relays should enforce strong TLS encryption. It is not enough to check that their receiving (MX) server supports TLS. For instance the organization may use a cloud based Anti-Spam/Anti-Virus as their inbound mail service which may support opportunistic TLS with incoming connections, but it may not utilize a TLS connection when relaying the message to the on-premise mail server.

Error Messages:

If the recipient domain's mail server does NOT support at least a 112-bit encrypted connection, the message will bounce back to the sender with a non-delivery report (NDR):
503 5.7.0 encryption too weak 0 less than 112

If you would like to require stronger encryption or need something more specific, please contact us for assistance.

    • Related Articles

    • SecureMail Gateway Administration

      The GlobalCerts SecureMail Gateway is administered through a secure web portal on a special port. In order to access your administration, open a browser and enter your SMG's hostname followed by port 444 into the URL bar. For example: ...
    • End User Training for the SMG

      The attached document contains detailed walkthroughs on how to send and receive secure emails using the SecureMail Gateway solution.
    • How does the SecureMail Gateway work with other S/MIME encryption solutions?

      In this article, we will explain how GlobalCerts' email encryption solutions can also work to allow you to automatically encrypt emails via S/MIME to 3rd parties that have an email certificate. We will also show how 3rd parties can encrypt emails to ...
    • How do I update the SMG's SSL Certificate?

      Please follow these instructions to update the SSL/TLS certificate on your SecureMail Gateway: Login to the web administration at Click on Certificate -> Upload in the top menu. Copy/Paste your new certificate in PEM ...
    • Routing Mail From Microsoft 365 To Your SMG

      If you are using Microsoft 365 as your mail service, setting up your mail flow to include GlobalCerts SecureMail Gateway(s) is done using a 'Connector' and routing rules. First you need to set up a connector to your SMG. Then, you'll create mail flow ...