SteelHead™ Deployment Guide - Protocols : Secure SMTP Optimization
  
Secure SMTP Optimization
In RiOS v7.0 or later, you can securely communicate over the Internet with Secure Simple Mail Transfer Protocol (SMTPS). This chapter includes the following sections:
  • Configuring Microsoft Exchange Servers for Secure SMTP
  • Configuring the SteelHead for START-TLS Support
    SMTP is the standard for email transport across the Internet and the standard communication method for Microsoft Exchange hub servers in Exchange 2007 to Exchange 2013. Prior to RiOS v7.0, SMTP or SMTPS was sent through the SteelHead as a pass-through connection. Because the SMTP session was set up prior to the encrypted session, you could not determine when to start SSL traffic optimization.
    RiOS v7.0 or later supports StartTLS for TLS and SSL to detect the start of an SMTPS connection, and supports early finish, which lets the encrypted (TLS or SSL) connection terminate without disconnecting the SMTP session. This makes more efficient use of the protocol, because a handshake is not performed for every email sent using SMTPS.
    For more information about SSL, see SSL Deployments. For more information about delayed start TLS, see Mid-Session SSL Support.
    Figure 6‑1. SMTP Connection
    Figure 6‑1 shows what happens when the START-TLS command is issued after the initial SMTP connection is established. Prior to RiOS v7.0, there was no way to determine that an encrypted session had started, so traffic optimization results on the port were low. It was common to enter a pass-through rule for this connection to prevent unnecessary use of RiOS resources.
    In RiOS v7.0 or later, support for Secure SMTP enables the SteelHead to intercept the START-TLS message after it is issued, which enables the SteelHead to optimize native Secure SMTP traffic.
    Figure 6‑2. Secure SMTP Connection Setup using TLS
    Figure 6‑2 shows the setup of an SMTPS session. First, an unencrypted SMTP session is intercepted and optimized through the SteelHead. When START-TLS is issued, RiOS recognizes that a secure session is imminent and begins the necessary operations to optimize the SSL or TLS session. For more information about SSL optimization, see SSL Deployments.
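    The following Python sketch is an added illustration (it is not part of this guide and not SteelHead code) of the detection point described above: it walks a constructed SMTP exchange and reports where the START-TLS exchange hands the connection over to TLS, which is the message a mid-session SSL optimizer has to start handling as encrypted. It also covers the case where the server refuses the START-TLS request, so the session stays in cleartext; the host names and sample replies are made up.

```python
# Added example (not from the deployment guide, not SteelHead code): walk an
# SMTP exchange and find where START-TLS hands the connection over to TLS.
from typing import Optional

# Constructed sample exchange: ("C", ...) is client -> server, ("S", ...) is
# server -> client. Everything after the server's 220 reply to STARTTLS is the
# TLS handshake followed by encrypted SMTP; a mid-session SSL optimizer must
# switch to its SSL/TLS handling exactly at that point.
SAMPLE_SESSION = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250-STARTTLS"),
    ("S", "250 SIZE 52428800"),
    ("C", "STARTTLS"),
    ("S", "220 Go ahead"),
]

# Constructed sample where the server advertises STARTTLS but then refuses it
# (454 is the RFC 3207 "TLS not available" reply); the session stays cleartext.
SAMPLE_REFUSED = SAMPLE_SESSION[:6] + [
    ("S", "454 TLS not available due to temporary reason"),
    ("C", "MAIL FROM:<alice@example.test>"),
]


def analyze_smtp(session) -> dict:
    """Return {"offered": bool, "tls_start": Optional[int]}.

    "offered" is True when the EHLO reply advertised STARTTLS. "tls_start" is
    the index of the first message that is encrypted, i.e. the one right after
    the server's 220 reply to the client's STARTTLS command, or None when the
    session never switches to TLS (no STARTTLS, or a 4xx/5xx refusal).
    """
    offered = False
    awaiting_reply = False
    for i, (who, line) in enumerate(session):
        text = line.strip()
        if who == "S" and text[:3] == "250" and text[4:].upper() == "STARTTLS":
            offered = True
        elif who == "C" and text.upper() == "STARTTLS":
            awaiting_reply = True
        elif who == "S" and awaiting_reply:
            if text.startswith("220"):
                return {"offered": offered, "tls_start": i + 1}
            awaiting_reply = False  # refusal: the session continues in cleartext
    return {"offered": offered, "tls_start": None}
```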
    Despite having TLS in the name, START-TLS does not mean TLS is necessarily used. Both SSL and TLS are acceptable protocols for securing the communication. If you use TLS 1.1 or 1.2, use the protocol ssl backend client-tls-1.2, protocol ssl backend server-tls-1.2, and secure-peering peer-tls-1.2 commands on both the client-side and server-side SteelHead.