Inbound TLS/SSL

• download TLS/SSL Toolkit
   
• extract CACert.pem into the CERT or the program directory
   
• extract TLSCert.pem into the CERT\PRIV or the program directory
   
• select Options->System->TLS/SSL and enable TLS/SSL for inbound messages
  
  Set the fields as follows:
   

  Certificate authority certificate file:	CACert.pem
  Server certificate file:	TLSCert.pem
  Server private key file:	TLSCert.pem

  
  Thereafter the program is ready to accept TLS/SSL negotiations from the sender.

Outbound TLS/SSL

By default outbound TLS/SSL is enabled in Options->System->TLS/SSL.

Therefore XWall will negotiate TLS/SSL with every MTA that annouces it.

Mandatory TLS/SSL

Sometimes there is the need to make a TLS/SSL connection mandatory for a specific domain.
This means that the message is not sent in the case there is a problem with the TLS/SSL connection.

To enforce TLS/SSL for domains add the following lines to XWall.ini

• for inbound connections
  
  InboundSMTPTLSReqired=trusted-sender.com
  InboundSMTPTLSReqired=hotmail.com
   
• for outbound connections
  
  OutboundSMTPTLSReqired=secure-bank.com
  OutboundSMTPTLSReqired=trusted-recipient.com
   

To enforce TLS/SSL for an IP address or a host name add the following lines to XWall.ini

• for inbound connections
  
  InboundSMTPTLSRequiredHost=mail.trusted-sender.com
  InboundSMTPTLSRequiredIP=176.12.17.0/24

Testing TLS/SSL

telnet localhost 25 [enter]

Once the connection is established type

EHLO something [enter]

and XWall shows all ESMTP capabilties.

This looks somethig like:

250-yourserver.domain.com
250-ENHANCEDSTATUSCODES
250-ETRN
250-DSN
250-PIPELINING
250-8BITMIME
250-PRIORITY
250-CHUNKING
250-STARTTLS
250-SIZE
250 XXWALL30


If 250-STARTTLS is present, the sender can negotiateTLS. Else the logfile of XWall will show you the reason why the certificate couldn't be initialized.