
Email MTA setup

I am really just looking to know, which certificate from my Exchange server should I be importing into the MTA configuration for TLS decryption/encryption? I was going to use a .cer certificate I exported for use in another area in my Checkpoint console for sending emails, but it looks like the MTA configuration wants a p12 cert. Screenshot attached for clarity.

4 Replies

I'm assuming you're configuring the MTA feature for the incoming mail flow, so that being the case, you'll need the certificate from your public MTA (usually an anti-spam placed in the DMZ, statically NATed to a public IP address), in order to allow the gateway to inspect the mails inside the TLS session before they arrive at the perimeter.

To verify the MTA's public IP for your domain you can check it out here: MX Lookup Tool - Check your DNS MX Records online - MxToolbox 

I don't know which certificate you would need if your Check Point gateway is in fact your public MTA... Or maybe in that case you wouldn't need to enable SMTP/TLS at all; maybe some other user can confirm or correct me.

The certificate format allowed for import from your public MTA depends on which type of mail server you're using. If it's Postfix, it should be pretty straightforward and you can check in the configuration files where the cert and keyfile are located.

For other solutions you should check the corresponding manuals, and maybe you'll need to convert the original certificate format (usually it comes as binary, like .crt, .cer or .pem) to P12 (and you can use your Check Point box for it, as it includes OpenSSL binaries):

# cpopenssl pkcs12 -export -out cert.p12 -in cert.cer -inkey keyfile

(and as you can see, you will need the private key file corresponding to that certificate).

Hope it helped.

0 Kudos
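
The conversion described in the reply above, as an added example that is not part of the original posts: it accepts a PEM or binary (DER) certificate and checks that the private key matches before exporting the .p12. The function names, the `OPENSSL` and `P12_PASS` variables, and the use of plain `openssl` outside a gateway are assumptions, and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Builds a PKCS#12 file from a
# certificate and private key, refusing to export if they do not match.
# Assumption: on a Check Point gateway run with OPENSSL=cpopenssl.
OPENSSL="${OPENSSL:-openssl}"

# cert_to_pem CERT OUT: normalise a PEM or DER (binary .cer) certificate to PEM.
cert_to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        "$OPENSSL" x509 -in "$1" -out "$2"
    else
        "$OPENSSL" x509 -inform DER -in "$1" -out "$2"
    fi
}

# cert_key_match CERT_PEM KEY: succeed only if both carry the same public key.
cert_key_match() {
    cert_pub=$("$OPENSSL" x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$("$OPENSSL" pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 CERT KEY OUT: export password is read from the P12_PASS variable.
make_p12() {
    tmp=$(mktemp) || return 1
    if ! cert_to_pem "$1" "$tmp" 2>/dev/null; then
        echo "cannot parse certificate: $1" >&2
        rm -f "$tmp"; return 1
    fi
    if ! cert_key_match "$tmp" "$2"; then
        echo "private key does not match certificate" >&2
        rm -f "$tmp"; return 1
    fi
    "$OPENSSL" pkcs12 -export -in "$tmp" -inkey "$2" -out "$3" \
        -passout env:P12_PASS
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: P12_PASS=... sh make_p12.sh cert.cer keyfile cert.p12
if [ "$#" -eq 3 ]; then
    make_p12 "$@"
fi
```

The resulting .p12 contains the private key, so it needs the same handling as the key file itself.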

Thank you, to confirm, this would be for incoming mail flow. Thinking that through now, I use a Symantec cloud service for anti-spam, so my MX points to them and then they of course forward the mail to my Exchange.

Would I need the cert from Symantec or from my Exchange (public side)?

0 Kudos

Hi Tim, yes, you should get the certificate used by Symantec. And, depending on the supported format for import, you'll maybe have to convert it to .p12. You could refer to the documentation of the cloud service in order to know how to get the certificate and which formats it supports (I personally have done something similar, but with TrendMicro cloud service).

For the next hop of the mail flow (the forward to Exchange server) you don't need any certificate, as the gateway has already decrypted the TLS session to inspect the mails (and more importantly, block malicious emails). 

To get a better understanding of the TLS configuration for the MTA setup, think of HTTPS inspection: in order to allow the gateway to inspect HTTPS traffic, it needs the certificate used by the clients to allow the decryption of the HTTPS session and finally enable the inspection. This is (roughly) the same case.

Employee Alumnus

Hi Tim,

this is the diagram if I understood correctly:

      Symantec Cloud MTA <-> Check Point MTA <-> Internal Exchange

So if we take a look at the incoming mail flow:

      Symantec Cloud MTA -> Check Point MTA -> Internal Exchange

The Symantec MTA wants to start a TLS encrypted SMTP session with the Check Point MTA. So it requests the public certificate from the Check Point MTA to encrypt the emails with. The Check Point MTA will send its public key part from the .p12 certificate to the Symantec MTA.

The .p12 certificate you imported here includes a public key - for the sending mail server to encrypt mails TO the CP MTA - and a private key for the CP MTA to decrypt the emails.

So now the flow is as follows:

      Symantec Cloud MTA (encrypts mails with public key of CP MTA) -> Check Point MTA (decrypts incoming mails from Symantec MTA with its private key) -> Internal Exchange

Last step, if you also want to make the CP MTA try to encrypt outgoing mails to your internal mailserver, is this:

If you need outgoing email encryption add the following line to $FWDIR/conf/ and reinstall the TP policy on the gateway:




Don't use other Postfix TLS parameters like smtp_tls_security_level=may because they may cause serious issues, e.g. bypassing TE.

Now your incoming mail flow is fully encrypted.

Regards Thomas

