PKI

From Halon Security

There are many reasons for using TLS, but the main one is to prevent man-in-the-middle attacks while transferring data over a public medium (the Internet). The H/OS 2 mail gateways (SPG/VSP) support the STARTTLS command if configured to do so, but do not support implicit SSL (TLS on a dedicated port, without STARTTLS), since that mode is deprecated. You may, and should, configure your own certificate in order to gain security and protect against man-in-the-middle attacks. Your certificate should preferably not be self-signed; buy one from a trusted CA instead, so that clients trust it automatically. Keep in mind that encryption alone does not stop an active attacker: the peer must also verify the certificate, which is why where the certificate comes from matters. TLS is also supported when delivering mail.

The VSP/SPG support the concept of a Public Key Infrastructure (using TLS) for their SMTP listeners and for verifying remote SMTP servers. Certificates are added on the Certificates tab in the Security section. You may add either a local certificate (in PEM format, containing both a BEGIN CERTIFICATE and a BEGIN RSA PRIVATE KEY block), which can be either a paid-for certificate from a commonly trusted CA (for example http://www.verisign.com) or a self-signed one (http://www.openssl.org/docs/HOWTO/certificates.txt), or a trusted remote certificate (a public key). Adding a trusted remote certificate is only necessary if the remote certificate is self-signed and cannot be verified otherwise.

For mail transports, if the remote certificate cannot be verified against a trusted CA (for example because it is self-signed), the gateway queries its internal database of trusted remote certificates.

Generate Self-Signed Certificates

You may create a self-signed certificate on the VSP/SPG: go to Diagnostics -> Command and run the "Generate Certificate" tool. Answer a few questions (country, company, name...) and copy all the output from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE-----, inclusive. Then go to the certificates configuration page (Security -> Certificates) and create a new "Local Certificate" from that text. Note that the tool, as shown below, generates a 1024-bit RSA key, which is considered too weak today, and that a self-signed certificate only gives you encryption, not authentication, unless the peer has been given the certificate to trust explicitly.

Generating a 1024 bit RSA private key
.....++++++
................++++++
writing new private key to '/dev/stdout'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:VG
Locality Name (eg, city) []:Gothenburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Halon Security
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Halon Support
Email Address []:support@halonsecurity.com
-----BEGIN RSA PRIVATE KEY-----
(data truncated)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(data truncated)
-----END CERTIFICATE-----
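As an added example (not Halon's "Generate Certificate" tool, and not part of the original page), the same result can be produced with the openssl command line, with a 2048-bit key and a subjectAltName for the gateway hostname, plus a check that the pasted bundle really contains a key and a certificate that belong together. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname and the DN values are placeholders.

```shell
#!/bin/sh
# Added example (not Halon's "Generate Certificate" tool): build an
# equivalent self-signed local certificate with the openssl command line,
# but with a 2048-bit key and a subjectAltName for the gateway hostname.
# Assumes OpenSSL 1.1.1 or later (for -addext); hostname and DN values
# are placeholders.
set -eu

# generate_local_cert HOSTNAME OUTFILE
# Writes a combined PEM file: the private key in the traditional
# "BEGIN RSA PRIVATE KEY" form, followed by the certificate, which is the
# layout the "Local Certificate" form expects to be pasted.
generate_local_cert() {
    host=$1; out=$2
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        -subj "/C=SE/ST=VG/L=Gothenburg/O=Halon Security/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    # Newer OpenSSL writes PKCS#8 ("BEGIN PRIVATE KEY") by default;
    # convert to the PKCS#1 form shown on this page.
    openssl pkey -in "$tmp/key.pem" -traditional -out "$tmp/rsa.pem"
    cat "$tmp/rsa.pem" "$tmp/cert.pem" > "$out"
    rm -rf "$tmp"
}

# check_local_cert FILE
# Succeeds only if FILE holds both PEM blocks and the private key really
# belongs to the certificate (identical public key). A mismatched pair
# would only be noticed when the TLS listener fails at handshake time.
check_local_cert() {
    f=$1
    grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Usage:
#   generate_local_cert mail.example.com local.pem && check_local_cert local.pem
```

The check compares the SubjectPublicKeyInfo extracted from the key with the one embedded in the certificate; run it on the bundle before pasting it into the "Local Certificate" form, especially when key and certificate were produced in separate steps.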

Install a public key using OpenSSL

Go to Security -> Certificates and install a new "Remote Certificate" containing the public key (the peer's certificate, in PEM format). You may fetch the certificate using OpenSSL, but be warned that this is not a secure way to obtain it if you are already subject to a man-in-the-middle attack: you would fetch, and then trust, the attacker's certificate. You should instead obtain the certificate from the original copy installed on the remote server, or at least compare the fingerprint of the fetched certificate with one obtained out of band; extracting it from the server is not covered in this documentation.

openssl s_client -starttls smtp -connect smtp.google.com:25 -showcerts

Use the first "-----BEGIN CERTIFICATE-----" section. It is the server's own certificate; any following sections are the issuing chain it presents.
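The steps above, as an added example that is not part of the original page: keep only the first certificate from the s_client output, compare its fingerprint against one obtained out of band before trusting it, and verify a remote certificate the way the gateway does (CA store first, then the list of trusted remote certificates, here modelled as a directory of PEM files). Host names and paths are placeholders; the fetch function needs network access, everything else runs offline.

```shell
#!/bin/sh
# Added example, not part of the Halon documentation. Host names, ports
# and the trusted-certificate directory are placeholders.
set -eu

# first_pem_cert
# Filter stdin and emit only the first
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block, i.e.
# the server's own certificate from "openssl s_client -showcerts".
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# fetch_leaf_cert HOST [PORT]
# Fetch the leaf certificate over STARTTLS (insecure on its own if a
# man-in-the-middle is already in place; always pin-check afterwards).
fetch_leaf_cert() {
    openssl s_client -starttls smtp -connect "$1:${2:-25}" -showcerts \
        </dev/null 2>/dev/null | first_pem_cert
}

# cert_fingerprint FILE
# SHA-256 fingerprint of a PEM certificate, colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_pinned FILE EXPECTED_FINGERPRINT
# Succeeds only if FILE matches the fingerprint obtained out of band
# (phone call, the remote admin's own copy, ...).
verify_pinned() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# verify_remote_cert FILE TRUSTED_DIR
# Mirror the gateway's transport behaviour: accept if the system CA store
# verifies the certificate, otherwise fall back to the explicitly trusted
# remote certificates (one PEM file each in TRUSTED_DIR).
verify_remote_cert() {
    openssl verify "$1" >/dev/null 2>&1 && return 0
    for t in "$2"/*.pem; do
        [ -f "$t" ] || continue
        openssl verify -CAfile "$t" "$1" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Usage:
#   fetch_leaf_cert smtp.google.com > remote.pem
#   verify_pinned remote.pem 'AB:CD:...'   # fingerprint obtained out of band
#   verify_remote_cert remote.pem /etc/mail/trusted-remote
```

A self-signed certificate fails the first branch of verify_remote_cert and is only accepted once its own copy sits in the trusted directory, which is exactly the situation in which the page says a "Remote Certificate" entry is needed.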
