Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances

Chapter 28: Authenticating SMTP Sessions Using Client Certificates

Overview of Certificates and SMTP Authentication
The Email Security appliance supports the use of client certificates to authenticate SMTP sessions between the Email Security appliance and users’ mail clients. The Email Security appliance can request a client certificate from a user’s mail client when the application attempts to connect to the appliance to send messages. When the appliance receives the client certificate, it verifies that the certificate is valid, has not expired, and has not been revoked. If the certificate is valid, the Email Security appliance allows an SMTP connection from the mail application over TLS.

Organizations that require their users to use a Common Access Card (CAC) for their mail clients can use this feature to configure the Email Security appliance to request a certificate that the CAC and ActivClient middleware application will provide to the appliance.

You can configure the Email Security appliance to require users to provide a certificate when sending mail, but still allow exceptions for certain users. For these users, you can configure the appliance to use the SMTP authentication LDAP query to authenticate the user.

Users must configure their mail client to send messages through a secure connection (TLS) and accept a server certificate from the appliance.
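
As an added illustration (not Cisco's code and not part of the original guide), this Python sketch models the decision flow described above: validity period and revocation checks on a presented certificate, with an SMTP AUTH fallback for excepted users. The certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The names `check_client_cert`, `authorize_session`, `exempt_users` and `smtp_auth_ok` are hypothetical, the sample certificate is constructed, and denying a presented but failing certificate even for excepted users is an assumption of this sketch.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns
# once the TLS layer has validated the chain against a trusted CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "alice@example.com"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

def check_client_cert(cert, revoked_serials, now):
    """Return (ok, reason) for the checks named in the overview."""
    if not cert:  # None or {}: no validated certificate was presented
        return False, "no validated certificate"
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "not yet valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "expired"
    if cert["serialNumber"].upper() in revoked_serials:
        return False, "revoked"
    return True, "certificate accepted"

def authorize_session(user, cert, revoked_serials, now, exempt_users, smtp_auth_ok):
    """Decide whether an SMTP session over TLS may send mail.

    exempt_users: users excepted from the certificate requirement.
    smtp_auth_ok: hypothetical callable standing in for the SMTP
    authentication LDAP query; returns True when credentials verify.
    """
    if cert:
        # Assumption of this sketch: a presented certificate that fails a
        # check is denied outright, with no fallback to SMTP AUTH.
        ok, reason = check_client_cert(cert, revoked_serials, now)
        return ("allow" if ok else "deny"), reason
    if user in exempt_users and smtp_auth_ok(user):
        return "allow", "exception: SMTP AUTH via LDAP query"
    return "deny", "client certificate required"

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    print(authorize_session("alice", SAMPLE_CERT, set(), now, set(), lambda u: False))
    print(authorize_session("alice", SAMPLE_CERT, {"0A1B2C"}, now, set(), lambda u: False))
    print(authorize_session("bob", None, set(), now, {"bob"}, lambda u: True))
```
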
Related Topics