On the Deep Discovery Email Inspector web console, there are three options that can be selected in Administration > Mail Settings > Connections > Transport Layer Security:

Click image to enlarge

• Enable incoming TLS

  By default, this one is not checked, it means Deep Discovery Email Inspector does not use TLS. If upstreamMTA must use TLS for mail transfer, it will fail to send the email to Deep Discovery Email Inspector and returns an error message similar to the following:

  :

  TLS is required, but was not offered by host 192.168.37.155[192.168.37.155]

  If this option is checked, it means Deep Discovery Email Inspector uses TLS opportunistically. The TLS connection will be established between Deep Discovery Email Inspector and upstream MTA whenever possible.

• Only accept SMTP connection through TLS

  This option can only be checked when the "Enable incoming TLS" option is checked.

  If this option is checked, the TLS connection is mandatory between Deep Discovery Email Inspector and the upstream MTA. If the upstream MTA does not use TLS, the connection will fail.

• Enable outgoing TLS

  By default, this option is not selected, it means Deep Discovery Email Inspector does not use TLS for outgoing emails. If downstream MTA must use TLS, Deep Discovery Email Inspector will fail to send the email to the downstream MTA.

  If this option is selected, and the downstream MTA does not use TLS, Deep Discovery Email Inspector cannot send the email to it and returns an error message similar to the following:

  Jan 25 10:03:24|1548410604|ddei31en155 postfix/smtp[30521]: B46B1B213F6: to=<daniel_zhai@cncorelab.com>, relay=192.168.37.109[192.168.37.109]:25, delay=4, delays=3.8/0.01/0.1/0.08, dsn=4.7.0, status=deferred (host 192.168.37.109[192.168.37.109] said: 421 4.7.0 <cncorelabtest@sina.com>: Sender address rejected: Must not use TLS (in reply to MAIL FROM command))