On the DDEI web console, there are three options that can be selected in Administration > Mail Settings > Connections > Transport Layer Security:
- Enable incoming TLS
By default, this option is not checked, which means DDEI does not use TLS. If the upstream MTA must use TLS for mail transfer, it will fail to send the email to DDEI and return an error message similar to the following:
:TLS is required, but was not offered by host 192.168.37.155[192.168.37.155]
If this option is checked, DDEI uses TLS opportunistically. The TLS connection will be established between DDEI and the upstream MTA whenever possible.
- Only accept SMTP connection through TLS
This option can only be checked when the "Enable incoming TLS" option is checked.
If this option is checked, the TLS connection is mandatory between DDEI and the upstream MTA. If the upstream MTA does not use TLS, the connection will fail.
- Enable outgoing TLS
By default, this option is not selected, which means DDEI does not use TLS for outgoing emails. If the downstream MTA must use TLS, DDEI will fail to send the email to the downstream MTA.
If this option is selected, and the downstream MTA does not use TLS, DDEI cannot send the email to it and returns an error message similar to the following:
Jan 25 10:03:24|1548410604|ddei31en155 postfix/smtp[30521]: B46B1B213F6: to=<daniel_zhai@cncorelab.com>, relay=192.168.37.109[192.168.37.109]:25, delay=4, delays=3.8/0.01/0.1/0.08, dsn=4.7.0, status=deferred (host 192.168.37.109[192.168.37.109] said: 421 4.7.0 <cncorelabtest@sina.com>: Sender address rejected: Must not use TLS (in reply to MAIL FROM command))
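
Both error messages above can be picked out of a delivery log automatically, so a relay whose TLS settings do not match DDEI's stands out. The following Python is an added example, not Trend Micro code: it assumes the pipe-delimited line layout of the log line quoted above, and the function names, failure labels and the second and third sample lines are constructed for illustration.

```python
import re

# Layout assumed from the log line quoted above:
# <date>|<epoch>|<host> postfix/smtp[pid]: <queue id>: to=<rcpt>, relay=..., dsn=..., status=... (reason)
DELIVERY = re.compile(
    r"^(?P<date>[^|]+)\|(?P<epoch>\d+)\|(?P<host>\S+) postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Reason texts taken from the two error messages on this page; the labels are hypothetical.
TLS_REASONS = {
    "tls_not_offered": re.compile(r"TLS is required, but was not offered"),
    "peer_rejected_tls": re.compile(r"Must not use TLS"),
}

def classify(line):
    """Return details of a TLS-related delivery failure, or None for any other line."""
    m = DELIVERY.match(line.strip())
    if not m or m["status"] == "sent":
        return None
    for kind, pattern in TLS_REASONS.items():
        if pattern.search(m["reason"]):
            return {"kind": kind, "queue_id": m["qid"], "recipient": m["rcpt"],
                    "relay": m["relay"], "dsn": m["dsn"], "status": m["status"]}
    return None

def tls_failures_by_relay(lines):
    """Group TLS-related failures by relay so a peer with mismatched TLS settings stands out."""
    grouped = {}
    for line in lines:
        hit = classify(line)
        if hit:
            grouped.setdefault(hit["relay"], []).append(hit["kind"])
    return grouped

SAMPLE = [
    # Log line quoted on this page.
    "Jan 25 10:03:24|1548410604|ddei31en155 postfix/smtp[30521]: B46B1B213F6: to=<daniel_zhai@cncorelab.com>, relay=192.168.37.109[192.168.37.109]:25, delay=4, delays=3.8/0.01/0.1/0.08, dsn=4.7.0, status=deferred (host 192.168.37.109[192.168.37.109] said: 421 4.7.0 <cncorelabtest@sina.com>: Sender address rejected: Must not use TLS (in reply to MAIL FROM command))",
    # Constructed: a successful delivery, which must not be flagged.
    "Jan 25 10:05:01|1548410701|ddei-example postfix/smtp[30600]: C12AB34CD56: to=<user@example.com>, relay=192.0.2.10[192.0.2.10]:25, delay=0.5, delays=0.1/0.01/0.2/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F1E2A)",
    # Constructed: the "not offered" message placed in the same line layout.
    "Jan 25 10:06:12|1548410772|ddei-example postfix/smtp[30611]: D98FE76BA54: to=<user@example.net>, relay=192.0.2.20[192.0.2.20]:25, delay=1.2, delays=0.9/0.01/0.2/0.09, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 192.0.2.20[192.0.2.20])",
]

if __name__ == "__main__":
    for relay, kinds in tls_failures_by_relay(SAMPLE).items():
        print(relay, kinds)
```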