How can you disable TLS Encryption for all hosts instead of just a few?

The TLS SSL encryption isn't operating too well.  I've found 2 hosts I have to skip in opportunistic TLS.  How can I either a) turn opportunistic TLS off in MTA Mode, or b) add an "Any" host into the Skip TLS encryption list?  I can't add as a host in Hosts and Services - and unlike in UTM9, the XG doesn't have predefined hosts for Internet IPv4 or Internet IPv6.

I can't spend my time digging through email logs wondering what host the opportunistic TLS is going to crash on next.

  • Hi Chris,

    Even if I do not recommend this, it can be done this way:

    Yours Lukas

  • In reply to lna:

    Ina, thanks for the clarification.  However the netmask on that nearly any definition only defines 2 IPs. and - is that going to do the trick, like is that the way I need to input since it covers, and thus it will then be the I'm looking for, even if the subnet is /31?

    You're right, I'd much rather not have to do this as well.  Opportunistic TLS is awesome.  And when I use it in UTM9, it's great.  In XG Firewall, not so much.  I'm trying to get a bug I found with it defined in where if there are multiple recipients in a message, and the TLS encryption engine encounters an error, it freezes the message and only delivers to some (or no) recipients. 

  • In reply to Chris Shipley:

    Hi Chris,

    Please take a closer look at the screenshot - it says IP Range, not Network ;)

    You are not allowed to configure (undefined IP) to (broadcast) as a range, therefore go plus one / minus one

    and use to --> "nearly any"


    Yours Lukas

  • In reply to lna:

    aha...  yep. right.  Thanks :)