Cisco Email Security Appliance X1050 Information Guide

Contents
Introduction
How do I use TLS to secure unencrypted CRES replies?
Solution
Related Information
Introduction
This document describes how to use Transport Layer Security (TLS) to secure replies from the
Cisco Registered Envelope Service (CRES) so that the recipient does not have to decrypt them,
when CRES is used together with the Cisco Email Security Appliance (ESA).
How do I use TLS to secure unencrypted CRES replies?
By default, replies to a secure email are encrypted by CRES and sent on to your mail gateway.
They then pass through to your mail servers still encrypted, for the user to open with their CRES
credentials.
To avoid the need for the user to authenticate with CRES in order to open the secure reply, CRES
delivers the reply in "unencrypted" form (protected in transit by TLS rather than by envelope
encryption) to mail gateways that support TLS. In most cases the mail gateway is the ESA, and
this article applies.
However, if another mail gateway, such as an external spam filter, sits in front of the ESA, the
certificate/TLS/mail flow configuration on your ESA is not needed, and you can skip steps 1 to 3 in
the Solution section of this document. For unencrypted replies to work in this environment, the
external spam filter (mail gateway) is the appliance that must support TLS. If it does, you can
have CRES confirm this and set you up for "unencrypted" replies in order to secure emails.
Solution
1. Obtain and install a signed certificate and its intermediate certificate on the ESA. Note: It is
   important that you obtain the intermediate certificate from your signing authority, because the
   demo certificate that ships on the appliance causes the CRES verification process to fail.
2. Create a new mail flow policy: From the GUI, choose Mail Policies > Mail Flow Policies >
   Add Policy..., enter a name, and leave everything else at default except Security Features: TLS,
   which you set to Required.
3. Create a new sender group: From the GUI, choose Mail Policies > HAT Overview > Add
   Sender Group..., enter a name, and set the order number to #1. You can also enter an optional
   comment. Choose the mail flow policy you created in step 2. Leave everything else blank.
   Click Submit and Add Senders >>.
4. In the Sender field, enter these IP ranges and hostnames:
5. Submit and commit the changes.
6. After you are confident the ESA is prepared for TLS from the CRES servers, follow the steps
   in
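A readiness check for the final step, added here as an example and not part of Cisco's documentation: it connects to your gateway the way a strict TLS peer would, confirms that STARTTLS is advertised, and verifies the presented chain against the local CA store, reporting a missing intermediate or a leftover demo certificate, the two failures the note about the intermediate certificate warns about. It assumes CRES verifies the chain the way a default OpenSSL context does; the gateway hostname is supplied on the command line, and the mapping from OpenSSL error text to cause is a heuristic.

```python
import smtplib
import ssl
import sys

def parse_ehlo_extensions(ehlo_message: bytes) -> set:
    """Keywords from an EHLO reply; smtplib strips '250-' and the first line
    is the server greeting, each later line names one extension."""
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}

def classify_verify_error(message: str) -> str:
    """Map an OpenSSL chain-verification failure to the likely ESA cause (heuristic)."""
    msg = message.lower()
    if "unable to get local issuer certificate" in msg:
        return "intermediate certificate missing from the ESA certificate chain"
    if "self signed" in msg or "self-signed" in msg:
        return "self-signed (demo) certificate still installed on the ESA"
    if "hostname mismatch" in msg:
        return "certificate subject does not match the gateway hostname"
    return "certificate chain rejected: " + message

def check_gateway_tls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to the gateway, require STARTTLS and verify its certificate chain
    against the local CA store, as a strict sending peer would."""
    result = {"host": host, "starttls": False, "verified": False, "detail": ""}
    ctx = ssl.create_default_context()  # full chain + hostname verification
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        _code, message = smtp.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(message):
            result["detail"] = "gateway does not advertise STARTTLS"
            return result
        result["starttls"] = True
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            result["detail"] = classify_verify_error(str(exc))
            return result
        issuer = dict(rdn[0] for rdn in smtp.sock.getpeercert()["issuer"])
        result["verified"] = True
        result["detail"] = "chain verified; issuer " + issuer.get("commonName", "?")
    finally:
        smtp.close()  # plain close: QUIT is pointless after a failed handshake
    return result

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_gateway_tls.py <gateway-hostname>")
    print(check_gateway_tls(sys.argv[1]))
```

Run it from a host outside your network so the connection follows the same path CRES would take, and check that `verified` is true before asking CRES to enable unencrypted replies.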