Cisco Email Security Appliance C370D White Paper
© 2016 Cisco and/or its affiliates. All rights reserved.
• Upload the CSR to your Certificate Authority
3. Installing the certificate you received from the Certificate Authority:
• Obtain the SSL certificate issued by your CA
• Per the screenshot above, click the "Browse" button below "Upload Signed Certificate" to upload the certificate from your Certificate Authority to Cisco Email Security
• Expand the "Intermediate Certificate (Optional)" area to upload any intermediate certificates required by your certificate authority (without them, clients that validate the chain will reject the connection)
• Click Submit
At this point your new certificate is installed.
How to Enable TLS for Incoming Emails
This diagram shows the flow of TLS messages between servers:
[Diagram: Sending Server -> Your Mail Server -> Email Protection Service; step 1 is the SMTP connection ("SMTP?"), step 2 is the TLS negotiation ("TLS?")]
You must enable TLS for any listeners where you require encryption
for inbound connections. You might want to enable TLS on listeners
that face the Internet (public listeners), but not for listeners for internal
systems (private listeners).
Or, you might want to enable encryption for all listeners. By default,
neither private nor public listeners allow TLS connections. You must
enable TLS in a listener’s Host Access Table (HAT) in order to enable
TLS for either inbound (receiving) or outbound (sending) email. In
addition, the mail flow policy settings for private and public listeners
have TLS turned ‘off’ by default.
You can specify three different settings for TLS on a listener:

Setting    Meaning
None       TLS is not allowed for incoming connections. Connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is the default setting for all listeners you configure on the appliance.
Preferred  TLS is allowed for incoming connections to the listener from Message Transfer Agents (MTAs), but it is not required; a sending MTA that never issues STARTTLS can still deliver in the clear.
Required   TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, Cisco Email Security responds with an error message to every command other than No Operation (NOOP), EHLO, or QUIT. If TLS is 'Required', email that the sender does not want encrypted with TLS is refused by Cisco Email Security before it is sent, which prevents it from being transmitted in the clear.
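The following is an added example, not code from the Cisco document or the appliance. It models how the three listener settings above (None, Preferred, Required) change the SMTP conversation, so the difference between "Preferred" and "Required" can be seen command by command, and it includes a live probe that checks a real listener the way a sending MTA would: whether STARTTLS is advertised, and whether the handshake validates the certificate chain, which is the check that fails when the intermediate certificate from the earlier installation steps was not uploaded. The hostnames (mx.example.com, sender.example) are placeholders, and the reply codes come from RFC 3207 and RFC 5321, not from a capture of an appliance.

```python
"""Added example (not from the Cisco document): a model of how a listener's
TLS setting (None / Preferred / Required) changes the SMTP conversation, and
a small live probe that checks a real listener with the standard library.
Replies follow the behaviour described in the text; reply codes are taken
from RFC 3207 / RFC 5321, not from an appliance capture."""
import smtplib
import ssl

# Commands the text says a 'Required' listener still answers before STARTTLS.
ALLOWED_BEFORE_TLS = {"NOOP", "EHLO", "QUIT"}


class Listener:
    """Minimal SMTP reply model for one inbound connection to a listener."""

    def __init__(self, tls_setting: str, hostname: str = "mx.example.com"):
        if tls_setting not in ("None", "Preferred", "Required"):
            raise ValueError(f"unknown TLS setting: {tls_setting}")
        self.tls_setting = tls_setting
        self.hostname = hostname  # placeholder name used in the banner
        self.encrypted = False    # flips to True after a successful STARTTLS

    def banner(self) -> str:
        return f"220 {self.hostname} ESMTP"

    def respond(self, line: str) -> str:
        """Return the reply the listener gives to one client command line."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "QUIT":
            return "221 Bye"
        if verb == "NOOP":
            return "250 OK"
        if verb == "EHLO":
            exts = [f"250-{self.hostname}"]
            # STARTTLS is only advertised when TLS is allowed and not yet active.
            if self.tls_setting != "None" and not self.encrypted:
                exts.append("250-STARTTLS")
            exts.append("250 8BITMIME")
            return "\r\n".join(exts)
        if verb == "STARTTLS":
            if self.tls_setting == "None":
                return "502 Command not implemented"
            if self.encrypted:
                return "503 TLS already active"
            self.encrypted = True  # the handshake is assumed to succeed in this model
            return "220 Ready to start TLS"
        # Any other command (MAIL, RCPT, DATA, ...): 'Required' refuses it in the clear.
        if self.tls_setting == "Required" and not self.encrypted:
            return "530 Must issue a STARTTLS command first"  # RFC 3207 wording
        return "250 OK"


def transcript(tls_setting: str, commands):
    """Run a constructed client script against the model; returns (cmd, reply) pairs."""
    listener = Listener(tls_setting)
    return [(cmd, listener.respond(cmd)) for cmd in commands]


def delivered_in_clear(tls_setting: str) -> bool:
    """Does a sender that never issues STARTTLS get past MAIL FROM?"""
    listener = Listener(tls_setting)
    listener.respond("EHLO sender.example")
    return listener.respond("MAIL FROM:<alice@sender.example>").startswith("250")


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check of a real listener (needs network; not exercised by tests).

    Reports whether STARTTLS is advertised and, if so, whether the handshake
    and certificate-chain validation succeed. A missing intermediate
    certificate shows up here as a certificate verify error.
    """
    result = {"starttls_advertised": False, "tls_ok": False, "error": None}
    context = ssl.create_default_context()  # validates chain and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_advertised"] = smtp.has_extn("starttls")
            if result["starttls_advertised"]:
                smtp.starttls(context=context)
                smtp.ehlo()
                result["tls_ok"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed client script: one MAIL FROM in the clear, then one after STARTTLS.
    script = ["EHLO sender.example", "MAIL FROM:<alice@sender.example>",
              "STARTTLS", "EHLO sender.example", "MAIL FROM:<alice@sender.example>"]
    for setting in ("None", "Preferred", "Required"):
        print(f"--- listener TLS = {setting}")
        for cmd, reply in transcript(setting, script):
            print(f"C: {cmd}\nS: {reply}")
```

Running the script prints the three conversations side by side: with "None" the STARTTLS command is rejected, with "Preferred" the clear-text MAIL FROM is accepted, and with "Required" every MAIL FROM before STARTTLS gets a 530 while NOOP, EHLO and QUIT still work. Point probe_starttls at a listener after the certificate upload to confirm both that STARTTLS is offered and that the served chain validates.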
Enable TLS on a HAT Mail Flow Policy for a Listener via the
Graphical User Interface (GUI)
Complete these steps:
1. From the Mail Flow Policies page, choose a listener whose policies
you want to modify and then click the link for the name of the policy
to edit. (You can also edit the Default Policy Parameters.) The Edit
Mail Flow Policy page is displayed.
How-To Secure Communications - Setting Up Transport Layer Security (TLS) | Cisco Public