Cisco Cisco Email Security Appliance X1050 Information Guide

When using TLS to deliver email via a Cisco Email Security Appliance (ESA) you can choose to
perform certificate verification using either the 'Verify' or 'Hosted Verify' options.  This is a crucial
part of securing the delivery of emails over TLS, and it is important to know how this verification is
performed.

There are actually two algorithms, one for the 'Verify' option, and the other for the 'Hosted Verify'
option.  Typically the 'Hosted Verify' option is recommended as it is compatible with a larger
variety of scenarios.

This documentation is based on AsyncOS 8.0.1 and later versions.  Prior versions of
AsyncOS may have somewhat different behavior.

●

Unless otherwise specified, wildcard matches are supported

●

Each algorithm stops after a successful match and subsequent checks are not evaluated

●

The CLI command tlsverify uses the 'Verify Algorithm'

●

CN: This is the Common Name, part of the certificate's subject

●

SAN: This is the Subject Alternate Name extension to X.509.  When used in this document,
we're specifically referring to any DNS names included in the SAN field.

●

Email Domain: This is the domain portion of the recipient's email address.  For example, when
delivering to 'user@example.com', the email domain is 'example.com'

●

MX Hostnames: These are the hostnames of the email domain's MX records

●

PTR Hostname: This is the hostname returned by a DNS PTR lookup of the IP address the
ESA is connecting to

●

SMTP Route Hostnames: If an SMTP route is configured for this destination, this is the
hostname used in the SMTP route

●