Cisco Email Security Appliance X1050 Troubleshooting Guide

Control TLS Negotiation on Delivery on the ESA
Document ID: 118955
Contributed by Jerry Orona and Enrico Werner, Cisco TAC Engineers.
May 11, 2015
Contents
Introduction
Enable TLS on Delivery
     TLS Setting Definitions
     Enable TLS on the GUI
     Enable TLS on the CLI
Introduction
This document describes how to control Transport Layer Security (TLS) negotiation on delivery on the Email
Security Appliance (ESA).
As defined in RFC 3207, "TLS is an extension to the SMTP service that allows an SMTP server and client to
use transport-layer security to provide private, authenticated communication over the Internet. TLS is a
popular mechanism for enhancing TCP communications with privacy and authentication."
Enable TLS on Delivery
You can require STARTTLS for email delivery to specific domains with either one of these methods
described in this document:
• Use the CLI destconfig command.
• From the GUI, choose Mail Policies > Destination Controls.
The Destination Controls page or the destconfig command allows you to choose one of five TLS settings for
a given domain when you add that domain. In addition, you can dictate whether validation of the domain is
necessary.
TLS Setting Definitions
TLS Setting: Meaning

Default
The default TLS setting that is applied when you use the Destination Controls page or the destconfig
-> default subcommand for outgoing connections from the listener to the Message Transfer Agent (MTA)
for the domain. The value "Default" is set if you answer no to the question: "Do you wish to apply a
specific TLS setting for this domain?"
1. No
TLS is not negotiated for outgoing connections from the interface to the MTA for the domain.
2. Preferred
TLS is negotiated from the ESA interface to the MTA(s) for the domain. However, if the TLS
negotiation fails (prior to receiving a 220 response), the SMTP transaction continues "in the
clear" (not encrypted). No attempt is made to verify if the certificate originates from a trusted
certificate authority. If an error occurs after the 220 response is received, the SMTP transaction
does not fall back to clear text.
3. Required
TLS is negotiated from the ESA interface to MTA(s) for the domain. No attempt is made to
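The following Python model is an added example, not Cisco's code (the ESA's internal delivery logic is not published): it encodes the delivery outcomes the definitions above describe for No, Preferred and Required, including the difference between a negotiation failure before and after the 220 response, and shows which settings leave mail exposed to a STARTTLS downgrade. Because the Required row is cut off on this page, its behaviour on a failed negotiation (no fallback to clear text, so the message is not delivered) is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class TlsSetting(Enum):
    """The three outbound TLS settings defined so far in this document."""
    NO = "No"
    PREFERRED = "Preferred"
    REQUIRED = "Required"


@dataclass
class Negotiation:
    """Constructed record of one STARTTLS attempt from the ESA to a domain's MTA."""
    starttls_offered: bool   # the MTA advertised STARTTLS in its EHLO reply
    got_220: bool            # the MTA answered the STARTTLS command with 220
    handshake_ok: bool       # the TLS handshake completed after the 220


def delivery_outcome(setting: TlsSetting, n: Negotiation) -> str:
    """Return 'clear' (sent unencrypted), 'tls' (sent encrypted) or
    'not-delivered' (transaction abandoned) for this attempt."""
    if setting is TlsSetting.NO:
        return "clear"                      # TLS is never negotiated
    if not n.starttls_offered or not n.got_220:
        # Failure prior to the 220 response: Preferred falls back to clear text.
        # Assumption (the Required row of this document is cut off): Required
        # does not fall back, so the message is not sent in the clear.
        return "clear" if setting is TlsSetting.PREFERRED else "not-delivered"
    if not n.handshake_ok:
        # Error after the 220 was received: no setting falls back to clear text.
        return "not-delivered"
    return "tls"


def downgrade_exposed(setting: TlsSetting) -> bool:
    """True when a network party that removes STARTTLS from the MTA's EHLO
    reply causes mail for this domain to leave the ESA unencrypted."""
    stripped = Negotiation(starttls_offered=False, got_220=False, handshake_ok=False)
    return delivery_outcome(setting, stripped) == "clear"
```

The model shows why Preferred only protects against passive observation: any failure before the 220 silently yields clear-text delivery, so domains that must never receive unencrypted mail need Required.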