Cisco Email Security Appliance X1070 User Guide

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 5      Email Authentication
AsyncOS provides a mechanism for signing email based on domain as well as a way to manage (create new or input existing) signing keys.

The configuration descriptions in this document represent the most common uses for signing and verification. You can also enable DomainKeys and DKIM signing on a mail flow policy for inbound email, or enable DKIM verification on a mail flow policy for outbound email.
On Email Security appliances with a FIPS-compliant Hardware Security Module (HSM) card, the signing keys are managed by the FIPS Officer through the FIPS Management console. AsyncOS restricts the Mail Policies > Signing Keys page and the domainkeysconfig CLI command from generating and importing signing keys. Signing keys are stored on the Hardware Security Module (HSM) card offered. For more information, see
Note: When you configure domain profiles and signing keys in a clustered environment, note that the Domain Key Profile settings and Signing Key settings are linked. Therefore, if you copy, move or delete a signing key, the same action is taken on the related profile.
Configuring DomainKeys and DKIM Signing
Signing Keys
A signing key is the private key stored on the Cisco IronPort appliance. When creating a signing key, you specify a key size. Larger key sizes are more secure; however, larger keys also can impact performance. IronPort supports keys from 512 bits up to 2048 bits. The 768 to 1024 bit key sizes are considered secure and used by most senders today. Keys based on larger key sizes can impact performance and are not supported above 2048 bits. For more information about creating signing keys, see .
Note: On Email Security appliances with a FIPS-compliant HSM card, only the 1024 and 2048 bit key sizes are available for signing keys.
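The following shell script is an added example, not part of the Cisco guide and not the appliance's own domainkeysconfig implementation. It shows what a signing key of the kind described above is: an RSA private key of a chosen size. It generates one with OpenSSL, enforces the key-size rules the guide states (512 to 2048 bits supported; only 1024 or 2048 on a FIPS HSM appliance), verifies the size of the generated key, and goes one step beyond the text by producing the public-key DNS TXT record (v=DKIM1; k=rsa; p=...) that a signing key must be published with. It assumes openssl is on PATH; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): DKIM signing-key generation with
# the key-size policy the guide describes. Assumes the openssl CLI is on PATH.

# Return 0 if SIZE (bits) is an allowed signing-key size.
# Second argument FIPS=1 restricts the choice to 1024 or 2048, as on an
# appliance with a FIPS-compliant HSM card; otherwise 512..2048 is accepted.
dkim_key_size_ok() {
    size="$1"; fips="${2:-0}"
    case "$size" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    if [ "$fips" = "1" ]; then
        [ "$size" -eq 1024 ] || [ "$size" -eq 2048 ]
    else
        [ "$size" -ge 512 ] && [ "$size" -le 2048 ]
    fi
}

# Generate an RSA private key of SIZE bits into FILE (PEM), after checking
# the size policy. The subshell umask keeps the private key owner-readable only.
dkim_generate_key() {
    size="$1"; file="$2"; fips="${3:-0}"
    dkim_key_size_ok "$size" "$fips" || {
        echo "unsupported signing key size: $size" >&2
        return 1
    }
    ( umask 077 && openssl genrsa -out "$file" "$size" 2>/dev/null )
}

# Print the modulus size in bits of the private key in FILE, so the operator
# can confirm what was actually generated before importing it anywhere.
dkim_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Print the DNS TXT record value for the public half of the key in FILE.
# The p= tag carries the base64 DER SubjectPublicKeyInfo, as DKIM requires.
dkim_dns_record() {
    pub=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    printf 'v=DKIM1; k=rsa; p=%s\n' "$pub"
}

# Usage: generate a 2048-bit key and show the record to publish under
# <selector>._domainkey.<domain> (constructed example file name).
# dkim_generate_key 2048 ./example-selector.pem && dkim_dns_record ./example-selector.pem
```

A key rejected by dkim_key_size_ok (for example 4096 bits, or 768 bits in FIPS mode) is never generated, so the policy check runs before any private material exists on disk; the generated PEM is what you would import as a signing key, and the TXT record is what verifiers will fetch to check the signature.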