Cisco Cisco Email Security Appliance X1070 User Guide

If there is no specific entry for a given recipient domain in the good neighbor 
table, or if there is a specific entry but there is no specific TLS setting for the 
entry, then the behavior is whatever is set using the Destination Controls page or 
the 

destconfig -> default

 subcommand (“No,” “Preferred,” “Required,” 

“Preferred (Verify),” or “Required (Verify)”). 

TLS is negotiated from the IronPort appliance to the MTA(s) 
for the domain. The appliance attempts to verify the domain’s 
certificate. 

Three outcomes are possible:

TLS is negotiated and the certificate is verified. The mail 
is delivered via an encrypted session.

TLS is negotiated, but the certificate is not verified. The 
mail is delivered via an encrypted session.

No TLS connection is made and, subsequently the 
certificate is not verified. The email message is delivered 
in plain text. 

TLS is negotiated from the IronPort appliance to the MTA(s) 
for the domain. Verification of the domain’s certificate is 
required.

Three outcomes are possible:

A TLS connection is negotiated and the certificate is 
verified. The email message is delivered via an encrypted 
session.

A TLS connection is negotiated but the certificate is not 
verified by a trusted CA. The mail is not delivered.

A TLS connection is not negotiated. The mail is not 
delivered.