Cisco Email Security Appliance C650 User Guide
Cisco AsyncOS 9.0 for Email User Guide
Chapter 23 Encrypting Communication with Other MTAs
Note that this example asks you to use the certconfig command to ensure that there is a valid certificate that can be used with the listener. If you have not created any certificates, the listener uses the demonstration certificate that is pre-installed on the appliance. You may enable TLS with the demonstration certificate for testing purposes, but it is not secure and is not recommended for general use. Use the listenerconfig -> edit -> certificate command to assign a certificate to the listener.
Once you have configured TLS, the setting will be reflected in the summary of the listener in the CLI (the listener summary is reproduced at the end of this page):
Step 4 Issue the commit command to enable the change.
Enabling TLS and Certificate Verification on Delivery
You can require that TLS is enabled for email delivery to specific domains using the Destination Controls page or the destconfig command.
In addition to TLS, you can require that the domain’s server certificate is verified. This domain verification is based on a digital certificate used to establish the domain’s credentials. The validation process involves two validation requirements:
• The chain of issuer certificates for the SMTP session ends in a certificate issued by a trusted certificate authority (CA).
• The Common Name (CN) listed on the certificate matches either the receiving machine's DNS name or the message's destination domain.
- or -
The message's destination domain matches one of the DNS names in the certificate's Subject Alternative Name (subjectAltName) extension, as described in RFC 2459. The matching supports wildcards as described in section 3.1 of RFC 2818.
A trusted CA is a third-party organization or company that issues digital certificates used to verify identity and distributes public keys. This provides an additional level of assurance that the certificate is issued by a valid and trusted identity.
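The two verification requirements above, modelled as an added Python example (not the appliance's own code): it checks that the issuer chain ends at a trusted CA and that the CN or a subjectAltName dNSName matches the receiving host or destination domain, with RFC 2818 section 3.1 wildcard rules. The dict layout, TRUSTED_CAS and SAMPLE_CHAIN are constructed assumptions for illustration.

```python
import re

# Constructed sample data for this example; not a real certificate chain.
TRUSTED_CAS = {"CN=Example Root CA"}
SAMPLE_CHAIN = [
    {"subject": "CN=mx1.example.com", "issuer": "CN=Example Intermediate CA",
     "cn": "mx1.example.com", "san": ["*.example.com", "example.com"]},
    {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"},
]


def _label_matches(pattern: str, label: str) -> bool:
    # RFC 2818 section 3.1: '*' matches any single domain-name component
    # or component fragment, so it never spans a '.' boundary.
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, label) is not None


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare a CN or dNSName (possibly with wildcards) label by label."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    return len(pat) == len(host) and all(map(_label_matches, pat, host))


def chain_trusted(chain: list, trusted_cas: set) -> bool:
    """chain[0] is the server certificate. Every issuer must be the next
    certificate's subject, and the last issuer must be a trusted CA."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    return chain[-1]["issuer"] in trusted_cas


def identity_matches(cert: dict, receiving_host: str, dest_domain: str) -> bool:
    """Rule 1: CN matches the receiving host or the destination domain.
    Rule 2 (the '- or -' branch): destination domain matches a SAN dNSName."""
    cn = cert.get("cn")
    if cn and any(name_matches(cn, h) for h in (receiving_host, dest_domain)):
        return True
    return any(name_matches(san, dest_domain) for san in cert.get("san", []))


def verify_delivery(chain, receiving_host, dest_domain, trusted_cas=TRUSTED_CAS):
    """Both requirements must hold before the appliance delivers over TLS."""
    return chain_trusted(chain, trusted_cas) and identity_matches(
        chain[0], receiving_host, dest_domain)
```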
You can configure your Email Security appliance to send messages to a domain over a TLS connection as an alternative to envelope encryption. See the “Cisco Email Encryption” chapter for more information.
Listener summary shown in the CLI after TLS has been configured on the listener (referenced above under “Once you have configured TLS”):
Name: Inboundmail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: Required