Cisco Cisco Email Security Appliance C650 Guía Del Usuario
22-10
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 22 Encrypting Communication with Other MTAs
Enabling TLS and Certificate Verification on Delivery
If there is no specific entry for a given recipient domain in the good neighbor table, or if there is a
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
destconfig -> default
subcommand (“No,” “Preferred,”
“Required,” “Preferred (Verify),” or “Required (Verify)”).
Sending Alerts When a Required TLS Connection Fails
You can specify whether the Email Security appliance sends an alert if the TLS negotiation fails when
delivering messages to a domain that requires a TLS connection. The alert message contains name of the
destination domain for the failed TLS negotiation. The Email Security appliance sends the alert message
to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert
recipients via the System Administration > Alerts page in the GUI (or via the
delivering messages to a domain that requires a TLS connection. The alert message contains name of the
destination domain for the failed TLS negotiation. The Email Security appliance sends the alert message
to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert
recipients via the System Administration > Alerts page in the GUI (or via the
alertconfig
command in
the CLI).
2. Preferred
TLS is negotiated from the Email Security appliance interface to the MTA(s) for
the domain. However, if the TLS negotiation fails (prior to receiving a 220
response), the SMTP transaction will continue “in the clear” (not encrypted). No
attempt is made to verify if the certificate originates from a trusted certificate
authority. If an error occurs after the 220 response is received the SMTP
transaction does not fall back to clear text.
the domain. However, if the TLS negotiation fails (prior to receiving a 220
response), the SMTP transaction will continue “in the clear” (not encrypted). No
attempt is made to verify if the certificate originates from a trusted certificate
authority. If an error occurs after the 220 response is received the SMTP
transaction does not fall back to clear text.
3. Required
TLS is negotiated from the Email Security appliance interface to MTA(s) for the
domain. No attempt is made to verify the domain’s certificate. If the negotiation
fails, no email is sent through the connection. If the negotiation succeeds, the
mail is delivered via an encrypted session.
domain. No attempt is made to verify the domain’s certificate. If the negotiation
fails, no email is sent through the connection. If the negotiation succeeds, the
mail is delivered via an encrypted session.
4. Preferred (Verify)
TLS is negotiated from the Email Security appliance to the MTA(s) for the
domain. The appliance attempts to verify the domain’s certificate.
domain. The appliance attempts to verify the domain’s certificate.
Three outcomes are possible:
•
TLS is negotiated and the certificate is verified. The mail is delivered via an
encrypted session.
encrypted session.
•
TLS is negotiated, but the certificate is not verified. The mail is delivered
via an encrypted session.
via an encrypted session.
•
No TLS connection is made and, subsequently the certificate is not verified.
The email message is delivered in plain text.
The email message is delivered in plain text.
5. Required (Verify)
TLS is negotiated from the Email Security appliance to the MTA(s) for the
domain. Verification of the domain’s certificate is required.
domain. Verification of the domain’s certificate is required.
Three outcomes are possible:
•
A TLS connection is negotiated and the certificate is verified. The email
message is delivered via an encrypted session.
message is delivered via an encrypted session.
•
A TLS connection is negotiated but the certificate is not verified by a trusted
CA. The mail is not delivered.
CA. The mail is not delivered.
•
A TLS connection is not negotiated. The mail is not delivered.
Table 22-3
TLS Settings for Delivery
TLS Setting
Meaning