Cisco Email Security Appliance X1050 User Guide
Cisco AsyncOS 8.0.1 for Email User Guide, page 20-9
Chapter 20 Encrypting Communication with Other MTAs
Step 4 Issue the commit command to enable the change.
Enabling TLS and Certificate Verification on Delivery
You can require that TLS is enabled for email delivery to specific domains using the Destination Controls page or the destconfig command.
In addition to TLS, you can require that the domain’s server certificate is verified. This domain verification is based on a digital certificate used to establish the domain’s credentials. The validation process involves two validation requirements:
• The chain of issuer certificates for the SMTP session ends in a certificate issued by a trusted certificate authority (CA).
• The Common Name (CN) listed on the certificate matches either the receiving machine's DNS name or the message's destination domain.
- or -
The message's destination domain matches one of the DNS names in the certificate's Subject Alternative Name (subjectAltName) extension, as described in RFC 2459. The matching supports wildcards as described in section 3.1 of RFC 2818.
A trusted CA is a third-party organization or company that issues digital certificates used to verify identity and distributes public keys. This provides an additional level of assurance that the certificate is issued by a valid and trusted identity.
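The name-matching half of the verification described above (CN against the receiving host or the destination domain, or a subjectAltName dNSName against the destination domain, with RFC 2818 section 3.1 wildcards) is shown here as an added example; it is not code from the appliance or from this guide. It assumes the certificate's names have already been extracted into a small record and that the issuer-chain check has been done separately. The guide does not state whether wildcards apply to the CN as well as to SAN entries; this example applies the same wildcard rule to both, which is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Hypothetical record of the identity names found in a server certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _label_matches(pattern: str, label: str) -> bool:
    # RFC 2818 section 3.1: '*' matches any single domain name component
    # or component fragment, so 'f*' matches 'foo' but the match never
    # crosses a dot (dots are handled label by label in name_matches).
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match with RFC 2818 3.1 wildcard semantics."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    # '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com' or 'a.com':
    # the number of labels must be identical.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def verify_domain_identity(cert: CertIdentity, mx_hostname: str,
                           destination_domain: str) -> Tuple[bool, str]:
    """Apply the identity rule from the guide and report which clause matched.

    Returns (ok, reason). The issuer-chain check is out of scope here and is
    assumed to have been performed before this function is called.
    """
    if cert.common_name:
        if name_matches(cert.common_name, mx_hostname):
            return True, "CN matches the receiving machine's DNS name"
        if name_matches(cert.common_name, destination_domain):
            return True, "CN matches the message's destination domain"
    for san in cert.san_dns_names:
        if name_matches(san, destination_domain):
            return True, f"subjectAltName {san!r} matches the destination domain"
    return False, "no certificate name matches the receiving host or destination domain"


if __name__ == "__main__":
    # Constructed sample: the MX for example.com is hosted by a provider whose
    # certificate names the provider host in the CN and the customer domain in the SAN.
    provider_cert = CertIdentity(
        common_name="smtp.provider.test",
        san_dns_names=["example.com", "*.example.org"],
    )
    print(verify_domain_identity(provider_cert, "relay.provider.test", "example.com"))
    # A wildcard SAN does not cover the apex domain, so this delivery fails verification.
    print(verify_domain_identity(provider_cert, "relay.provider.test", "example.org"))
```

A delivery that fails this check would be refused under the "Required - Verify" style settings the guide goes on to describe, so the reason string is the kind of detail worth surfacing in mail logs when a domain's TLS verification unexpectedly starts failing.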
You can configure your Cisco appliance to send messages to a domain over a TLS connection as an alternative to envelope encryption. See the “Cisco Email Encryption” chapter in the Cisco IronPort AsyncOS for Email Configuration Guide for more information.
You can specify a certificate for the appliance to use for all outgoing TLS connections. To specify the certificate, click Edit Global Settings on the Destination Controls page or use destconfig -> setup in the CLI. The certificate is a global setting, not a per-domain setting.
You can specify 5 different settings for TLS for a given domain when you include a domain using the Destination Controls page or the destconfig command. In addition to specifying whether exchanges with a domain are required or preferred to be TLS encoded, you can dictate whether validation of the domain is necessary. See Table 20-3 for an explanation of the settings.
Table 20-3 TLS Settings for Delivery

TLS Setting: Default
Meaning: The default TLS setting set using the Destination Controls page or the destconfig -> default subcommand used for outgoing connections from the listener to the MTA for the domain. The value “Default” is set if you answer “no” to the question: “Do you wish to apply a specific TLS setting for this domain?”

TLS Setting: 1. No
Meaning: TLS is not negotiated for outgoing connections from the interface to the MTA for the domain.