Cisco Email Security Appliance C650 User Guide
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 2 Customizing Listeners
Sending Alerts When a Required TLS Connection Fails
You can specify whether the IronPort appliance sends an alert if the TLS
negotiation fails when delivering messages to a domain that requires a TLS
connection. The alert message contains the name of the destination domain for
the failed TLS negotiation. The IronPort appliance sends the alert message to
all recipients set to receive Warning severity level alerts for System alert
types. You can manage alert recipients via the System Administration > Alerts
page in the GUI (or via the alertconfig command in the CLI).
To enable TLS connection alerts, click Edit Global Settings on the Destination
Controls page or use the destconfig -> setup subcommand. This is a global
setting, not a per-domain setting. For information on the messages that the
appliance attempted to deliver, use the Monitor > Message Tracking page or the
mail logs.
Logging
The IronPort appliance will note in the mail logs instances when TLS is required
for a domain but could not be used. Information on why the TLS connection could
not be used will be included. The mail logs will be updated when any of the
following conditions are met:
• The remote MTA does not support ESMTP (for example, it did not
  understand the EHLO command from the IronPort appliance).
• The remote MTA supports ESMTP but “STARTTLS” was not in the list of
  extensions it advertised in its EHLO response.
• The remote MTA advertised the “STARTTLS” extension but responded with
  an error when the IronPort appliance sent the STARTTLS command.
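The three conditions above can be told apart from the SMTP reply codes of the
delivery attempt. The following Python is an added example, not code from the
Cisco guide or from AsyncOS: it classifies a captured SMTP dialogue into one of
those conditions. The "C: "/"S: " transcript format, the function names, the
label strings and the hostnames are assumptions of this example.

```python
import re

# Labels for the three logged conditions above, plus two outcomes added by this example.
NO_ESMTP = "no ESMTP support"
NOT_ADVERTISED = "STARTTLS not advertised"
STARTTLS_ERROR = "STARTTLS advertised but rejected"
TLS_READY = "STARTTLS accepted"
INCOMPLETE = "STARTTLS advertised but never attempted"
_REPLY = re.compile(r"^(\d{3})[ -]?(.*)$")

def parse_exchanges(lines):
    """Pair each 'C: ' command with the code and text lines of its 'S: ' reply."""
    exchanges = []
    for raw in lines:
        side, _, body = raw.partition(": ")
        if side == "C":
            exchanges.append({"cmd": body.strip(), "code": None, "text": []})
        elif side == "S" and exchanges:  # the 220 banner precedes any command
            m = _REPLY.match(body.strip())
            if m:
                exchanges[-1]["code"] = int(m.group(1))
                exchanges[-1]["text"].append(m.group(2).strip())
    return exchanges

def classify(lines):
    """Return which condition explains why a required-TLS delivery could not use TLS."""
    ehlo = starttls = None
    for ex in parse_exchanges(lines):
        verb = ex["cmd"].split(" ", 1)[0].upper()
        if verb == "EHLO" and ehlo is None:
            ehlo = ex
        elif verb == "STARTTLS" and starttls is None:
            starttls = ex
    if ehlo is None or ehlo["code"] != 250:
        return NO_ESMTP
    # First 250 line is the server greeting; later lines are extension keywords.
    keywords = {t.split()[0].upper() for t in ehlo["text"][1:] if t}
    if "STARTTLS" not in keywords:
        return NOT_ADVERTISED
    if starttls is None:
        return INCOMPLETE
    return TLS_READY if starttls["code"] == 220 else STARTTLS_ERROR

# Constructed transcripts (hostnames are placeholders, not from the guide).
BANNER = ["S: 220 mx.partner.example ESMTP", "C: EHLO esa.example.com"]
GREET = "S: 250-mx.partner.example"
LEGACY = BANNER + ["S: 500 Command unrecognized"]
PLAIN = BANNER + [GREET, "S: 250 SIZE 10240000"]
BROKEN = BANNER + [GREET, "S: 250 STARTTLS", "C: STARTTLS", "S: 454 TLS not available"]
```

The second case is the one worth correlating across time: STARTTLS disappearing
from the EHLO response of a domain that previously advertised it is also what a
STARTTLS-stripping intermediary looks like from the sending side.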
CLI Example
In this example, the destconfig command is used to require TLS connections and
encrypted conversations for the domain “partner.com.” The list is then printed.