Cisco Email Security Appliance X1070 User Guide
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
Chapter 24 Encrypting Communication with Other MTAs
Related Topics
• Enabling TLS Connection Alerts
Procedure
Step 1 Navigate to the Mail Policies > Destination Controls page.
Step 2 Click Edit Global Settings.
Step 3 Click Enable for “Send an alert when a required TLS connection fails.”
This is a global setting, not a per-domain setting. For information on the messages that the appliance attempted to deliver, use the Monitor > Message Tracking page or the mail logs.
Step 4 Submit and commit your changes.
You can also enable TLS connection alerts from the command-line interface using the destconfig -> setup command.
Logging
The Email Security appliance notes in the mail logs each instance where TLS is required for a domain but could not be used. The entry includes information on why the TLS connection could not be used. The mail logs are updated when any of the following conditions is met:
• The remote MTA does not support ESMTP (for example, it did not understand the EHLO command from the Email Security appliance).
• The remote MTA supports ESMTP but “STARTTLS” was not in the list of extensions it advertised in its EHLO response.
• The remote MTA advertised the “STARTTLS” extension but responded with an error when the Email Security appliance sent the STARTTLS command.
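The three logged conditions correspond to three distinct points in the SMTP dialogue. The following added example (not from the Cisco guide and not AsyncOS code) classifies the replies to EHLO and STARTTLS into those conditions, which is useful when checking a partner MTA before requiring TLS for its domain. The function names, the TlsOutcome enum and the sample replies are constructed for illustration.

```python
from enum import Enum

class TlsOutcome(Enum):
    NO_ESMTP = "remote MTA did not accept EHLO (no ESMTP)"
    NOT_ADVERTISED = "STARTTLS missing from the EHLO extension list"
    STARTTLS_ERROR = "STARTTLS advertised, but the command returned an error"
    READY = "remote MTA accepted STARTTLS"

def parse_reply(raw):
    """Split one SMTP reply into (code, text lines); handles the 250-/250 multi-line form."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    codes, texts = set(), []
    for ln in lines:
        if len(ln) < 3 or not ln[:3].isdigit() or ln[3:4] not in ("", " ", "-"):
            raise ValueError(f"malformed reply line: {ln!r}")
        codes.add(int(ln[:3]))
        texts.append(ln[4:].strip())
    if len(codes) != 1:
        raise ValueError("empty reply, or reply lines carry different codes")
    return codes.pop(), texts

def classify(ehlo_reply, starttls_reply=None):
    """Map the replies to EHLO and STARTTLS onto the three logged conditions."""
    code, texts = parse_reply(ehlo_reply)
    if code != 250:  # EHLO not understood: the remote MTA does not speak ESMTP
        return TlsOutcome.NO_ESMTP
    # Line 1 is the server greeting; each later line carries one extension keyword.
    extensions = {t.split()[0].upper() for t in texts[1:] if t}
    if "STARTTLS" not in extensions:
        return TlsOutcome.NOT_ADVERTISED
    if starttls_reply is None:
        raise ValueError("STARTTLS was advertised; its reply is needed")
    code, _ = parse_reply(starttls_reply)
    # RFC 3207: 220 means ready to start TLS; any other code is an error.
    return TlsOutcome.READY if code == 220 else TlsOutcome.STARTTLS_ERROR

# Constructed sample replies (not captured from a real MTA or appliance).
EHLO_TLS = "250-mx.example.net\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLES = {
    "legacy": ("500 5.5.1 Command unrecognized\r\n", None),
    "plain": ("250-mx.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n", None),
    "refused": (EHLO_TLS, "454 4.7.0 TLS not available\r\n"),
    "ok": (EHLO_TLS, "220 2.0.0 Ready to start TLS\r\n"),
}

if __name__ == "__main__":
    for name, (ehlo, tls) in SAMPLES.items():
        print(f"{name:8} {classify(ehlo, tls).value}")
```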
Managing Lists of Certificate Authorities
The appliance uses stored trusted certificate authorities to verify a certificate from a remote domain and establish the domain’s credentials. You can configure the appliance to use the following trusted certificate authorities:
• Pre-installed list. The appliance has a pre-installed list of trusted certificate authorities. This is called the system list.
• User-defined list. You can customize a list of trusted certificate authorities and then import the list onto the appliance.
You can use either the system list or the customized list, and you can also use both lists to verify a certificate from a remote domain.
Manage the lists using the Network > Certificates > Edit Certificate Authorities page in the GUI or the certconfig > certauthority command in the CLI.