Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
1-31
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 1 Customizing Listeners
If there is no specific entry for a given recipient domain in the good neighbor table, or if there is a
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
destconfig -> default
subcommand (“No,” “Preferred,”
“Required,” “Preferred (Verify),” or “Required (Verify)”).
Sending Alerts When a Required TLS Connection Fails
You can specify whether the Cisco IronPort appliance sends an alert if the TLS negotiation fails when
delivering messages to a domain that requires a TLS connection. The alert message contains name of the
destination domain for the failed TLS negotiation. The Cisco IronPort appliance sends the alert message
to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert
recipients via the System Administration > Alerts page in the GUI (or via the
delivering messages to a domain that requires a TLS connection. The alert message contains name of the
destination domain for the failed TLS negotiation. The Cisco IronPort appliance sends the alert message
to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert
recipients via the System Administration > Alerts page in the GUI (or via the
alertconfig
command in
the CLI).
To enable TLS connection alerts, click Edit Global Settings on the Destination Controls page or
destconfig -> setup
subcommand. This is a global setting, not a per-domain setting. For information
on the messages that the appliance attempted to deliver, use the Monitor > Message Tracking page or the
mail logs.
mail logs.
Logging
The Cisco IronPort appliance will note in the mail logs instances when TLS is required for a domain but
could not be used. Information on why the TLS connection could not be used will be included. The mail
logs will be updated when any of the following conditions are met:
could not be used. Information on why the TLS connection could not be used will be included. The mail
logs will be updated when any of the following conditions are met:
4. Preferred (Verify)
TLS is negotiated from the Cisco IronPort appliance to the MTA(s) for the
domain. The appliance attempts to verify the domain’s certificate.
domain. The appliance attempts to verify the domain’s certificate.
Three outcomes are possible:
•
TLS is negotiated and the certificate is verified. The mail is delivered via an
encrypted session.
encrypted session.
•
TLS is negotiated, but the certificate is not verified. The mail is delivered
via an encrypted session.
via an encrypted session.
•
No TLS connection is made and, subsequently the certificate is not verified.
The email message is delivered in plain text.
The email message is delivered in plain text.
5. Required (Verify)
TLS is negotiated from the Cisco IronPort appliance to the MTA(s) for the
domain. Verification of the domain’s certificate is required.
domain. Verification of the domain’s certificate is required.
Three outcomes are possible:
•
A TLS connection is negotiated and the certificate is verified. The email
message is delivered via an encrypted session.
message is delivered via an encrypted session.
•
A TLS connection is negotiated but the certificate is not verified by a trusted
CA. The mail is not delivered.
CA. The mail is not delivered.
•
A TLS connection is not negotiated. The mail is not delivered.
Table 1-7
TLS Settings for Delivery
TLS Setting
Meaning