Cisco Email Security Appliance C160 User Guide
1-27
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 1 Customizing Listeners
Enabling TLS on a Listener’s HAT
You must enable TLS for any listeners where you require encryption. You may want to enable TLS on listeners facing the Internet (that is, public listeners), but not for listeners for internal systems (that is, private listeners). Or, you may want to enable encryption for all listeners.
You can specify 3 different settings for TLS on a listener. See Table 3-19.
By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener’s HAT to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, all default mail flow policy settings for private and public listeners have the tls setting set to “off.”
You can assign a specific certificate for TLS connections to individual public listeners when creating a listener. For more information, see Assigning a Certificate.
Assigning a Certificate
You can assign a certificate to an individual public or private listener for TLS connections using either the Network > Listeners page or the listenerconfig -> edit -> certificate command in the CLI.
To assign a TLS certificate via the GUI, select the certificate you want in the Certificate section when creating or editing a listener and then submit and commit your changes.
Figure 1-18 Selecting a Certificate for a Listener
To assign a certificate to a listener via the CLI, follow these steps:
Step 1 Use the listenerconfig -> edit command to choose the listener you want to configure.
Step 2 Use the certificate command to see the available certificates.
Step 3 Choose the certificate you want to assign to the listener when prompted.
Step 4 When you are finished configuring the listener, issue the commit command to enable the change.
Table 1-6 TLS Settings for a Listener

TLS Setting    Meaning

1. No          TLS is not allowed for incoming connections. No connections to the listener
               will require encrypted SMTP conversations. This is the default setting for all
               listeners you configure on the appliance.

2. Preferred   TLS is allowed for incoming connections to the listener from MTAs.

3. Required    TLS is allowed for incoming connections to the listener from MTAs, and until a
               STARTTLS command is received, the Cisco IronPort appliance responds with an
               error message to every command other than NOOP, EHLO, or QUIT. This behavior
               is specified by RFC 3207, which defines the SMTP Service Extension for Secure
               SMTP over Transport Layer Security. “Requiring” TLS means that email which the
               sender is not willing to encrypt with TLS will be refused by the Cisco IronPort
               appliance before it is sent, thereby preventing it from being transmitted in
               the clear.
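The following model shows how the three settings in Table 1-6 change an SMTP conversation, in particular the Required behavior of answering every command except NOOP, EHLO and QUIT with an error until STARTTLS arrives. It is an added example and not Cisco code; it follows RFC 3207 and the table text. The reply codes and texts (530 "Must issue a STARTTLS command first", 220 "Ready to start TLS") are those given in RFC 3207, while the host name, the extension list and the use of 502 for a STARTTLS that was never advertised are constructed assumptions, and the appliance's actual wording may differ.

```python
"""Model of how a listener's TLS setting gates an SMTP conversation (RFC 3207).

Added example, not Cisco code. Reply texts follow RFC 3207 / RFC 5321; the
appliance's exact banners may differ (assumption).
"""
from dataclasses import dataclass

NO, PREFERRED, REQUIRED = "No", "Preferred", "Required"

# With TLS Required, only these verbs get a normal answer before STARTTLS
# (the exceptions listed in Table 1-6).
ALLOWED_BEFORE_STARTTLS = {"NOOP", "EHLO", "QUIT"}

# Verbs this model understands; anything else is a syntax error (RFC 5321).
KNOWN_VERBS = {"EHLO", "HELO", "NOOP", "QUIT", "RSET", "STARTTLS",
               "MAIL", "RCPT", "DATA"}


@dataclass
class Listener:
    """One listener carrying the TLS setting of its mail flow policy."""
    tls_setting: str
    tls_active: bool = False  # True once STARTTLS has been accepted

    def advertises_starttls(self) -> bool:
        # STARTTLS is offered only when the policy allows TLS and the session
        # is still in the clear; RFC 3207 forbids re-advertising it under TLS.
        return self.tls_setting in (PREFERRED, REQUIRED) and not self.tls_active

    def handle(self, line: str) -> str:
        """Return the server reply to one client command line."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in KNOWN_VERBS:
            return "500 5.5.2 Syntax error, command unrecognized"
        if verb == "STARTTLS":
            if not self.advertises_starttls():
                # Never offered under "No", and never valid twice in a session.
                return "502 5.5.1 Command not implemented"
            self.tls_active = True  # the TLS handshake would follow here
            return "220 2.0.0 Ready to start TLS"
        if (self.tls_setting == REQUIRED and not self.tls_active
                and verb not in ALLOWED_BEFORE_STARTTLS):
            # The Required behavior from Table 1-6: refuse until STARTTLS is seen,
            # so no envelope or message content ever crosses the wire in the clear.
            return "530 5.7.0 Must issue a STARTTLS command first"
        if verb in ("EHLO", "HELO"):
            lines = ["250-esa.example.internal"]  # constructed host name
            if verb == "EHLO" and self.advertises_starttls():
                lines.append("250-STARTTLS")
            lines.append("250 8BITMIME")  # constructed extension list
            return "\r\n".join(lines)
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb == "DATA":
            return "354 Start mail input"
        return "250 2.0.0 OK"


def run_session(tls_setting: str, commands: list[str]) -> list[str]:
    """Feed a command sequence to a fresh listener and return the reply codes."""
    listener = Listener(tls_setting)
    return [listener.handle(cmd)[:3] for cmd in commands]


# Constructed client conversation: the MTA tries to send before STARTTLS,
# then upgrades and tries again.
SAMPLE = [
    "EHLO mta.example.com",
    "MAIL FROM:<alice@example.com>",
    "STARTTLS",
    "MAIL FROM:<alice@example.com>",
    "QUIT",
]

if __name__ == "__main__":
    for setting in (NO, PREFERRED, REQUIRED):
        print(f"{setting:9} -> {run_session(setting, SAMPLE)}")
```

Running the block prints one reply-code list per setting: under No the STARTTLS attempt is rejected and mail flows in the clear, under Preferred the cleartext MAIL FROM is accepted and STARTTLS is also accepted, and under Required the first MAIL FROM gets 530 and only the post-handshake one succeeds, which is what the table means by refusing mail before it is sent.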