Cisco Email Security Appliance C650 User Guide
23-12
Cisco AsyncOS 9.1 for Email User Guide
Chapter 23 Encrypting Communication with Other MTAs
Enabling TLS and Certificate Verification on Delivery
Enabling TLS Connection Alerts Using the GUI
Procedure
Step 1
Navigate to the Mail Policies > Destination Controls page.
Step 2
Click Edit Global Settings.
Step 3
Click Enable for “Send an alert when a required TLS connection fails.”
This is a global setting, not a per-domain setting. For information on the messages that the appliance
attempted to deliver, use the Monitor > Message Tracking page or the mail logs.
Step 4
Submit and commit your changes.
Enabling TLS Connection Alerts Using the CLI
To enable TLS connection alerts using the CLI, use the destconfig -> setup command.
Logging
The Email Security appliance will note in the mail logs instances when TLS is required for a domain but
could not be used. Information on why the TLS connection could not be used will be included. The mail
logs will be updated when any of the following conditions are met:
• The remote MTA does not support ESMTP (for example, it did not understand the EHLO command
from the Email Security appliance).
• The remote MTA supports ESMTP but “STARTTLS” was not in the list of extensions it advertised
in its EHLO response.
• The remote MTA advertised the “STARTTLS” extension but responded with an error when the
Email Security appliance sent the STARTTLS command.
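The three logged conditions above correspond to three distinct points in the SMTP dialogue. As an added example (not from the Cisco guide and not AsyncOS code), this Python function classifies captured EHLO and STARTTLS replies into those conditions, which helps when checking a partner MTA before requiring TLS for its domain. The outcome labels and the sample replies are constructed for illustration.

```python
def parse_reply(raw):
    """Parse one (possibly multiline) SMTP reply into (code, [text, ...])."""
    code, texts = None, []
    for line in raw.strip().splitlines():
        if len(line) < 3 or not line[:3].isdigit() or line[3:4] not in ("", " ", "-"):
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and int(line[:3]) != code:
            raise ValueError("reply code changes inside one reply")
        code = int(line[:3])
        texts.append(line[4:])
    if code is None:
        raise ValueError("empty reply")
    return code, texts


def classify_tls_outcome(ehlo_raw, starttls_raw=None):
    """Return which condition (if any) prevents TLS; labels are this example's own."""
    code, texts = parse_reply(ehlo_raw)
    if code != 250:
        return "no_esmtp"  # EHLO was not understood
    # Line 1 is the greeting; each later line starts with an extension keyword.
    keywords = {t.split()[0].upper() for t in texts[1:] if t.strip()}
    if "STARTTLS" not in keywords:
        return "starttls_not_advertised"
    if starttls_raw is None:
        raise ValueError("STARTTLS was advertised; pass the reply to the STARTTLS command")
    code, _ = parse_reply(starttls_raw)
    return "tls_can_proceed" if code == 220 else "starttls_rejected"


# Constructed sample replies (not captured from a real MTA or from AsyncOS logs).
EHLO_WITH_TLS = "250-mx.partner.com Hello\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLES = {
    "legacy": ("500 5.5.1 Command unrecognized", None),
    "no_tls": ("250-mx.partner.com Hello\r\n250-SIZE 10485760\r\n250 8BITMIME", None),
    # "STARTTLS" in the greeting text or inside another keyword must not count.
    "lookalike": ("250-mx.partner.com STARTTLS soon\r\n250 XSTARTTLS", None),
    "rejected": (EHLO_WITH_TLS, "454 4.7.0 TLS not available due to temporary reason"),
    "ok": (EHLO_WITH_TLS, "220 2.0.0 Ready to start TLS"),
}

if __name__ == "__main__":
    for name, (ehlo, starttls) in SAMPLES.items():
        print(f"{name:10} -> {classify_tls_outcome(ehlo, starttls)}")
```
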
CLI Example
In this example, the destconfig command is used to require TLS connections and encrypted
conversations for the domain “partner.com.” The list is then printed.
A certificate for example.com is used for outgoing TLS connections instead of the demonstration
certificate that is pre-installed. You may enable TLS with the demonstration certificate for testing
purposes, but it is not secure and is not recommended for general use.
mail3.example.com> destconfig