Cisco Cisco Email Security Appliance X1050 Guide D’Information
Contents
Introduction
What is the algorithm for certificate verification on the Cisco Email Security Appliance (ESA)?
Background Information
Definitions
Hosted Verify Algorithm
Verify Algorithm
Introduction
When using TLS to deliver email via a Cisco Email Security Appliance (ESA) you can choose to
perform certificate verification using either the 'Verify' or 'Hosted Verify' options. This is a crucial
part of securing the delivery of emails over TLS, and it is important to know how this verification is
performed.
perform certificate verification using either the 'Verify' or 'Hosted Verify' options. This is a crucial
part of securing the delivery of emails over TLS, and it is important to know how this verification is
performed.
What is the algorithm for certificate verification on the Cisco
Email Security Appliance (ESA)?
Email Security Appliance (ESA)?
There are actually two algorithms, one for the 'Verify' option, and the other for the 'Hosted Verify'
option. Typically the 'Hosted Verify' option is recommended as it is compatible with a larger
variety of scenarios.
option. Typically the 'Hosted Verify' option is recommended as it is compatible with a larger
variety of scenarios.
Background Information
This documentation is based on AsyncOS 8.0.1 and later versions. Prior versions of
AsyncOS may have somewhat different behavior.
AsyncOS may have somewhat different behavior.
●
Unless otherwise specified, wildcard matches are supported
●
Each algorithm stops after a successful match and subsequent checks are not evaluated
●
The CLI command tlsverify uses the 'Verify Algorithm'
●
Definitions
CN: This is the Common Name, part of the certificate's subject
●
SAN: This is the Subject Alternate Name extension to X.509. When used in this document,
we're specifically referring to any DNS names included in the SAN field.
we're specifically referring to any DNS names included in the SAN field.
●
Email Domain: This is the domain portion of the recipient's email address. For example, when
delivering to 'user@example.com', the email domain is 'example.com'
delivering to 'user@example.com', the email domain is 'example.com'
●
MX Hostnames: These are the hostnames of the email domain's MX records
●
PTR Hostname: This is the hostname returned by a DNS PTR lookup of the IP address the
ESA is connecting to
ESA is connecting to
●
SMTP Route Hostnames: If an SMTP route is configured for this destination, this is the
hostname used in the SMTP route
hostname used in the SMTP route
●