Cisco Email Security Appliance X1070 User Manual
20-6
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 20 Encrypting Communication with Other MTAs
Enabling TLS on a Listener’s HAT
Step 4 Enter the file name for the certificate.
Step 5 Enter a password for the certificate file.
Step 6 Click Export.
Step 7 Save the file to a local or network machine.
Step 8 You can export additional certificates or click Cancel to return to the Network > Certificates page.
Enabling TLS on a Listener’s HAT
You must enable TLS for any listeners where you require encryption. You may want to enable TLS on listeners facing the Internet (that is, public listeners), but not for listeners for internal systems (that is, private listeners). Or, you may want to enable encryption for all listeners.
You can specify the following settings for TLS on a listener.
By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener’s HAT to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, all default mail flow policy settings for private and public listeners have the tls setting set to “off.”
You can assign a specific certificate for TLS connections to individual public listeners when creating a listener. For more information, see .
Assigning a Certificate to a Public or Private Listener for TLS Connections
Using the GUI
Procedure
Step 1 Navigate to the Network > Listeners page.
Step 2 Click the name of the Listener to edit.
Step 3 In the Certificate field, choose a certificate.
Table 20-2 TLS Settings for a Listener

TLS Setting: Meaning

1. No: TLS is not allowed for incoming connections. No connections to the listener will require encrypted SMTP conversations. This is the default setting for all listeners you configure on the appliance.

2. Preferred: TLS is allowed for incoming connections to the listener from MTAs.

3. Required: TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, the Cisco appliance responds with an error message to every command other than NOOP, EHLO, or QUIT. This behavior is specified by RFC 3207, which defines the SMTP Service Extension for Secure SMTP over Transport Layer Security. “Requiring” TLS means that email which the sender is not willing to encrypt with TLS will be refused by the Cisco appliance before it is sent, thereby preventing it from being transmitted in the clear.
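The RFC 3207 behavior described for the Required setting, as an added example that is not the appliance's code: a small Python model of how a listener's reply logic changes under the three TLS settings. The reply codes, banner hostname and the exact reply text are assumptions taken from RFC 3207 and RFC 5321, not the appliance's actual strings.

```python
# Added example (not from the Cisco guide): models a listener's SMTP replies under
# the No / Preferred / Required TLS settings. Reply codes and the banner hostname
# are assumptions drawn from RFC 3207 / RFC 5321, not the appliance's own strings.
from dataclasses import dataclass

# Commands a Required-TLS listener still accepts before STARTTLS (RFC 3207 section 4)
ALWAYS_ALLOWED = {"NOOP", "EHLO", "QUIT"}


@dataclass
class Listener:
    tls: str                  # "No", "Preferred" or "Required" (Table 20-2)
    encrypted: bool = False   # set once STARTTLS has negotiated a session

    def handle(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply = ["250-mail.example.test"]
            # STARTTLS is advertised only if TLS is allowed and not already active
            if self.tls != "No" and not self.encrypted:
                reply.append("250-STARTTLS")
            reply.append("250 OK")
            return "\r\n".join(reply)
        if verb == "STARTTLS":
            if self.tls == "No":
                return "502 Command not implemented"
            if self.encrypted:
                return "503 TLS already active"
            self.encrypted = True  # a real server performs the handshake here
            return "220 Ready to start TLS"
        # Required: reject everything except NOOP, EHLO, QUIT until TLS is up
        if self.tls == "Required" and not self.encrypted and verb not in ALWAYS_ALLOWED:
            return "530 Must issue a STARTTLS command first"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"


def run_session(tls_setting: str, commands: list) -> list:
    """Feed a scripted client conversation to a listener and return its replies."""
    listener = Listener(tls_setting)
    return [listener.handle(cmd) for cmd in commands]
```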