Cisco Cisco Email Security Appliance C160 Mode D'Emploi
20-10
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 20 Encrypting Communication with Other MTAs
Enabling TLS and Certificate Verification on Delivery
If there is no specific entry for a given recipient domain in the good neighbor table, or if there is a
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
specific entry but there is no specific TLS setting for the entry, then the behavior is whatever is set using
the Destination Controls page or the
destconfig -> default
subcommand (“No,” “Preferred,”
“Required,” “Preferred (Verify),” or “Required (Verify)”).
Sending Alerts When a Required TLS Connection Fails
You can specify whether the Cisco appliance sends an alert if the TLS negotiation fails when delivering
messages to a domain that requires a TLS connection. The alert message contains name of the destination
domain for the failed TLS negotiation. The Cisco appliance sends the alert message to all recipients set
to receive Warning severity level alerts for System alert types. You can manage alert recipients via the
System Administration > Alerts page in the GUI (or via the
messages to a domain that requires a TLS connection. The alert message contains name of the destination
domain for the failed TLS negotiation. The Cisco appliance sends the alert message to all recipients set
to receive Warning severity level alerts for System alert types. You can manage alert recipients via the
System Administration > Alerts page in the GUI (or via the
alertconfig
command in the CLI).
2. Preferred
TLS is negotiated from the Cisco appliance interface to the MTA(s) for the
domain. However, if the TLS negotiation fails (prior to receiving a 220
response), the SMTP transaction will continue “in the clear” (not encrypted). No
attempt is made to verify if the certificate originates from a trusted certificate
authority. If an error occurs after the 220 response is received the SMTP
transaction does not fall back to clear text.
domain. However, if the TLS negotiation fails (prior to receiving a 220
response), the SMTP transaction will continue “in the clear” (not encrypted). No
attempt is made to verify if the certificate originates from a trusted certificate
authority. If an error occurs after the 220 response is received the SMTP
transaction does not fall back to clear text.
3. Required
TLS is negotiated from the Cisco appliance interface to MTA(s) for the domain.
No attempt is made to verify the domain’s certificate. If the negotiation fails, no
email is sent through the connection. If the negotiation succeeds, the mail is
delivered via an encrypted session.
No attempt is made to verify the domain’s certificate. If the negotiation fails, no
email is sent through the connection. If the negotiation succeeds, the mail is
delivered via an encrypted session.
4. Preferred (Verify)
TLS is negotiated from the Cisco appliance to the MTA(s) for the domain. The
appliance attempts to verify the domain’s certificate.
appliance attempts to verify the domain’s certificate.
Three outcomes are possible:
•
TLS is negotiated and the certificate is verified. The mail is delivered via an
encrypted session.
encrypted session.
•
TLS is negotiated, but the certificate is not verified. The mail is delivered
via an encrypted session.
via an encrypted session.
•
No TLS connection is made and, subsequently the certificate is not verified.
The email message is delivered in plain text.
The email message is delivered in plain text.
5. Required (Verify)
TLS is negotiated from the Cisco appliance to the MTA(s) for the domain.
Verification of the domain’s certificate is required.
Verification of the domain’s certificate is required.
Three outcomes are possible:
•
A TLS connection is negotiated and the certificate is verified. The email
message is delivered via an encrypted session.
message is delivered via an encrypted session.
•
A TLS connection is negotiated but the certificate is not verified by a trusted
CA. The mail is not delivered.
CA. The mail is not delivered.
•
A TLS connection is not negotiated. The mail is not delivered.
Table 20-3
TLS Settings for Delivery
TLS Setting
Meaning