Cisco Email Security Appliance C160 User Manual

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 2      Customizing Listeners
You can specify a certificate for the appliance to use for all outgoing TLS connections. To specify the certificate, click Edit Global Settings on the Destination Controls page or use destconfig -> setup in the CLI. The certificate is a global setting, not a per-domain setting.

You can specify 5 different settings for TLS for a given domain when you include a domain using the Destination Controls page or the destconfig command. In addition to specifying whether exchanges with a domain are required or preferred to be TLS encrypted, you can dictate whether validation of the domain is necessary. See Table 2-7 for an explanation of the settings.

Table 2-7  TLS Settings for Delivery

TLS Setting: Default
Meaning: The default TLS setting set using the Destination Controls page or the destconfig -> default subcommand used for outgoing connections from the listener to the MTA for the domain. The value “Default” is set if you answer “no” to the question: “Do you wish to apply a specific TLS setting for this domain?”

TLS Setting: 1. No
Meaning: TLS is not negotiated for outgoing connections from the interface to the MTA for the domain.

TLS Setting: 2. Preferred
Meaning: TLS is negotiated from the IronPort appliance interface to the MTA(s) for the domain. However, if the TLS negotiation fails (prior to receiving a 220 response), the SMTP transaction will continue “in the clear” (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received the SMTP transaction does not fall back to clear text.

TLS Setting: 3. Required
Meaning: TLS is negotiated from the IronPort appliance interface to MTA(s) for the domain. No attempt is made to verify the domain’s certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session.
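
The fallback rules for settings 1 to 3 above, written as a small Python client routine. This is an added example, not AsyncOS code: the setting labels, the outcome strings, the FakeSession class and the host name mx.example.test are constructed for illustration, and treating a destination that does not advertise STARTTLS as a failure prior to the 220 response is an assumption.

```python
import smtplib
import ssl

def unverified_context():
    # Settings 2 and 3 in Table 2-7 make no attempt to verify the certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def negotiate(smtp, setting):
    """Return 'tls', 'clear' or 'no-delivery' for one connected SMTP session."""
    smtp.ehlo()
    if setting == "no":
        return "clear"                 # 1. No: TLS is never negotiated
    try:
        smtp.starttls(context=unverified_context())
    except smtplib.SMTPException:
        # Raised before the handshake starts: STARTTLS not advertised, or the
        # reply to STARTTLS was not 220. Only Preferred continues in the clear.
        return "clear" if setting == "preferred" else "no-delivery"
    except OSError:
        # ssl.SSLError or a socket error: the 220 was received and the
        # handshake then failed. Neither setting falls back to clear text.
        return "no-delivery"
    smtp.ehlo()                        # EHLO again inside the TLS session
    return "tls"

class FakeSession:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, behaviour):
        self.behaviour = behaviour     # 'ok', 'rejected' or 'handshake-error'

    def ehlo(self):
        return (250, b"mx.example.test")

    def starttls(self, context=None):
        if self.behaviour == "rejected":
            raise smtplib.SMTPResponseException(454, b"TLS not available")
        if self.behaviour == "handshake-error":
            raise ssl.SSLError("handshake failed after 220")

def outcome_matrix():
    behaviours = ("ok", "rejected", "handshake-error")
    return {(s, b): negotiate(FakeSession(b), s)
            for s in ("no", "preferred", "required") for b in behaviours}
```

Domains left on Preferred are the ones whose mail can leave unencrypted when the destination rejects STARTTLS; with Required the same condition stops delivery on that connection instead.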