Cisco Email Security Appliance C160 User Manual

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 2: Customizing Listeners
Sending Alerts When a Required TLS Connection Fails
You can specify whether the IronPort appliance sends an alert if the TLS
negotiation fails when delivering messages to a domain that requires a TLS
connection. The alert message contains the name of the destination domain for
the failed TLS negotiation. The IronPort appliance sends the alert message to
all recipients set to receive Warning severity level alerts for System alert
types. You can manage alert recipients via the System Administration > Alerts
page in the GUI (or via the alertconfig command in the CLI).
To enable TLS connection alerts, click Edit Global Settings on the Destination
Controls page or use the destconfig -> setup subcommand. This is a global
setting, not a per-domain setting. For information on the messages that the
appliance attempted to deliver, use the Monitor > Message Tracking page or the
mail logs.
Logging
The IronPort appliance will note in the mail logs instances when TLS is required 
for a domain but could not be used. Information on why the TLS connection could 
not be used will be included. The mail logs will be updated when any of the 
following conditions are met:
  • The remote MTA does not support ESMTP (for example, it did not
    understand the EHLO command from the IronPort appliance).
  • The remote MTA supports ESMTP but “STARTTLS” was not in the list of
    extensions it advertised in its EHLO response.
  • The remote MTA advertised the “STARTTLS” extension but responded with
    an error when the IronPort appliance sent the STARTTLS command.
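The three conditions above can be told apart from the remote MTA's replies alone. The following Python is an added example, not part of the Cisco guide and not the appliance's own logic: it classifies a destination's EHLO and STARTTLS replies into those three cases, which helps when triaging a required-TLS alert. All function names, outcome labels and sample replies are assumptions made for illustration, and it works on raw SMTP replies rather than on the IronPort mail log format.

```python
import re

# Hypothetical outcome labels, one per logged condition in the list above.
NO_ESMTP = "no-esmtp"
NOT_ADVERTISED = "starttls-not-advertised"
REJECTED = "starttls-rejected"
TLS_READY = "tls-ready"
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(lines):
    """Parse one SMTP reply (possibly multi-line) into (code, [text, ...])."""
    code, texts = None, []
    for raw in lines:
        m = _REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed SMTP reply line: {raw!r}")
        code = int(m.group(1))
        texts.append(m.group(3) or "")
        if m.group(2) != "-":      # "250 text" (or a bare code) ends the reply
            break
    if code is None:
        raise ValueError("empty SMTP reply")
    return code, texts

def classify(ehlo_reply, starttls_reply=None):
    """Classify why a required-TLS delivery could not start TLS."""
    code, texts = parse_reply(ehlo_reply)
    if code != 250:                # EHLO not understood: no ESMTP support
        return NO_ESMTP
    # First line is the server's greeting; the rest are extension keywords.
    extensions = {t.split()[0].upper() for t in texts[1:] if t.strip()}
    if "STARTTLS" not in extensions:
        return NOT_ADVERTISED
    if starttls_reply is None:
        raise ValueError("STARTTLS advertised; supply the server's reply to it")
    code, _ = parse_reply(starttls_reply)
    return TLS_READY if code == 220 else REJECTED

# Constructed server replies (not captured from a real MTA).
SAMPLES = {
    "legacy": (["500 5.5.1 Command unrecognized"], None),
    "plain": (["250-mx.example.test", "250-SIZE 10240000", "250 8BITMIME"], None),
    "broken": (["250-mx.example.test", "250-STARTTLS", "250 PIPELINING"],
               ["454 4.7.0 TLS not available due to temporary reason"]),
    "healthy": (["250-mx.example.test", "250 starttls"], ["220 2.0.0 Ready"]),
}

def classify_samples():
    return {name: classify(*args) for name, args in SAMPLES.items()}
```

A destination that lands in the first two cases cannot negotiate TLS at all, while the third case often points at a transient or certificate-side problem on the remote MTA.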
CLI Example
In this example, the destconfig command is used to require TLS connections and
encrypted conversations for the domain “partner.com.” The list is then printed.