Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
 
Chapter 24      Encrypting Communication with Other MTAs
  Managing Lists of Certificate Authorities
Related Topics
Enabling TLS Connection Alerts 
Procedure 
Step 1  Navigate to the Mail Policies > Destination Controls page.
Step 2  Click Edit Global Settings.
Step 3  Click Enable for “Send an alert when a required TLS connection fails.”
        This is a global setting, not a per-domain setting. For information on the messages that the
        appliance attempted to deliver, use the Monitor > Message Tracking page or the mail logs.
Step 4  Submit and commit your changes.
You can also enable TLS connection alerts in the command-line interface using the destconfig -> setup 
command.
Logging
The Email Security appliance will note in the mail logs instances when TLS is required for a domain but 
could not be used. Information on why the TLS connection could not be used will be included. The mail 
logs will be updated when any of the following conditions are met:
- The remote MTA does not support ESMTP (for example, it did not understand the EHLO command 
  from the Email Security appliance). 
- The remote MTA supports ESMTP but “STARTTLS” was not in the list of extensions it advertised 
  in its EHLO response. 
- The remote MTA advertised the “STARTTLS” extension but responded with an error when the 
  Email Security appliance sent the STARTTLS command. 
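The three conditions above can be told apart from the remote MTA's SMTP replies alone. The following is an added example, not code from Cisco or the appliance: the function names, result labels and sample replies are assumptions constructed for illustration, and it works on recorded SMTP replies rather than on the appliance's mail log format.

```python
import re

# One SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:[ -](.*))?$")

def parse_reply(raw):
    """Split a possibly multi-line SMTP reply into (code, [text of each line])."""
    code, texts = None, []
    for line in raw.strip().splitlines():
        m = REPLY_LINE.match(line.strip())
        if not m:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(m.group(1))
        texts.append(m.group(2) or "")
    if code is None:
        raise ValueError("empty SMTP reply")
    return code, texts

def classify(ehlo_reply, starttls_reply=None):
    """Map recorded replies to one of the three conditions listed above.

    The labels returned here are hypothetical names, not appliance log text.
    """
    code, texts = parse_reply(ehlo_reply)
    if code != 250:
        # Condition 1: the remote MTA did not understand EHLO.
        return "NO_ESMTP"
    # The first 250 line is the greeting; each later line starts with an
    # extension keyword, compared case-insensitively.
    extensions = {t.split()[0].upper() for t in texts[1:] if t.split()}
    if "STARTTLS" not in extensions:
        # Condition 2: ESMTP is supported but STARTTLS was not advertised.
        return "STARTTLS_NOT_ADVERTISED"
    if starttls_reply is None:
        raise ValueError("STARTTLS was advertised; its reply is required")
    code, _ = parse_reply(starttls_reply)
    if code != 220:
        # Condition 3: STARTTLS was advertised but the command got an error.
        return "STARTTLS_REJECTED"
    return "NO_LISTED_CONDITION"

# Constructed sample replies (not captured from a real server).
LEGACY = "500 Command unrecognized"
PLAIN = "250-mx.example.net Hello\n250-SIZE 10240000\n250 8BITMIME"
GOOD = "250-mx.example.net STARTTLS is great\n250-starttls\n250 PIPELINING"
```

A greeting line that merely contains the word STARTTLS does not count as advertising the extension, which is why the first reply line is skipped.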
Managing Lists of Certificate Authorities
The appliance uses stored trusted certificate authorities to verify a certificate from a remote 
domain and establish the domain’s credentials. You can configure the appliance to use the following 
trusted certificate authorities:
- Pre-installed list. The appliance has a pre-installed list of trusted certificate authorities. This is 
  called the system list.
- User-defined list. You can customize a list of trusted certificate authorities and then import the list 
  onto the appliance.
You can use either the system list or the customized list, and you can also use both lists to verify 
a certificate from a remote domain.
Manage the lists using the Network > Certificates > Edit Certificate Authorities page in the GUI or the 
certconfig > certauthority command in the CLI.