Cisco Email Security Appliance C160 User Manual

Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 1      Customizing Listeners
Encrypting SMTP Conversations Using TLS
Enterprise Gateways (or Message Transfer Agents, i.e. MTAs) normally communicate "in the clear" over the Internet. That is, the communications are not encrypted. In several scenarios, malicious agents can intercept this communication without the knowledge of the sender or the receiver. Communications can be monitored and even altered by a third party.

Transport Layer Security (TLS) is an improved version of the Secure Sockets Layer (SSL) technology. It is a widely used mechanism for encrypting SMTP conversations over the Internet. AsyncOS supports the STARTTLS extension to SMTP (Secure SMTP over TLS), described in RFC 3207 (which obsoletes RFC 2487).

The TLS implementation in AsyncOS provides privacy through encryption. It allows you to import an X.509 certificate and private key from a certificate authority service or create a self-signed certificate to use on the appliance. AsyncOS supports separate TLS certificates for public and private listeners, secure HTTP (HTTPS) management access on an interface, the LDAP interface, and all outgoing TLS connections.
To successfully configure TLS on the Cisco IronPort appliance, follow these steps:

Step 1  Obtain certificates.

Step 2  Install certificates on the Cisco IronPort appliance.

Step 3  Enable TLS on the system for receiving, delivery, or both.
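The STARTTLS negotiation that Step 3 enables, written out as an added example in Python (not AsyncOS code): the listener is the server side and run_client() the sending MTA. The TLS handshake itself is reduced to a flag; the require_tls policy knob, the host names and the reply for MAIL before EHLO are assumptions, while the 220, 454 and 530 replies and the rule that STARTTLS is not advertised once TLS is active come from RFC 3207.

```python
"""RFC 3207 STARTTLS negotiation modelled offline.  Added example, not
AsyncOS code: the listener is the server side and run_client() the sending
MTA.  The handshake is a flag so the sequence runs without sockets."""

class StartTlsListener:
    """Receiving listener; require_tls is an assumed policy knob."""

    def __init__(self, cert_installed=True, require_tls=False):
        self.cert_installed = cert_installed  # Step 2 done: key and cert present
        self.require_tls = require_tls        # refuse MAIL until TLS is active
        self.tls_active = False
        self.greeted = False                  # EHLO seen on the current layer

    def handle(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            self.greeted = True
            exts = ["250-mx.example.test", "250-8BITMIME"]  # constructed host
            # RFC 3207: STARTTLS is advertised only while TLS is not yet active
            if self.cert_installed and not self.tls_active:
                exts.append("250-STARTTLS")
            exts[-1] = exts[-1].replace("-", " ", 1)  # last line uses "250 "
            return "\r\n".join(exts)
        if verb == "STARTTLS":
            if not self.cert_installed:  # no certificate and key to negotiate with
                return "454 4.7.0 TLS not available due to temporary reason"
            self.tls_active, self.greeted = True, False  # handshake; EHLO state reset
            return "220 2.0.0 Ready to start TLS"
        if verb == "MAIL":
            if not self.greeted:  # reply text is this example's choice
                return "503 5.5.1 EHLO required"
            if self.require_tls and not self.tls_active:
                return "530 5.7.0 Must issue a STARTTLS command first"
            return "250 2.1.0 Sender OK"
        return "502 5.5.2 Command not implemented"

def run_client(listener, require_tls):
    """Sending MTA with its own policy; returns the outcome of MAIL FROM."""
    ehlo = listener.handle("EHLO mta.example.test")
    if "STARTTLS" in ehlo:
        if listener.handle("STARTTLS").startswith("220"):
            listener.handle("EHLO mta.example.test")  # discard pre-TLS EHLO data
        elif require_tls:
            return "deferred: STARTTLS failed"
    elif require_tls:
        return "deferred: STARTTLS not offered"
    reply = listener.handle("MAIL FROM:<alice@example.test>")
    return "sent" if reply.startswith("250") else "rejected: " + reply
```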
Obtaining Certificates
To use TLS, the Cisco IronPort appliance must have an X.509 certificate and matching private key for receiving and delivery. You may use the same certificate for both SMTP receiving and delivery and different certificates for HTTPS services on an interface, the LDAP interface, and all outgoing TLS connections to destination domains, or use one certificate for all of them.

You may purchase certificates and private keys from a recognized certificate authority service. A certificate authority is a third-party organization or company that issues digital certificates used to verify identity and distributes public keys. This provides an additional level of assurance that the certificate is issued by a valid and trusted identity. Cisco IronPort does not recommend one service over another.
The Cisco IronPort appliance can create a self-signed certificate for your own use and generate a Certificate Signing Request (CSR) to submit to a certificate authority to obtain the public certificate. The certificate authority will return a trusted public certificate signed by a private key. Use the Network > Certificates page in the GUI or the certconfig command in the CLI to create the self-signed certificate, generate the CSR, and install the trusted public certificate.

If you are acquiring or creating a certificate for the first time, search the Internet for "certificate authority services SSL Server Certificates," and choose the service that best meets the needs of your organization. Follow the service's instructions for obtaining a certificate.
You can view the entire list of certificates on the Network > Certificates page in the GUI and in the CLI by using the print command after you configure the certificates using certconfig. Note that the print command does not display intermediate certificates.