Cisco Email Security Appliance C370 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved.
TLS Setting: 4. Preferred (Verify)
Meaning: TLS is negotiated from the ESA to the MTA(s) for the domain. The appliance attempts to verify the certificate of the domain. Three outcomes are possible:
• TLS is negotiated and the certificate is verified. The mail is delivered via an encrypted session.
• TLS is negotiated, but the certificate is not verified. The mail is delivered via an encrypted session.
• No TLS connection is made and, subsequently, the certificate is not verified. The email message is delivered in plain text.

TLS Setting: 5. Required (Verify)
Meaning: TLS is negotiated from the ESA to the MTA(s) for the domain. Verification of the domain certificate is required. Three outcomes are possible:
• A TLS connection is negotiated and the certificate is verified. The email message is delivered via an encrypted session.
• A TLS connection is negotiated, but the certificate is not verified by a trusted Certificate Authority (CA). The mail is not delivered.
• A TLS connection is not negotiated. The mail is not delivered.
Attempt TLS for all outbound communications
In this example, we set TLS so that all outbound email connections will at least attempt TLS; if TLS is not negotiated, the email will be sent as clear text.
1. Enable TLS on the Default Domain destination control: Mail Policies -> Destination Controls -> Default Destination Controls
I chose “Preferred” since this is the global default and I don’t want to be overly strict. It will attempt TLS and will not attempt to verify the other party’s certificate validity.
How to Determine If Cisco Email Security Is Using TLS for Delivery or Receiving
TLS connections are recorded in the mail logs along with other significant actions related to messages, such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a “TLS success” entry in the mail logs. Likewise, a failed TLS connection will produce a “TLS failed” entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection.
Below are examples of successful and failed TLS connections. You can see the log entries by reviewing message tracking in the GUI, or by using grep to parse the mail logs on the CLI. Please review the article for further assistance.
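The following shell script is an added example, not code from the Cisco white paper or from the ESA itself. It applies the rule stated above (a “TLS success” entry means an encrypted session, a “TLS failed” entry a failed handshake, and no TLS entry at all means plain-text delivery) to a small constructed mail log. Only the two marker strings come from the page; the surrounding line layout (timestamps, “Info:”, DCID and MID identifiers, cipher names) is a constructed approximation of the mail log format and should be checked against a real log before the patterns are used in production.

```shell
#!/bin/sh
# Added example (not from the Cisco white paper): classify the TLS outcome of
# delivery connections in ESA-style mail log lines. Only the "TLS success" and
# "TLS failed" markers come from the page; every other part of a line below is a
# constructed approximation of the log layout, not an authoritative Cisco format.

MAILLOG="${TMPDIR:-/tmp}/esa_mail_log_sample.$$.txt"
trap 'rm -f "$MAILLOG"' EXIT

# Constructed sample log: DCID 101 and 102 negotiate TLS, DCID 103 fails the
# handshake, and DCID 104 never gets a TLS entry (so it went out in plain text).
cat > "$MAILLOG" <<'EOF'
Wed Jun  1 10:00:01 2016 Info: New SMTP DCID 101 interface 10.0.0.5 address 192.0.2.10 port 25
Wed Jun  1 10:00:01 2016 Info: DCID 101 TLS success protocol TLSv1.2 cipher AES256-SHA
Wed Jun  1 10:00:02 2016 Info: Delivery start DCID 101 MID 5001 to RID [0]
Wed Jun  1 10:00:02 2016 Info: Message done DCID 101 MID 5001 to RID [0]
Wed Jun  1 10:00:05 2016 Info: New SMTP DCID 102 interface 10.0.0.5 address 198.51.100.20 port 25
Wed Jun  1 10:00:05 2016 Info: DCID 102 TLS success protocol TLSv1.2 cipher AES128-SHA
Wed Jun  1 10:00:09 2016 Info: New SMTP DCID 103 interface 10.0.0.5 address 203.0.113.30 port 25
Wed Jun  1 10:00:09 2016 Info: DCID 103 TLS failed: verify error: self signed certificate
Wed Jun  1 10:00:12 2016 Info: New SMTP DCID 104 interface 10.0.0.5 address 192.0.2.40 port 25
Wed Jun  1 10:00:13 2016 Info: Delivery start DCID 104 MID 5004 to RID [0]
EOF

# Number of delivery connections with a successful TLS handshake.
tls_success_count() {
  grep -c 'TLS success' "$1" || true
}

# Number of delivery connections whose TLS handshake failed.
tls_failed_count() {
  grep -c 'TLS failed' "$1" || true
}

# TLS outcome for one DCID: success, failed, or none. "none" means the log has
# no TLS entry for that connection, which per the rule above means the mail was
# not delivered over TLS.
tls_outcome_for_dcid() {
  if grep -q "DCID $2 TLS success" "$1"; then
    echo success
  elif grep -q "DCID $2 TLS failed" "$1"; then
    echo failed
  else
    echo none
  fi
}

# Every DCID opened in the log that never produced a TLS entry: the connections
# a reviewer would flag as plain-text delivery.
plaintext_dcids() {
  awk '
    /New SMTP DCID/          { for (i = 1; i <= NF; i++) if ($i == "DCID") opened[$(i+1)] = 1 }
    /TLS success|TLS failed/ { for (i = 1; i <= NF; i++) if ($i == "DCID") tls[$(i+1)] = 1 }
    END { for (d in opened) if (!(d in tls)) print d }
  ' "$1" | sort -n
}

# Stand-alone run: print a short summary of the sample log.
echo "TLS success:      $(tls_success_count "$MAILLOG")"
echo "TLS failed:       $(tls_failed_count "$MAILLOG")"
echo "Plain-text DCIDs: $(plaintext_dcids "$MAILLOG" | tr '\n' ' ')"
```

On an appliance the same patterns can be applied with grep against the live mail log from the CLI; the `plaintext_dcids` function is the one worth keeping, because a connection that simply never logged a TLS line is easy to miss when you only search for the two marker strings.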
How-To Secure Communications -
Setting Up Transport Layer Security (TLS)
Cisco Public