Cisco Email Security Appliance C170 User Guide
1-30
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 1 Customizing Listeners
A trusted CA is a third-party organization or company that issues digital certificates used to verify
identity and distributes public keys. This provides an additional level of assurance that the certificate is
issued by a valid and trusted identity.
You can configure your Cisco IronPort appliance to send messages to a domain over a TLS connection
as an alternative to envelope encryption. See the “Cisco IronPort Email Encryption” chapter in the Cisco
IronPort AsyncOS for Email Configuration Guide for more information.
You can specify a certificate for the appliance to use for all outgoing TLS connections. To specify the
certificate, click Edit Global Settings on the Destination Controls page or use destconfig -> setup in
the CLI. The certificate is a global setting, not a per-domain setting.
You can specify 5 different settings for TLS for a given domain when you include a domain using the
Destination Controls page or the destconfig command. In addition to specifying whether exchanges
with a domain are required or preferred to be TLS encoded, you can dictate whether validation of the
domain is necessary. See Table 1-7 for an explanation of the settings.
Table 1-7 TLS Settings for Delivery

| TLS Setting | Meaning |
|---|---|
| Default | The default TLS setting set using the Destination Controls page or the destconfig -> default subcommand used for outgoing connections from the listener to the MTA for the domain. The value “Default” is set if you answer “no” to the question: “Do you wish to apply a specific TLS setting for this domain?” |
| 1. No | TLS is not negotiated for outgoing connections from the interface to the MTA for the domain. |
| 2. Preferred | TLS is negotiated from the Cisco IronPort appliance interface to the MTA(s) for the domain. However, if the TLS negotiation fails (prior to receiving a 220 response), the SMTP transaction will continue “in the clear” (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received, the SMTP transaction does not fall back to clear text. |
| 3. Required | TLS is negotiated from the Cisco IronPort appliance interface to MTA(s) for the domain. No attempt is made to verify the domain’s certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session. |
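
The fallback rules for settings 1 through 3 can be modeled with Python's smtplib. This is an added example, not AsyncOS code. It assumes the "220 response" in the table is the server's reply to STARTTLS; negotiate, TLSDeliveryError, unverified_context and FakeMTA are hypothetical names.

```python
import smtplib
import ssl

class TLSDeliveryError(Exception):
    """No mail may be sent over this connection."""

def unverified_context():
    # Settings 2 and 3 in Table 1-7 make no attempt to verify the certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def negotiate(conn, setting):
    """Return 'cleartext' or 'encrypted' for an smtplib.SMTP-like conn, or raise."""
    if setting not in ("no", "preferred", "required"):
        raise ValueError(f"unknown TLS setting: {setting}")
    conn.ehlo()
    if setting == "no":
        return "cleartext"
    try:
        conn.starttls(context=unverified_context())
    except (smtplib.SMTPNotSupportedError, smtplib.SMTPResponseException) as exc:
        # STARTTLS not offered, or answered with something other than 220.
        if setting == "preferred":
            return "cleartext"
        raise TLSDeliveryError("TLS required but not negotiated") from exc
    except ssl.SSLError as exc:
        # 220 was received and the handshake then failed: no clear-text fallback.
        raise TLSDeliveryError("TLS handshake failed after 220") from exc
    conn.ehlo()  # re-issue EHLO inside the encrypted session
    return "encrypted"

class FakeMTA:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, outcome):
        self.outcome = outcome
    def ehlo(self):
        return 250, b"mta.example.test"
    def starttls(self, context=None):
        if self.outcome == "refused":
            raise smtplib.SMTPResponseException(454, b"TLS not available")
        if self.outcome == "handshake_fail":
            raise ssl.SSLError("handshake failure")
        return 220, b"Ready to start TLS"
```

Passing a real smtplib.SMTP object in place of FakeMTA exercises the same paths against a live MTA.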