Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 9.0 for Email User Guide
 
Chapter 23: Encrypting Communication with Other MTAs
Enabling TLS and Certificate Verification on Delivery
You can specify a certificate for the appliance to use for all outgoing TLS connections. To specify the certificate, click Edit Global Settings on the Destination Controls page or use destconfig -> setup in the CLI. The certificate is a global setting, not a per-domain setting.

You can specify 5 different settings for TLS for a given domain when you include a domain using the Destination Controls page or the destconfig command. In addition to specifying whether exchanges with a domain are required or preferred to be TLS encoded, you can dictate whether validation of the domain is necessary. See Table 23-3 for an explanation of the settings.

Table 23-3 TLS Settings for Delivery

| TLS Setting | Meaning |
|---|---|
| Default | The default TLS setting set using the Destination Controls page or the destconfig -> default subcommand used for outgoing connections from the listener to the MTA for the domain. The value “Default” is set if you answer “no” to the question: “Do you wish to apply a specific TLS setting for this domain?” |
| 1. No | TLS is not negotiated for outgoing connections from the interface to the MTA for the domain. |
| 2. Preferred | TLS is negotiated from the Email Security appliance interface to the MTA(s) for the domain. However, if the TLS negotiation fails (prior to receiving a 220 response), the SMTP transaction will continue “in the clear” (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received the SMTP transaction does not fall back to clear text. |
| 3. Required | TLS is negotiated from the Email Security appliance interface to MTA(s) for the domain. No attempt is made to verify the domain’s certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session. |
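
The fallback rules for settings 1 to 3 above, modelled as an added Python example (not part of the Cisco guide and not AsyncOS code), so that an administrator can see which destinations would receive mail in the clear. The function names, domains and SMTP replies are hypothetical, and the reading of "fails prior to receiving a 220 response" is an assumption noted in the code.

```python
# Added illustration: models only the No / Preferred / Required rows of Table 23-3.
from enum import Enum

class TLSMode(Enum):
    NO = 1
    PREFERRED = 2
    REQUIRED = 3

ENCRYPTED, CLEARTEXT, NOT_SENT = "encrypted", "cleartext", "not sent"

def delivery_outcome(mode, ehlo_lines, starttls_reply, handshake_ok):
    """Outcome of one connection attempt to a destination MTA.
    ehlo_lines     -- server EHLO response lines, e.g. "250-STARTTLS"
    starttls_reply -- server reply to the STARTTLS command, or None if not sent
    handshake_ok   -- True if the TLS handshake after the 220 reply completed
    """
    if mode is TLSMode.NO:
        return CLEARTEXT  # TLS is not negotiated at all
    # Assumption: "fails prior to receiving a 220 response" covers a server that
    # does not advertise STARTTLS or answers the command with anything but 220.
    advertised = any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines)
    got_220 = advertised and (starttls_reply or "").startswith("220")
    if not got_220:
        # Preferred continues in the clear; Required sends nothing.
        return CLEARTEXT if mode is TLSMode.PREFERRED else NOT_SENT
    if not handshake_ok:
        return NOT_SENT  # after the 220 there is no fallback in either mode
    return ENCRYPTED  # encrypted, but the peer certificate was never verified

def cleartext_domains(observations):
    """Domains whose mail would leave unencrypted, sorted for reporting."""
    return sorted(d for d, args in observations.items()
                  if delivery_outcome(*args) == CLEARTEXT)

# Constructed sample observations (hypothetical domains and SMTP replies).
WITH_TLS = ["250-mx.example", "250-STARTTLS", "250 8BITMIME"]
WITHOUT_TLS = ["250-mx.example", "250 8BITMIME"]
SAMPLE = {
    "partner.example": (TLSMode.PREFERRED, WITH_TLS, "220 Ready to start TLS", True),
    "legacy.example": (TLSMode.PREFERRED, WITHOUT_TLS, None, False),
    "busy.example": (TLSMode.PREFERRED, WITH_TLS, "454 TLS not available", False),
    "flaky.example": (TLSMode.PREFERRED, WITH_TLS, "220 Ready to start TLS", False),
    "bank.example": (TLSMode.REQUIRED, WITHOUT_TLS, None, False),
}

if __name__ == "__main__":
    for domain, args in SAMPLE.items():
        print(f"{domain:16} {args[0].name:10} {delivery_outcome(*args)}")
    print("cleartext:", cleartext_domains(SAMPLE))
```

Under these rules only the two Preferred destinations that never reach the 220 reply are delivered unencrypted; the same conditions under Required produce no delivery on that connection.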