Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
23-5
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 23 Authenticating SMTP Sessions Using Client Certificates
Establishing a TLS Connection from the Appliance
Procedure
Step 1
Select Network > SMTP Authentication.
Step 2
Click Add Profile.
Step 3
Enter the name for the SMTP authentication profile.
Step 4
Select Certificate for the Profile Type.
Step 5
Click Next.
Step 6
Enter the profile name.
Step 7
Select the certificate LDAP query you want to use with this SMTP authentication profile.
Note
Do not select the option to allow the SMTP AUTH command if a client certificate is not
available.
available.
Step 8
Click Finish.
Step 9
Submit and commit your changes.
Establishing a TLS Connection from the Appliance
The Verify Client Certificate option in the RELAYED mail flow policy directs the Email Security
appliance to establish a TLS connection to the user’s mail application if the client certificate is valid. If
you select this option for the TLS Preferred setting, the appliance still allows a non-TLS connection if
the user doesn’t have a certificate, but rejects a connection if the user has an invalid certificate. For the
TLS Required setting, selecting this option requires the user to have a valid certificate in order for the
appliance to allow the connection.
appliance to establish a TLS connection to the user’s mail application if the client certificate is valid. If
you select this option for the TLS Preferred setting, the appliance still allows a non-TLS connection if
the user doesn’t have a certificate, but rejects a connection if the user has an invalid certificate. For the
TLS Required setting, selecting this option requires the user to have a valid certificate in order for the
appliance to allow the connection.
To authenticate a user’s SMTP session with a client certificate, select the following settings:
•
TLS - Required
•
Verify Client Certificate
•
Require SMTP Authentication
Note
Although SMTP authentication is required, the Email Security appliance will not use the SMTP
authentication LDAP query because it is using certificate authentication.
authentication LDAP query because it is using certificate authentication.
To authenticate a user’s SMTP session using the SMTP authentication query instead of a client
certificate, select the following settings for the RELAYED mail flow policy:
certificate, select the following settings for the RELAYED mail flow policy:
•
TLS - Required
•
Require SMTP Authentication
If you require the Email Security appliance to ask for a client certificate from certain users while
allowing LDAP-based SMTP authentication from others, select the following settings for the RELAYED
mail flow policy:
allowing LDAP-based SMTP authentication from others, select the following settings for the RELAYED
mail flow policy:
•
TLS - Preferred