Cisco Email Security Appliance X1070 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved.
Preface
This document is for Cisco customers, Cisco channel partners and Cisco engineers setting up secure email communications. Transport Layer Security (TLS) is one of the ways to achieve this, and this document focuses only on TLS.
TLS is a security feature that does not require an additional license.
In this guide, you will learn how to send encrypted messages securely via email that only the intended recipient of that message can decrypt or decode.
Note: Cisco Email Security includes the following deployment options:
• Cloud Email Security (CES)
• Email Security Virtual Appliance (ESAV)
• Email Security Appliance (ESA)
TLS can be implemented in any of these deployment options using the same configuration steps.
Introduction
This document covers the following:
• What is TLS – basic definition?
• What is needed to enable TLS on Cisco Email Security?
• How to set up SSL certificates on Cisco Email Security for TLS encryption
• How to enable TLS for incoming emails (receiving)
• How to enable TLS for incoming emails (receiving) from specific domains or users@specificdomain
• How to enable TLS for outbound emails (delivery)
• How to enable TLS for outbound emails (delivery) for specific partner domains
• How to determine if Cisco Email Security is using TLS for delivery or receiving
• The performance impact of TLS encryption
Technical Details
What is TLS – basic definition?
As defined in RFC 3207, “TLS is an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. TLS is a popular mechanism for enhancing TCP communications with privacy and authentication.” The STARTTLS implementation on Cisco Email Security provides privacy through encryption. It allows you to import an X.509 certificate and private key issued by a certificate authority, or use a self-signed certificate.
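The STARTTLS exchange that RFC 3207 describes, as an added example that is not part of this white paper and not Cisco Email Security code: a client issues EHLO, looks for the STARTTLS keyword in the reply, and only then sends STARTTLS, expecting a 220 before the TLS handshake. The server below is a scripted stand-in whose replies are constructed for the example, and the policy names "required" and "preferred" are assumptions used to show the difference between failing closed and falling back to plaintext.

```python
"""STARTTLS negotiation (RFC 3207) against a scripted SMTP peer.

Added example, standard library only. ScriptedServer returns canned replies and
opens no socket; host names and reply texts are constructed for illustration.
"""


class ScriptedServer:
    """Stand-in for the remote MTA. Replies are constructed, not captured."""

    def __init__(self, advertise_starttls, starttls_reply="220 2.0.0 Ready to start TLS"):
        self.advertise_starttls = advertise_starttls
        self.starttls_reply = starttls_reply
        self.transcript = []  # "C:" / "S:" lines, for inspection

    def send(self, line):
        """Deliver one client command and return the server's reply lines."""
        self.transcript.append("C: " + line)
        verb = line.split()[0].upper()
        if verb == "EHLO":
            reply = ["250-mx.example.invalid Hello", "250-SIZE 52428800"]
            if self.advertise_starttls:
                reply.append("250-STARTTLS")
            reply.append("250 8BITMIME")
        elif verb == "STARTTLS":
            reply = [self.starttls_reply]
        elif verb == "QUIT":
            reply = ["221 2.0.0 Bye"]
        else:
            reply = ["250 2.0.0 OK"]
        self.transcript.extend("S: " + r for r in reply)
        return reply


def parse_ehlo(reply):
    """Return the set of EHLO keywords; the first reply line is the greeting."""
    keywords = set()
    for line in reply[1:]:
        text = line[4:]  # strip "250-" or "250 "
        keywords.add(text.split()[0].upper())
    return keywords


def negotiate(server, policy):
    """Drive the client side of STARTTLS under a 'required' or 'preferred' policy.

    Returns one of: 'tls' (220 received, handshake would start here),
    'plaintext' (continued without TLS), 'refused' (policy required TLS and
    the client quit instead), 'failed' (EHLO itself was rejected).
    """
    ehlo = server.send("EHLO esa.example.invalid")
    if not ehlo[0].startswith("250"):
        return "failed"
    if "STARTTLS" not in parse_ehlo(ehlo):
        if policy == "required":
            server.send("QUIT")  # fail closed: never send mail in the clear
            return "refused"
        return "plaintext"  # opportunistic: accept the downgrade
    reply = server.send("STARTTLS")
    if reply[0].startswith("220"):
        # RFC 3207: after the handshake the client must discard what it learned
        # and send EHLO again over the protected channel.
        return "tls"
    # e.g. "454 4.7.0 TLS not available due to temporary reason"
    if policy == "required":
        server.send("QUIT")
        return "refused"
    return "plaintext"


if __name__ == "__main__":
    peer = ScriptedServer(advertise_starttls=True)
    print(negotiate(peer, "required"))
    print("\n".join(peer.transcript))
```

The point the two policies make is the one that matters when enabling TLS for delivery: a peer that does not advertise STARTTLS, or that answers 454, is indistinguishable from an active downgrade, so only the fail-closed path guarantees that the message never leaves in plaintext.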
What is needed to enable TLS on Cisco Email Security?
1. Certificates – obtain a third-party SSL certificate from your preferred Certificate Authority
2. Installation of certificates on Cisco Email Security
3. Enable TLS on the system for receiving, delivery, or both
Note: Cisco Email Security includes a demonstration certificate for testing purposes. The demo certificate is not secure and is not recommended for general use.
Cisco Email Security Certificate Installation Requirements
You must have these items available in Privacy Enhanced Mail (PEM) format in order to install a certificate on Cisco Email Security:
• The X.509 certificate
• The private key that matches your certificate
• Any intermediate certificates that are provided by your Certificate Authority (CA)
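A pre-installation check on the PEM material listed above, as an added example that is not part of this white paper and not Cisco Email Security code: it splits a PEM bundle into its blocks, confirms each body is base64 that decodes to a DER SEQUENCE, and reports how many certificates and private keys it holds. The PEM blocks in the sample are constructed (their bodies are tiny hand-built DER, not real certificates or keys), and the rule that a bundle should hold at least one certificate and exactly one private key is an assumption for the example, not an appliance requirement.

```python
"""Inventory a PEM bundle before installing it on the appliance.

Added example, standard library only. The sample bundle is constructed: each
body is base64 of SEQUENCE { INTEGER 1 } (bytes 30 03 02 01 01), not a real
certificate or key, so the checks here are structural, not cryptographic.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample: leaf, one intermediate, and the matching key (all dummy DER).
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
"""


def der_sequence_ok(der):
    """Minimal DER sanity check: SEQUENCE tag and a length that covers the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form length
        length, header = first, 2
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + length


def inventory(pem_text):
    """Classify every PEM block; return counts plus a list of problems found."""
    certs, keys, problems = 0, 0, []
    for m in PEM_BLOCK.finditer(pem_text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("%s block is not valid base64" % label)
            continue
        if not der_sequence_ok(der):
            problems.append("%s block does not decode to a DER SEQUENCE" % label)
            continue
        if label in CERT_LABELS:
            certs += 1
        elif label in KEY_LABELS:
            keys += 1
        else:
            problems.append("unexpected block type %s" % label)
    # Assumed rule for this example: the bundle carries the chain and one key.
    if certs == 0:
        problems.append("no certificate found")
    if keys != 1:
        problems.append("expected exactly one private key, found %d" % keys)
    return {"certificates": certs, "private_keys": keys, "problems": problems}


if __name__ == "__main__":
    print(inventory(SAMPLE_BUNDLE))
```

This catches the usual upload failures (a key pasted in a non-PEM format, a truncated block, a bundle with no key) before the appliance rejects it; it does not prove that the key matches the certificate or that the intermediates chain to the leaf, which still needs a real parser or the openssl tooling.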
Cisco Email Security Services that Require Certificates
Certificates can be used for these four services:
• Inbound Transport Layer Security (TLS)
How-To Secure Communications - Setting Up Transport Layer Security (TLS)
Cisco Public