Cisco Email Security Appliance C160 User Guide
Chapter 1 Customizing Listeners
Cisco IronPort AsyncOS 7.1 for Email Advanced Configuration Guide
OL-22164-02
You can specify a certificate for the appliance to use for all outgoing TLS connections. To specify the certificate, click Edit Global Settings on the Destination Controls page or use destconfig -> setup in the CLI. The certificate is a global setting, not a per-domain setting.
You can specify 5 different settings for TLS for a given domain when you include a domain using the Destination Controls page or the destconfig command. In addition to specifying whether exchanges with a domain are required or preferred to be TLS encoded, you can dictate whether validation of the domain is necessary.
See
for an explanation of the settings.
Table 1-7 TLS Settings for Delivery

| TLS Setting | Meaning |
|---|---|
| Default | The default TLS setting set using the Destination Controls page or the destconfig -> default subcommand used for outgoing connections from the listener to the MTA for the domain. The value “Default” is set if you answer “no” to the question: “Do you wish to apply a specific TLS setting for this domain?” |
| 1. No | TLS is not negotiated for outgoing connections from the interface to the MTA for the domain. |
| 2. Preferred | TLS is negotiated from the IronPort appliance interface to the MTA(s) for the domain. However, if the TLS negotiation fails (prior to receiving a 220 response), the SMTP transaction will continue “in the clear” (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received the SMTP transaction does not fall back to clear text. |
| 3. Required | TLS is negotiated from the IronPort appliance interface to MTA(s) for the domain. No attempt is made to verify the domain’s certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session. |
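
The following Python model is an added example, not code from the guide or from AsyncOS. It walks the rows of Table 1-7 shown above through four connection scenarios to show when mail leaves unencrypted. Assumptions: the "220 response" is read as the destination MTA's reply to the STARTTLS command, a Preferred connection that fails after the 220 is modeled as "not sent" on that connection (the table says only that it does not fall back to clear text), and the host names and EHLO replies are constructed.

```python
from enum import Enum

class Tls(Enum):
    DEFAULT = 0    # inherit the destconfig default entry
    NO = 1
    PREFERRED = 2
    REQUIRED = 3

def outcome(setting, default, ehlo_reply, starttls_reply=None, handshake_ok=True):
    """Model one outgoing connection; returns 'encrypted', 'cleartext' or 'not sent'.

    ehlo_reply     -- constructed EHLO response lines from the destination MTA
    starttls_reply -- the MTA's reply to the STARTTLS command, if any
    handshake_ok   -- whether the TLS handshake that follows the 220 completes
    """
    if setting is Tls.DEFAULT:
        setting = default                      # per-domain "Default" inherits
    if setting is Tls.NO:
        return "cleartext"                     # TLS is not negotiated at all
    offered = any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_reply)
    got_220 = offered and (starttls_reply or "").startswith("220")
    if not got_220:
        # Failure before the 220: Preferred continues in the clear,
        # Required sends nothing through this connection.
        return "cleartext" if setting is Tls.PREFERRED else "not sent"
    if not handshake_ok:
        # Error after the 220: no fallback to clear text (modeling assumption
        # for Preferred: the message is not sent on this connection).
        return "not sent"
    # Settings 2 and 3 encrypt but do not verify the peer certificate.
    return "encrypted"

# Constructed EHLO replies for two hypothetical destination MTAs.
WITH_TLS = ["250-mx.example.net", "250-SIZE 10485760", "250 STARTTLS"]
WITHOUT_TLS = ["250-mx.example.net", "250 SIZE 10485760"]

if __name__ == "__main__":
    cases = {
        "STARTTLS offered, handshake ok": (WITH_TLS, "220 Ready to start TLS", True),
        "STARTTLS not offered": (WITHOUT_TLS, None, True),
        "STARTTLS refused (454)": (WITH_TLS, "454 TLS not available", True),
        "handshake fails after 220": (WITH_TLS, "220 Ready to start TLS", False),
    }
    for name, (ehlo, reply, ok) in cases.items():
        row = {s.name: outcome(s, Tls.PREFERRED, ehlo, reply, ok)
               for s in (Tls.NO, Tls.PREFERRED, Tls.REQUIRED)}
        print(f"{name:32} {row}")
```

The output rows make the trade-off visible: only Required guarantees that nothing is delivered in the clear, and neither Preferred nor Required authenticates the destination, because the certificate is not verified.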