Introduction
This document describes frequently asked questions about the configuration of Transport Layer Security (TLS) on the Email Security Appliance (ESA).
What is TLS?
As defined in RFC 3207, "TLS is an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet. TLS is a popular mechanism for enhancing TCP communications with privacy and authentication." The STARTTLS implementation on the ESA provides privacy through encryption. It allows you to import an X.509 certificate and private key from a certificate authority service, or use a self-signed certificate.
What is required to enable TLS on the ESA?
The following steps are necessary to enable TLS:
- Obtain certificates
- Install certificates on the ESA
- Enable TLS on the system for receiving, delivery, or both
Note: The ESA includes a demonstration certificate for testing purposes. The demo certificate is not secure and is not recommended for general use.
For more information refer to ESA Certificate Installation Requirements.
How do I enable TLS for receiving?
The following steps are necessary to require TLS from remote hosts that communicate with your ESA public listener (receiving). Enable TLS in the Host Access Table (HAT) of the listener that communicates with remote hosts:
- Go to GUI: Mail Policies > Mail Flow Policies
- Select the listener to which remote hosts will connect from the listener drop-down menu on the Mail Flow Policies page.
- Enable TLS on one or more Mail Flow Policies by clicking the policy name and checking the Use TLS check box at the bottom of the Edit Policy page.
For more information, refer to How to enable TLS for inbound connection encryption on ESA listener?
How do I enable TLS for delivery?
The following steps are necessary to enable TLS for delivery to hosts in remote domains:
- Go to GUI: Mail Policies > Destination Controls
- Add a new destination for the domain to which you will deliver with TLS.
- Set concurrency limit, recipient limit, and bounce profile, or accept the default values.
- Apply a TLS setting for the domain (No, Preferred, or Required).
For more information, refer to How do I control TLS negotiation on delivery?
How can I determine if the ESA is using TLS?
The ESA mail logs contain entries for successful and failed TLS connections. You can use command line tools such as grep to search for specific log entries. You can also configure system alerts for failed TLS connections on the GUI System Administration > Alerts page or with the CLI alertconfig command.
For more information, refer to Determine if ESA is Using TLS for Delivery or Receiving.
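As an added illustration that is not part of the original document, the following Python script summarises the per-connection TLS entries instead of reading them one grep hit at a time, counting successes and failures per direction and flagging successful sessions that negotiated a legacy protocol. The sample log lines and the exact wording the regular expression expects are constructed assumptions modelled on the general shape of ESA mail log entries (ICID for incoming connections, DCID for delivery connections); compare them with your own mail_logs before relying on the pattern.

```python
import re
from collections import Counter

# Constructed sample lines shaped like ESA mail_logs TLS entries (wording assumed).
SAMPLE_LOG = """\
Tue Mar  5 10:01:12 2024 Info: ICID 1001 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Tue Mar  5 10:01:15 2024 Info: ICID 1002 TLS failed: no shared cipher
Tue Mar  5 10:02:03 2024 Info: DCID 2001 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES128-GCM-SHA256
Tue Mar  5 10:02:10 2024 Info: DCID 2002 TLS failed: STARTTLS not offered by remote host
Tue Mar  5 10:03:00 2024 Info: ICID 1003 TLS success protocol TLSv1 cipher AES256-SHA
Tue Mar  5 10:03:30 2024 Info: Message 55 queued for delivery
"""

# ICID = incoming connection (receiving listener), DCID = outgoing delivery connection.
TLS_LINE = re.compile(
    r"(?P<kind>ICID|DCID) (?P<cid>\d+) TLS "
    r"(?:(?P<ok>success) protocol (?P<proto>\S+) cipher (?P<cipher>\S+)"
    r"|(?P<fail>failed)(?::\s*(?P<reason>.*))?)"
)

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_tls_events(log_text):
    """Return one dict per TLS success/failure line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        events.append({
            "direction": "receiving" if m.group("kind") == "ICID" else "delivery",
            "cid": int(m.group("cid")),
            "outcome": "success" if m.group("ok") else "failed",
            "protocol": m.group("proto"),   # None on failed negotiations
            "cipher": m.group("cipher"),
            "reason": m.group("reason"),    # None on successes
        })
    return events


def summarize(events):
    """Count outcomes per direction and flag successes that used a legacy protocol."""
    counts = Counter((e["direction"], e["outcome"]) for e in events)
    legacy = [e for e in events
              if e["outcome"] == "success" and e["protocol"] not in MODERN_PROTOCOLS]
    return {"counts": dict(counts), "legacy_protocol": legacy}


if __name__ == "__main__":
    report = summarize(parse_tls_events(SAMPLE_LOG))
    print(report["counts"], [e["cid"] for e in report["legacy_protocol"]])
```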
For more information, see the Cisco AsyncOS for Email User Guide chapter Encrypting Communication with Other MTAs.
Related Information