Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Secure Email Support Community
Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.2.0-616
Cloud Gateway Email Status Portal Support & Downloads docs.ces.cisco.com
Email and Web Manager: 14.2.0-203
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in: 1.1.0.136
Encryption Bug Search
Encryption Plug-in: 1.2.1.167
Cloud Mailbox Notification Service
Outlook Add-in(s): More info
907
Views
10
Helpful
5
Replies
RD77
Beginner
Beginner
‎01-03-2022 08:07 AM
‎01-03-2022 08:07 AM

About option "Verify Client Certificate" in Mail flow Policy

Hi,

Just want a clarification on the option "Verify Client certificate" under TLS / Preferred (or Required).

When I choose Prefered and Verify Client certificate, what is done is the background?

 

I understand that the ESA acts as a server when receiving a connection from a remote MTA (client), so it has nothing to verify the client certificate...

 

Does it mean that the ESA connects back to the remote MTA and check its "server" certificate?

And what is checked? Signed by Trusted CA, Date and CN?

Thanks for the help

 

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
VIP Advocate VIP Advocate
VIP Advocate
In response to RD77
‎01-03-2022 11:05 AM
‎01-03-2022 11:05 AM

When users are using a mail client to connect to send mail to the ESA, you can make them send a cert you can verify. So Thunderbird or Outlook or whatever has to have a cert that's valid. Its not clear what valid means in this case, but probably matching the sender address.
>From the online help again:

Deny, Prefer, or Require Transport Layer Security (TLS) in SMTP conversations for this listener.

If you select Preferred, you can make TLS mandatory for envelope senders from a specific domain or with a specific email address by selecting an Address List that specifies those domains and email addresses. When an envelope sender matching a domain or address in this list tries to send a message over a connection that does not use TLS, the email gateway rejects the connection and the sender will have to try again using TLS.

The Verify Client Certificate option directs the email gateway to establish a TLS connection to the user's mail application if the client certificate is valid. If you select this option for the TLS Preferred setting, the email gateway still allows a non-TLS connection if the user doesn't have a certificate, but rejects a connection if the user has an invalid certificate. For the TLS Required setting, selecting this option requires the user to have a valid certificate in order for the email gateway to allow the connection.

View solution in original post

5 REPLIES 5
Ken Stieers
VIP Advocate VIP Advocate
VIP Advocate
‎01-03-2022 08:24 AM
‎01-03-2022 08:24 AM

(Assuming you're looking at Destination Controls) Yes. When they ESA connects to another MTA, and you have it set to *** - Verify, the ESA checks to make sure that the cert matches the system it connects to, that the cert is still valid, and that the trust chain is valid.
Taken from the online help (https:///help/esa_help/index.html#!c_enabling_tls_and_certificate_verification_on_delivery.html#con_1126500)
For Preferred (Verify)

TLS is negotiated from the email gateway to the MTA(s) for the domain. The email gateway attempts to verify the domain's certificate.

Three outcomes are possible:

* TLS is negotiated and the certificate is verified. The mail is delivered via an encrypted session.
* TLS is negotiated, but the certificate is not verified. The mail is delivered via an encrypted session.
* No TLS connection is made and, subsequently the certificate is not verified. The email message is delivered in plain text.
For Required (Verify)

TLS is negotiated from the email gateway to the MTA(s) for the domain. Verification of the domain certificate is required. The following outcomes are possible:

* A TLS connection is negotiated and the certificate is verified. The email message is delivered via an encrypted session.
* A TLS connection is negotiated, but the certificate is not verified by a trusted Cerfificate Authority (CA). The mail is not delivered.
* A TLS connection is not negotiated. The mail is not delivered.


0 Helpful
RD77
Beginner
Beginner
In response to Ken Stieers
‎01-03-2022 10:52 AM
‎01-03-2022 10:52 AM

Hi Ken,

Actually I was thinking off TLS settings in the Mail Flow Policy (not in destination controls).

You can choose, Prefered, Required and there is a "Verifiy Client certificate" option

But don't understand how it works in this situation since the ESA acts as a server in this case..

0 Helpful
Ken Stieers
VIP Advocate VIP Advocate
VIP Advocate
In response to RD77
‎01-03-2022 11:05 AM
‎01-03-2022 11:05 AM

When users are using a mail client to connect to send mail to the ESA, you can make them send a cert you can verify. So Thunderbird or Outlook or whatever has to have a cert that's valid. Its not clear what valid means in this case, but probably matching the sender address.
>From the online help again:

Deny, Prefer, or Require Transport Layer Security (TLS) in SMTP conversations for this listener.

If you select Preferred, you can make TLS mandatory for envelope senders from a specific domain or with a specific email address by selecting an Address List that specifies those domains and email addresses. When an envelope sender matching a domain or address in this list tries to send a message over a connection that does not use TLS, the email gateway rejects the connection and the sender will have to try again using TLS.

The Verify Client Certificate option directs the email gateway to establish a TLS connection to the user's mail application if the client certificate is valid. If you select this option for the TLS Preferred setting, the email gateway still allows a non-TLS connection if the user doesn't have a certificate, but rejects a connection if the user has an invalid certificate. For the TLS Required setting, selecting this option requires the user to have a valid certificate in order for the email gateway to allow the connection.

RD77
Beginner
Beginner
In response to Ken Stieers
‎01-03-2022 02:53 PM
‎01-03-2022 02:53 PM

So this means it is not possible to check the remote MTA certificate when it connects to the ESA?

0 Helpful
Ken Stieers
VIP Advocate VIP Advocate
VIP Advocate
In response to RD77
‎01-03-2022 03:12 PM
‎01-03-2022 03:12 PM

Think of a remote MTA connecting more like a browser connecting to a web server.

Your browser doesn't send a cert unless you're logging into a page, which is actually separate from the HTTPS conversion...

Latest Contents
Earn $100! Interview with Cisco on Network Risk, Compliance ...
Created by S Nath on 06-27-2022 01:56 PM
0
0
0
0
Are you responsible for risk management, compliance management and auditing of a network?    If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ... view more
Converting Cisco Secure Endpoint Connectors from Audit to Pr...
Created by Sohaib Ahmed on 06-23-2022 05:19 PM
0
0
0
0
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari... view more
🧦💚 Tell us about your ZTNA journey in exchange for a pair ...
Created by betswang on 06-23-2022 03:05 PM
0
15
0
15
  Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ... view more
Cisco ASA Access-list ACL using network object
Created by Meddane on 06-23-2022 06:59 AM
0
0
0
0
  A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se... view more
How To: Cisco ISE Captive Portals with Aruba Wireless
Created by ahollifield on 06-22-2022 06:23 PM
4
10
4
10
How To: Cisco ISE Captive Portals with Aruba Wireless Authors: Adam Hollifield, Brad Johnson IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad