Showing results for 
Search instead for 
Did you mean: 

Ask the Expert: Best Practices for Configuring the Email Security Appliance

Community Manager
Community Manager

Read the bioWith Woody Hardison

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Woody Hardison  about Cisco e-mail security appliance, configuration of the HAT, anti-spam, anti-virus and how to install and configure certificates.Woody Hardison is an Escalation Engineer at the Technical Assistance Center at Cisco's RTP campus in North Carolina. He has over 4 years experience configuring and troubleshooting the Cisco IronPort Email Security Appliance.  Woody is a Cisco IronPort Certified Security Professional.

Remember to use the rating system to let Woody  know if you have received an adequate response. 

Woody might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Ironport sub-community discussion forum shortly after the event. This event lasts through March 9, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

26 Replies 26

Douglas Hardison
Cisco Employee
Cisco Employee

Hello everyone,

Feel free to fire away with questions you may have regarding the Cisco Email Security Appliance. I'm here to answer them to the best of my ability.


I just noticed that 7.6 is available as upgrade on my C370 Appliances... Is that safe to do go there or that is still in "early deployment" phase? I am currently running 7.5.1


The 7.6 build is currently in what can be considered a 'First Customer Ship' phase. It has not yet

been released for install by all appliances, but is considered a stable release. These builds

are released to specific customers who have aligned with Cisco to deploy the software before

General Availability. The build is considered stable, but these early adopters offer a chance

for any last minute issues to be addressed, should any be found.

If, while running the 'upgrade' command, you see 7.6 as an option, upgrade

at your leisure. For those who do not see this build available, take note that this is the final

step before General Availibilty, which means 7.6 will be available in the near future.

7.6 is an exciting release, as it will be the first official ESA build with IPV6 support. Cisco's website contains the 7.6 release notes outlining what is new and what defects have been addressed:

Woody, I see the 7.6 release is available for my C670 appliances (production environment) but is not for my C650 appilances (test/pilot environment).  By policy I need to install in test/pilot before production.  I am really interested in this release and would liek to have some idea when it might be available at the C650 level.

Hi David,

   We'd be happy to help get your test boxes provisioned for the 7.6 release, if you'd like to test it out.

Since we'll need your appliance serial numbers, it would be best for you to open a standard support request to keep your information confidential.

Feel free to open a support request explaining that you'd like your test boxes be allowed to upgrade to 7.6.

Include the serial numbers of the appliances in the request. Once the engineer processes your request, your

appliances will automatically see the upgrade available via the 'upgrade' command in the CLI, or the upgrade

page in the web interface.

Since you mentioned these are test boxes, I will mention the requirement listed on Page 4 of the 7.6 release notes:

"Starting in AsyncOS 7.6, an Email Security appliance requires an anti-spam system feature key in order to use the SenderBase Reputation Service."

So, you'd want to keep that in mind that if your test boxes don't have current antispam keys, the SBRS system will not be available.

All that being said, as I mentioned in a previous post, the limited release is the last step before General Availability. We do not post time-frames for the GA release, in the event that any last minute issues need addressing. But, the release should be available in the very near future. Sorry for being so vague. 




Thank you for your quick response, I will submit a support case to get the C650's added to the FCS to 7.6 release.  Test is kind of a misnomer for these appliances they are fully functional with all the required feature keys as they support our fully functional pilot environment and mirror our production implemetation.




Are SMTP TLS-Encryption and Cisco Ironport Email-Encryption are different ways to encrypt Mails ?

For Ironport Email-Encryption i need a Feature Keys for TLS-Encryption not is this correct ?

How can i check in the Version 6.5.3 how long my certificate for TLS Encryption is valid ?



     I've included my responses inline for easier reading:

1) Are SMTP TLS-Encryption and Cisco Ironport Email-Encryption are different ways to encrypt Mails ?

1A) Yes, they are different. SMTP TLS (Transport Layer Security )encryption is point-to-point encryption between to smtp servers when transmitting messages. This is to protect from others 'eavesdropping' on the connection and intercepting the communication in plain text. The communicating servers identify themselves using digital certificates. The client may contact the server that issued the certificate (the  trusted CA) and confirm the validity of the certificate before  proceeding.

Cisco IronPort Email Encryption is a system which encrypts the message itself, using ARC4 or AES encryption. (ARC4 is the most common choice, it provides encryption with minimal decryption delays for message recipients.)

The encrypted message can then be transmitted through a standard SMTP connection, or via TLS connection.

The basic workflow for opening encrypted messages is:

Step 1
When you configure an encryption profile, you specify the parameters for message  encryption. For an encrypted message, the Email Security appliance  creates and stores a message key on a local key server or on the hosted  key service (Cisco Registered Envelope Service).

Step 3

When a recipient opens an encrypted message in a browser, a password may be required to authenticate the recipient’s identity. The key server returns the encryption key associated with the message.

When opening an encrypted email message for the first time, the recipient is  required to register with the key service to open the secure envelope.  After registering, the recipient may be able to open encrypted messages  without authenticating, depending on settings configured in the  encryption profile. The encryption profile may specify that a password  isn’t required, but certain features will be unavailable.

2) For Ironport Email-Encryption i need a Feature Keys for TLS-Encryption not is this correct ?

2A) Correct. A feature key is required for Cisco IronPort Email encryption. TLS is a standard mail transmission

protocol and as such, is available for configuration within the appliance's settings.

3) How can i check in the Version 6.5.3 how long my certificate for TLS Encryption is valid ?

3A)  In version 6.5.3, the appliance uses one certificate for TLS and SSL ( browser security ), so the easiest way

to check its expiration date is to connect to the Cisco IronPort's web interface, and use your browser to view the

certificate the site uses. For instance, in my version of Firefox, I can click on the domain name beside the url bar, choose 'More Information -> View Certificate' and the certificate details are shown. This includes the expiration date of the certificate. Directions for retrieving a certificate's information through other browsers should be readily available on the Internet.

You can also pull the certificate information from an openssl connection to your appliance and extract the expiration date. The following commands are generally available on a Linux/Unix box:

  1. Retrieve the certificate

    $ echo "" | openssl s_client -connect ironports_hostname:25 -starttls smtp > dump_certificate
  2. Retrieve then the expiration date of the certificate

    $ openssl x509 -in dump_certificate -noout -enddate

    It should give you an output similar to:

    notAfter=May  20 22:00:00 2019 GMT

( Substitute ironports_hostname for the hostname of your Cisco IronPort Email Security Appliance in the example.)

Hope that helps.


Greg Hopp

My Ironport is getting hammered with Directory Harvesting attacks.  Is there anything I can do or just let the Ironport deal with it?

Hi Greg,

Directory Harvest Attacks, sometimes called 'dictionary attacks' are defined by the technique spammers use to try to determine valid email addresses on a mail domain.

Many spammers send emails to a high number  of invalid addresses, so blocking senders who send to invalid  recipients can also decrease spam.

Given that Directory Harvest Attack Prevention (DHAP) on the Cisco IronPort aborts the connection at the SMTP conversation phase, it is quite effective at preventing the attacker from reaching many valid usernames on your domain.

As a general rule, DHAP attacks are short-lived burts of attempts to reach valid users. Given the nature of these attacks, and their (usual) brevity, I would recommend allowing the Cisco IronPort to handle the rejections for you. DHAP was designed to exclusively handle these types of attacks.



Bob Neville

Is it better to block an email address with a policy or a filter  ? Which one takes less processing power ?

Hi Bob,

     Good question. I'm assuming you'd like to block inbound messages from a particular sender.

Message filters will use the least amount of resources to block an email. This is basically due to the fact that message filters affect the message very early in the process of evaluation. Policies and content filters occur later in the process, triggering more actions before they are reached, and therefore will use more resources.

That being said, if you find yourself wanting to block several senders and find you are adding more and more individual message filters, you'd be counter-acting their advantage. Also, this can become unwieldly, as it's harder to manage than a list of "bad senders" which can be managed centrally.

That's a situation where you would want to consider using a dictionary to store the list of sender addresses, where you can add and subtract them as needed in one central file.

Cisco's Knowledge Base contains an existing article describing how to  do just that, and I encourage you to read it to see if it meets your  needs:

For examples and syntax of message filters, you can access the Cisco IronPort's online help from the appliance's web interface through the link: 'Help and Support -> Online Help'

Use the Search box in the online help to search for 'message filters', then scroll down to the section 'Advanced Configuration Guide'. There are several sections dedicated to message filters.

Hope that helps,


We have been running the Ironport C370 for over 1 year now and would like to say they are the best product that I have used.  Very easy to maintain and very good at what they do.

With that being said, I want to see what I can do to increase the amount of Spam that I'm currently blocking.  On average, we are blocking about 91% of the Spam at our Gateways.  I would like to see about trying to increase this by at least 1 to 2%.  Currently we are setup as follows:

Blacklist - -10 to -2

Suspectlist - -2 to 0

Unknowlist - 0 to 7.5

Whitelist - 7.5 to 10

Any Positively-Identified Spam is dropped.  Any Suspected Spam is sent to Quarantine.  Our Spam Thresholds are:

Positively Identified Spam Score > 74

Suspected Spam Score > 36

What can I adjust to try to block the most Spam possible? 



Hi Woody, very interesting discussion!

I've got a question regarding the cipher use for TLS. We have currently configured our SSL for

AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5 ciphers. However it seems that there are a lot more available for Ironports. What do you recommend in  term of choice for the ciphers, and what are the consequences of this choice especially in term of performances (obviously I don't want to enter the whole list of available ciphers if there is a risk of increase the latency). Please note also that we can't add :ALL at the end of the cipher list for security policies reasons.



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers