02-27-2008 01:34 PM
We have never used TLS before and haven't got any certs/keys (C650).
Is there a checklist of everything needed to set up TLS between our company and an external company that requires it?
I know there is information in the Advanced user guide but I need a dummy guide!
02-28-2008 12:01 AM
Hi John,
Here's a great KB article that can help you get up and running and become more familiar with how the IronPort integrates with TLS.
The KB article contains links to additional kb articles and should be a good starting point. If you need further assistance, you can post more questions here or contact Support.
TLS Configuration Frequently Asked Questions
http://tinyurl.com/g6c3m
02-28-2008 12:07 AM
Also, I wanted to note that the IronPort appliance does not currently have the functionality to generate the Certificate Signing Request (CSR) itself. The CSR has to be created by a third party application.
Here are some useful kb links that may be helpful
1. How do I create a certificate request on Windows using OpenSSL?
http://tinyurl.com/344xfh
2. Generating a Certificate Signing Request (CSR)
http://tinyurl.com/25a9x2
3. How to create new certificate signing request on Microsoft IIS server?
http://tinyurl.com/2n5z3a
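Since the appliance cannot produce the CSR itself, here is an added example (not from this thread or the linked KB articles) of doing it with OpenSSL on any workstation; the host name and organisation are placeholder assumptions, and the 2048-bit key size is current practice rather than anything the thread specifies.

```shell
#!/bin/sh
# Added example: generate the private key and CSR for the appliance with
# OpenSSL, then sanity-check the CSR before sending it to a CA.
# Assumed placeholders: the host name and organisation passed in by the caller.

make_csr() {
    # $1 = output directory, $2 = MX host name (becomes the CN), $3 = organisation
    outdir=$1; host=$2; org=$3
    mkdir -p "$outdir"
    # 2048-bit RSA private key, left unencrypted so the appliance can load it;
    # keep it readable only by you
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null || return 1
    chmod 600 "$outdir/$host.key"
    # The CSR carries the public key and subject; the CA signs this, never the key
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "/C=US/O=$org/CN=$host" 2>/dev/null || return 1
    # The CSR's self-signature must verify with the public key it contains
    openssl req -in "$outdir/$host.csr" -noout -verify 2>/dev/null
}

csr_subject() {
    # Print the subject of a CSR so it can be checked before submission
    openssl req -in "$1" -noout -subject
}

csr_matches_key() {
    # Confirm the CSR ($1) and private key ($2) belong together by comparing
    # the public key each one yields
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}
```

Keep the .key file on the workstation until the signed certificate comes back; the appliance needs the key and the CA-signed certificate together, while the CA only ever sees the CSR.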
02-28-2008 10:19 AM
Thanks folks.
Do companies normally set their public listeners to preferred for the default MFP? Is there a perceived performance hit in activating it for all?
If we create an MFP for those companies who require TLS, I presume this just generates an NDR?
Thanks John.
02-28-2008 03:37 PM
Yeah, you probably don't want to require/prefer all inbound connections to have to go through a TLS check, as this can hamper performance.
A common method is to create a new Sender Group (SG) and Mail Flow Policy (MFP) that either prefers or requires TLS to be established before transfer of information, on an "as needed" basis.
For example, call the new sender group "TLS_Required" and position it above the Whitelist SG. Assign this new "TLS_Required" SG to the new MFP called "Accepted_TLS", for example. Then, add the IP, hostname, or partial hostnames (i.e. .bankofamerica.com) to the new SG.
This is one way of doing it. How have other companies that put a lot of importance on TLS receiving and delivery done it? Anyone?
Also, remember that HAT Overview/MFP are for receiving. In other words, when other incoming hosts connect to your Ironport appliance.
"Mail Policies > Destination Controls", is for when your Ironport appliance delivers mail to hosts on the Internet. You probably don't want to make TLS Prefer/Require as the default. Likewise, you should create corresponding destination host entries for the domains that need the connections to be secure. However, if you're a banking institution and it's vital that all transactions between you and the Internet be made securely, then you may need to enable it on the Default.
Hope that helps.
02-29-2008 02:44 PM
As far as a performance impact you will find that TLS doesn't add a significant load. I have worked with several large and small IronPort customers who have turned on "Preferred TLS" for all inbound and outbound without an added performance load.
Erich
03-20-2008 03:16 PM
Has anyone got views on the Pros and Cons of using TLS for most MFPs?
From my point of view I would like to switch on 'preferred' for all connections inbound and outbound. If the TLS handshake is good the security has got to be improved. However, does this give you a false sense of security of what is more secure?
Without constantly monitoring the logs you don't know who is sending via TLS and those who would be at risk.
Has anyone got experience of turning on TLS required and then not being able to negotiate? Do you bounce or is a queue formed?
03-24-2008 09:58 PM
As a rough estimate, a single TLS connection requires the same amount of server resources as ten clear text conversations. The actual impact to your IronPort appliance will vary based on how many simultaneous TLS connections it must handle. To mitigate the performance impact, there is a limit to the number of TLS connections the IronPort appliance will allow. Currently the limit is 100 inbound and 100 outbound TLS connections.
If the connection limit is reached for outbound connections, AsyncOS will negotiate a clear text conversation with partners whose MTA (message transfer agent) allows it. Where the partner has TLS required, the IronPort appliance will simply wait and try the connection again later.
02-10-2014 10:11 PM
Thanks everyone, there are quite a few steps to get TLS working and this old thread really helped. After my most recent install, I put together a few articles documenting the different ways one can set up TLS on the IronPort (outbound, inbound, all domains, specific domains only). I didn't want to have to look it all up again on my next install.
General overview of setting up TLS on IronPort:
http://enterpriseit.co/ironport/setup-tls-ironport/
Setting up TLS for specific incoming mail domains:
http://enterpriseit.co/ironport/tls-incoming-mail-specific-domains/
I hope these help others,
Chris Harris