mithu
Beginner

Enable TLS certificate for outbound emails in ESA

The environment has two A records, abc.com and xyz.com. In the primary site they have two ESA appliances and the DR site has a single ESA appliance. For mail delivery they configured the MX records as below:

mx1.abc.com - Primary
mx2.abc.com - Primary
mx3.abc.com - DR

mx1.xyz.com - Primary
mx2.xyz.com - Primary
mx3.xyz.com - DR

If I need to enable TLS encryption for outbound email, do I need to purchase multiple certificates from a third-party certificate authority? Please assist me with the high-level concept and the steps.

Ken Stieers
VIP Advocate

OK... to be clear... MX records look like this:
abc.com. 21600 IN MX 10 mx1.abc.com.
abc.com. 21600 IN MX 10 mx2.abc.com.
abc.com. 21600 IN MX 10 mx3.abc.com.
And then the A records should look like this:
mx1.abc.com. 21600 IN A 10.10.10.1
mx2.abc.com. 21600 IN A 10.10.10.2
mx3.abc.com. 21600 IN A 10.30.10.1

You want the certificate to match the A records... so with the 2 domain names, you either need a UCC/SAN cert with the 6 names in it, or 2 wildcard certs, one for abc.com and one for xyz.com.
mithu
Beginner

Yes, you are right, the MX records are configured the same as you mentioned. First of all I want to know why we need a certificate for one domain: is the certificate bound to the IP or to the A record? Because there is a single A record but three IPs (two devices in a cluster setup).

The cert needs to match the name in the A records, not the IP.


So either 1 cert that has all of the names in it,
or 2 wildcard certs, one for abc.com and one for xyz.com,
or 6 certs, one for each box.


Think of these like web servers, cert needs to match the name that a user puts in the browser. Same concept.
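The name-matching rule in the accepted answer, worked through as an added example (this is not code from the original thread or from Cisco's ESA). It applies the host-name matching rules from RFC 6125 (exact dNSName match, or a single `*` as the whole left-most label) to the six MX host names from the question, for each of the three certificate options the answer lists, and shows that a certificate naming only the A-record IP covers none of them. The host names, IPs and SAN lists are constructed from the records posted above; `probe_mx_san` is a hypothetical helper for a live STARTTLS check that needs network access and is not used in the offline part.

```python
"""Which MX host names does a given certificate cover? (added example)"""
from __future__ import annotations

import ipaddress

# MX targets from the question (constructed from the records in the thread).
MX_TARGETS = {
    "abc.com": ["mx1.abc.com", "mx2.abc.com", "mx3.abc.com"],
    "xyz.com": ["mx1.xyz.com", "mx2.xyz.com", "mx3.xyz.com"],
}

# A-record IPs as posted in the reply (constructed; only used to show that a
# certificate issued to an IP does not cover the host names remote MTAs use).
A_RECORDS = {
    "mx1.abc.com": "10.10.10.1",
    "mx2.abc.com": "10.10.10.2",
    "mx3.abc.com": "10.30.10.1",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a host name, RFC 6125 style.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the entire left-most label ('*.abc.com');
      partial wildcards such as 'mx*.abc.com' are rejected
    - the wildcard covers exactly one label, so '*.abc.com' matches
      'mx1.abc.com' but neither 'abc.com' nor 'a.b.abc.com'
    - anything without a wildcard must match exactly
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:          # refuse '*.com'-style wildcards
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def covered_hosts(san_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """For each host name, does any dNSName SAN in the certificate cover it?

    IP entries are skipped: a remote MTA connects to the MX *name* it got from
    DNS, so an iPAddress SAN never satisfies the check for these hosts.
    """
    dns_sans = [s for s in san_names if not is_ip(s)]
    return {h: any(hostname_matches(s, h) for s in dns_sans) for h in hosts}


def required_san_list(mx_targets: dict[str, list[str]]) -> list[str]:
    """Option 1 from the answer: one UCC/SAN certificate naming every MX host."""
    return sorted({h.lower() for hosts in mx_targets.values() for h in hosts})


def wildcard_san_list(mx_targets: dict[str, list[str]]) -> list[str]:
    """Option 2 from the answer: one wildcard per mail domain."""
    return ["*." + d.lower() for d in mx_targets]


def check_options() -> dict[str, dict[str, bool]]:
    """Coverage of all six MX names for each certificate option."""
    all_hosts = [h for hosts in MX_TARGETS.values() for h in hosts]
    options = {
        "one SAN cert": required_san_list(MX_TARGETS),
        "two wildcards": wildcard_san_list(MX_TARGETS),
        "per-box cert for mx1.abc.com": ["mx1.abc.com"],   # option 3, one of six
        "cert issued to the IP": [A_RECORDS["mx1.abc.com"]],
    }
    return {name: covered_hosts(sans, all_hosts) for name, sans in options.items()}


def probe_mx_san(host: str, port: int = 25, timeout: float = 10.0) -> list[str]:
    """Hypothetical live check: STARTTLS to an MX and return its dNSName SANs.

    Chain validation stays on (CERT_REQUIRED); only the host-name check is
    turned off so the comparison can be done with hostname_matches() above.
    Needs network access, so it is not called in the offline demonstration.
    """
    import smtplib
    import ssl

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for option, coverage in check_options().items():
        missing = [h for h, ok in coverage.items() if not ok]
        print(f"{option:32s} covers all six: {not missing}  missing: {missing}")
```

Against the constructed data the SAN certificate and the pair of wildcards cover all six names, the single per-box certificate covers only `mx1.abc.com`, and the IP-named certificate covers nothing. The same live comparison can be done without Python with `openssl s_client -starttls smtp -connect mx1.abc.com:25 -servername mx1.abc.com` and reading the Subject Alternative Name extension of the certificate it prints.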
