End to End Encryption via Email Security Appliance

rockbd
Level 1

Hi Guys

Need your help.

I am using an Email Appliance (as a mail gateway) and it is implemented with TLS for encryption.

But now I want gateway-to-gateway mail encryption, i.e. mail from my org's mail gateway to another org's mail gateway should be encrypted. Is it possible? If yes, can you tell me what the process is?

Thanks in advance.

8 Replies

dmccabej
Cisco Employee

Hello,

Assuming you simply want TLS encryption between gateways, all you would need to do is implement TLS on the other end (if already configured on the ESA). For example, if using Exchange, you would enable TLS on the Send/Receive connectors.

On the ESA, you can review the mail logs and/or message tracking to confirm if TLS is being used when receiving mail (ICID) or when delivering mail (DCID).

Thanks!

-Dennis M.

Thanks for the reply.

Yes, I want end-to-end encryption, e.g. mail from my organization to other organizations with total encryption.

I use Exchange.

So if I enable TLS, and it is also enabled in the mail gateway (ESA is 13.x), which is implemented already, then end-to-end encryption is done?

Do I have to use and implement the same certificate in both Exchange and ESA?

Do I have to exchange the certificate public key with the other organization to whom I send fully encrypted mail, so that that organization's gateway and mail server can decrypt and read my encrypted mail?

 

You don't have to use the same certificate on Exchange and ESA.

You don't have to share certs with the other end.

You DO need to configure Destination Controls to "required" for the domains in question if you don't want the ESA to fall back to unencrypted if the encryption setup fails for some reason.
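As an added example (not code from the thread or from Cisco), here is a small check that follows the advice above: it reads mail_logs-style lines, tracks the TLS outcome per accepted connection (ICID) and per delivery connection (DCID), and lists the deliveries that went out without a successful TLS handshake, which is exactly the fallback that setting Destination Controls to "required" prevents. The sample lines are constructed and their format is assumed from the ICID/DCID wording in this thread, so the regexes may need adjusting for a real appliance.

```python
import re

# Constructed sample in the style of ESA mail_logs (line format assumed from the
# ICID/DCID wording in the thread, not copied from a real appliance).
SAMPLE_LOG = """\
Mon Mar  2 10:01:05 2020 Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mx.example.net verified yes
Mon Mar  2 10:01:05 2020 Info: ICID 1001 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Mon Mar  2 10:02:11 2020 Info: New SMTP DCID 2001 interface 192.0.2.10 address 203.0.113.25 port 25
Mon Mar  2 10:02:11 2020 Info: DCID 2001 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES128-GCM-SHA256
Mon Mar  2 10:02:12 2020 Info: Delivery start DCID 2001 MID 5001 to RID [0]
Mon Mar  2 10:03:40 2020 Info: New SMTP DCID 2002 interface 192.0.2.10 address 203.0.113.99 port 25
Mon Mar  2 10:03:40 2020 Info: DCID 2002 TLS failed: verify error
Mon Mar  2 10:03:41 2020 Info: Delivery start DCID 2002 MID 5002 to RID [0]
Mon Mar  2 10:04:02 2020 Info: New SMTP DCID 2003 interface 192.0.2.10 address 203.0.113.50 port 25
Mon Mar  2 10:04:03 2020 Info: Delivery start DCID 2003 MID 5003 to RID [0]
"""

NEW_CONN = re.compile(r"New SMTP (ICID|DCID) (\d+) .*?address (\S+)")
TLS_OK = re.compile(r"(ICID|DCID) (\d+) TLS success protocol (\S+) cipher (\S+)")
TLS_FAIL = re.compile(r"(ICID|DCID) (\d+) TLS failed")
DELIVERY = re.compile(r"Delivery start DCID (\d+)")

def tls_report(log_text):
    """Map (kind, id) -> {peer, tls: ok|failed|none, cipher, delivered}.
    ICID = connection the ESA accepted, DCID = connection it opened to deliver."""
    conns = {}
    def entry(kind, cid):
        return conns.setdefault((kind, cid), {"peer": None, "tls": "none",
                                              "cipher": None, "delivered": False})
    for line in log_text.splitlines():
        if m := NEW_CONN.search(line):
            entry(m.group(1), m.group(2))["peer"] = m.group(3)
        elif m := TLS_OK.search(line):
            entry(m.group(1), m.group(2)).update(tls="ok", cipher=m.group(4))
        elif m := TLS_FAIL.search(line):
            entry(m.group(1), m.group(2))["tls"] = "failed"
        elif m := DELIVERY.search(line):
            entry("DCID", m.group(1))["delivered"] = True
    return conns

def plaintext_deliveries(log_text):
    """DCIDs that delivered mail without a successful TLS handshake: the fallback
    that setting Destination Controls to 'required' is meant to prevent."""
    return sorted(cid for (kind, cid), c in tls_report(log_text).items()
                  if kind == "DCID" and c["delivered"] and c["tls"] != "ok")

if __name__ == "__main__":
    print("delivered without TLS:", plaintext_deliveries(SAMPLE_LOG))
```

Note that even a "TLS success" line only proves the hop to the next MTA was encrypted; it says nothing about what happens after that gateway hands the message on.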

Dear Ken

Thanks for the reply.

If I am not wrong, I just have to make a policy for end-to-end encryption for the domain to which I have to send encrypted mail.

But if I don't share the public key, then how will the receiver domain decrypt my mail?

Thanks in advance.

Rockbd

Perhaps you're confusing TLS with other forms of encryption? TLS does not encrypt the payload itself, but instead the connection/session when sending between MTAs.

As mentioned, all you need to do for TLS encryption between hops is to enable TLS on your Exchange server. Assuming, of course, you've already enabled it on the ESA (which you said you did?).

Thanks!

-Dennis M.

Hi Dennis

Thanks for the reply.

Perhaps you're confusing TLS with other forms of encryption? TLS does not encrypt the payload itself, but instead the connection/session when sending between MTAs.

Yes, you guessed right. I am confused. I want end-to-end encryption. How can I do that?

Yes, I enabled TLS in the ESA.

Thanks in advance.

RockBD

Sounds like you're after Cisco Registered Envelope Service (CRES).

Cristian Matei
VIP Alumni

Hi,

Inbound/Outbound TLS has been supported by the ESA since the beginning. Depending on the scope in which you want TLS (inbound/outbound e-mail, URL filtering, LDAP integration), you need several steps to perform it. Here's a perfect document to guide you.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html#anc17

Regards,

Cristian Matei.
