Cisco Secure Email Support Community

Enforced TLS

We have enforced TLS for a few email domains, and for some domains we haven't applied Limit_type or Limit apply. Does that mean the enforced TLS is not working for those domains?

Vinay babu
Beginner

While enforcing TLS for any external domain (Mail Policies >> Destination Controls), we have to apply limits. However, if you want to know whether the emails are being delivered to enforced-TLS domains or not, use Message Tracking to see what's happening. Thanks.

Ken Stieers
Advocate

I'm not sure what those limits you're referencing are...
They aren't labeled in the GUI or CLI....
There are limit settings for the max number of recipients and if that limit is for the whole ESA or per virtual gateway (if you're using them)...
Not having those set does not turn off the TLS requirements.

Hi Ken,

Thank you for the update. I meant something like the one below. Does this configuration mean one domain is enforced and one not?

[example.com]
table_tls=require
max_message_per_connection=50

[example.com]
table_tls=require
max_message_per_connection=50
recepient_minutes=60
limit_type=host
limit_apply=system
recepient_limit=0

Many thanks

Rem

TLS is enforced in both of those.

Both have a limit on the number of mails per connection it will attempt.

The second one has a limit set on the number of recipients it can send to per 60 minutes, but that limit looks to be zero?

So.. I'd bet that ought to be something higher?

[attachment: destinationControls.PNG]
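As an added example (not Cisco's code and not from anyone in this thread), a small Python parser for the destination-controls export format quoted above: it reads each [domain] section in order, reports whether table_tls forces TLS, and flags the recipient limit of 0 that Ken points out. The sample export is constructed from the thread with two placeholder domains in place of the repeated [example.com], and treating only a value starting with `require` as enforcement is an assumption based on the thread's `table_tls=require`.

```python
from __future__ import annotations
# Constructed sample with the thread's keys and values; two placeholder domains
# replace the poster's repeated [example.com] so the entries stay distinct.
SAMPLE_EXPORT = """
[example.com]
table_tls=require
max_message_per_connection=50

[example.net]
table_tls=require
max_message_per_connection=50
recepient_minutes=60
limit_type=host
limit_apply=system
recepient_limit=0
"""

RECIPIENT_LIMIT_KEYS = ("recipient_limit", "recepient_limit")  # poster's spelling too

def parse_destination_controls(text: str) -> list[tuple[str, dict[str, str]]]:
    """(domain, settings) pairs in file order; duplicate [domain] headers are kept."""
    sections: list[tuple[str, dict[str, str]]] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def tls_required(settings: dict[str, str]) -> bool:
    # Only "require" refuses cleartext; "preferred" falls back to plaintext (assumption: verify variants share the prefix)
    return settings.get("table_tls", "").lower().startswith("require")

def recipient_limit(settings: dict[str, str]) -> int | None:
    for key in RECIPIENT_LIMIT_KEYS:
        if key in settings:
            return int(settings[key])
    return None  # unset: the gateway applies its default

def audit(text: str) -> list[str]:
    """Per-domain findings a mail admin would act on; an empty list means all clear."""
    findings = []
    for domain, settings in parse_destination_controls(text):
        if not tls_required(settings):
            findings.append(f"{domain}: table_tls={settings.get('table_tls', 'unset')}, TLS not enforced")
        if recipient_limit(settings) == 0:  # the value Ken flagged in the thread
            findings.append(f"{domain}: recipient limit is 0, confirm it in the GUI")
    return findings
```

Run `audit()` over the text produced by the gateway's destination-controls export to get the same two checks across every configured domain.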

Thank you so much, Ken. So that means in both cases the emails are enforced both inbound and outbound, right?

Nope, just outbound.
To force inbound, it's harder... you have to configure a mail flow policy sender group to require it.
Sender groups are based on IP. You can put domains in the config, but since so many companies are using other systems to send mail, you have no guarantee that you're forcing all of any specific company's mail to be encrypted.
For example, if Example company is using Office 365, you can't use example.com or .example.com in the config, you have to use whatever MS's servers have... or whatever last hop they're using (Cisco?, Proofpoint? Mimecast?, Secureance?, mailgun? Etc....)
Generally when this has been a requirement, we've had a conversation with the other side to make sure they're requiring mail to go encrypted to us.

Also, can you please explain what the main difference is between the configurations in the two cases?

Top one has it enabled using defaults for the connection and recipient limits.
Top one has its own connection limits.
This is much easier to understand if you use the GUI. It's under Mail Policies/Destination Controls.