ESA TLS configuration between 2 mail relays

nwsprojekte
Level 1

Hello,

I want to configure TLS communication between a Cisco ESA (Email Security Appliance) and another mail relay. I found only a way to configure the encryption to/from a domain. But I have to configure the TLS connection between the IP address of the ESA and the IP address of the other relay, because a domain restriction is not possible. All other mails which are not addressed to this mail relay have to be sent unencrypted.

Accepted Solution

Doug Maxfield
Level 1

Under Mail Policies, Destination Controls, you can add a Destination to enforce TLS.  Select Add Destination, type in the Domain name and on TLS Support, change it from "Default (Preferred)" to "Required".  This will require that TLS is available on the remote side or the email will queue on your ESA until TLS is available on the remote side.

Doug


3 Replies

Thank you. That's clear. But I can't enter a domain name; I have to enter the IP address or hostname of the partner mail relay. Background: all mails are received under one domain name on the ESA. An LDAP request determines whether the received mail will be transported to the internal Exchange system or to an external relay. And the transport to this external relay has to be encrypted via TLS.

Outbound TLS controls = Destination Controls

  • You enter the destination Domain - or .domain to include sub-domains.
  • The SMTPRoutes (or public DNS) will determine the host these are delivered to.

Inbound TLS = HAT > Sender Group > Mail Flow Policy

  • Create a Sender Group for the IPs/Range that you expect to receive the emails from
  • Create and apply a Mail Flow Policy named RequiredTLS. Within the Mail Flow Policy, match your normal Mail Flow Policy, then look for TLS and set it to Required, and then adjust any other parameters; for example, you may not bother performing SBRS and Anti-Spam checks on these incoming hosts. Also, ensure you apply the correct Accept (only sending to your local domain users) or Relay behaviour (potentially relaying out to your customers), noting that Accept = Inbound policies and Relay = Outbound policies.

With these you can secure Required TLS outbound routing (via Domains) and Required TLS for inbound routing (via IPs).
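As an added example (not from this thread or from Cisco), a small Python probe to confirm that the partner relay actually advertises STARTTLS and presents a certificate that validates before the Destination Control is switched to Required; as Doug notes above, mail otherwise queues on the ESA. The hostname `relay.partner.example` and the EHLO reply lines are constructed sample values, and `expected_delivery` only models the Preferred/Required behaviour described in the thread, not the ESA's internal logic.

```python
import smtplib
import ssl
import sys


def parse_ehlo_extensions(reply_lines):
    """Map lower-cased SMTP extension keywords to their parameters from raw EHLO reply lines.
    The first reply line carries the server's hostname and is skipped."""
    exts = {}
    for line in reply_lines[1:]:
        body = line[4:]  # drop the "250-" / "250 " reply-code prefix
        keyword, _, params = body.strip().partition(" ")
        exts[keyword.lower()] = params
    return exts


def expected_delivery(tls_policy, starttls_offered):
    """Model of the Destination Control outcomes described in the thread (assumption, not ESA code)."""
    if starttls_offered:
        return "deliver over TLS"
    if tls_policy.lower() == "required":
        return "queue until TLS available"
    return "deliver in clear"


def probe_relay(host, port=25, timeout=10):
    """Connect to the partner relay, check for STARTTLS and, if offered, negotiate it with
    certificate and hostname verification; return what was learned without sending mail."""
    result = {"starttls": False, "cert_subject": None, "error": None}
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ctx)
                cert = smtp.sock.getpeercert()
                result["cert_subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed hostname; pass the real partner relay on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "relay.partner.example"
    found = probe_relay(target)
    print(found)
    print("Required TLS would:", expected_delivery("required", found["starttls"]))
```

Run it from a host that can reach the partner relay on port 25; a `cert_subject` of `None` with `starttls` true means the certificate did not validate, which is worth resolving before enforcing Required.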