Ironport C380 Sending/Receiving mails Using SSL/TLS

danielbarri
Level 1

We are looking at how to use TLS when sending and receiving mail via Cisco Ironport C380 and have encountered some troubles, which we need help with:


1. Incoming: In order to receive TLS mail we need a certificate and when we generate the request file (via web GUI), we only get them with SHA1 algorithm. How do we get them with SHA256 algorithm?

6 Replies

Libin Varghese
Cisco Employee

Ability to create SHA256 or stronger certificates on the ESA is currently being tracked under the below feature request.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus19887/?reffering_site=dumpcr

However, you can still generate and sign certificates on external servers for SHA256 and then import them on the ESA after it is signed.


Regards,

Libin Varghese

Thanks for your quick reply. Now to the second part of the trouble:


2. Outbound: We've tested putting TLS as preferred in the default outgoing mail profile, but we encounter major issues with mail that should go to recipients using Office 365, which is only added to the outbound queue but never sent. The information we find on the Internet suggests that MS Exchange never sends STARTTLS, which the Ironport seems to be waiting for. Is this a known problem, and how do we solve it?

I'm not aware of any known issues as such with O365.


You should be able to telnet to the destination server IP and confirm whether they offer TLS or not; the same can be done using mxtoolbox.com and checktls.com as well.


Connecting to 104.47.0.33

220 HE1EUR01FT040.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 6 Dec 2017 10:20:33 +0000 [735 ms]

EHLO xyz.com
250-HE1EUR01FT040.mail.protection.outlook.com Hello [64.20.227.134]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING [742 ms]


The 250 STARTTLS header indicates that the server supports TLS.


You can also set up packet captures for the destination IP on the ESA to see what is causing the email delivery failure.


One thing you can check is that you do not have any SMTP inspection feature enabled on the firewall, proxy, etc. between the ESA and the Internet which could be blocking TLS traffic.


Regards,

Libin Varghese

faizan.khan
Level 1

How do we create a Certificate Request for Higher Encryption than SHA1, and then import the certificate into Ironport?


@danielbarri wrote:

We are looking at how to use TLS when sending and receiving mail via Cisco Ironport C380 and have encountered some troubles, which we need help with:


1. Incoming: In order to receive TLS mail we need a certificate and when we generate the request file (via web GUI), we only get them with SHA1 algorithm. How do we get them with SHA256 algorithm?



You can contact your CA to get stronger certs created for you.


Certificates can be imported to the ESA from Network -> Certificates -> Add Certificate -> Import Certificate -> Browse for a PKCS#12 format certificate.


Regards,

Libin Varghese
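Putting the two suggestions above together (generate the request and certificate off the appliance with SHA-256, then import the result as PKCS#12 under Network -> Certificates), here is an added OpenSSL walk-through; it is not from this thread or from Cisco. The hostname, organisation name and export password are placeholders, and the self-signing step only stands in for the CA so the demo runs offline; in practice you replace esa.crt with the certificate your CA returns for the CSR.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): build a SHA-256 CSR off-box,
# then package the signed certificate and key as PKCS#12 for the ESA import.
set -e

ESA_FQDN="${ESA_FQDN:-esa.example.com}"   # placeholder listener hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"          # placeholder export password

# 1. Private key plus a CSR whose signature uses SHA-256 rather than SHA-1.
gen_csr() {
    openssl genrsa -out "$WORKDIR/esa.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/esa.key" \
        -subj "/CN=$ESA_FQDN/O=Example Org" -out "$WORKDIR/esa.csr"
}

# 2. Report the CSR's signature algorithm; check this before sending the
#    request to the CA (a SHA-1 request would print sha1WithRSAEncryption).
csr_sig_alg() {
    openssl req -in "$WORKDIR/esa.csr" -noout -text \
        | awk '/Signature Algorithm/ { print $3; exit }'
}

# 3. Stand-in for the CA: self-sign the CSR so the demo works offline.
#    Replace esa.crt with the certificate your CA actually returns.
sign_demo_cert() {
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/esa.csr" \
        -signkey "$WORKDIR/esa.key" -out "$WORKDIR/esa.crt" 2>/dev/null
}

# 4. Bundle key and certificate into the PKCS#12 file the ESA imports.
#    Add -certfile intermediates.pem when the CA supplies a chain.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$WORKDIR/esa.key" -in "$WORKDIR/esa.crt" \
        -name "$ESA_FQDN" -passout "pass:$P12_PASS" -out "$WORKDIR/esa.p12"
}

# 5. Confirm the bundle opens with the chosen password before uploading it.
p12_readable() {
    openssl pkcs12 -in "$WORKDIR/esa.p12" -passin "pass:$P12_PASS" \
        -nokeys -noout >/dev/null 2>&1
}

gen_csr
echo "CSR signature algorithm: $(csr_sig_alg)"
sign_demo_cert
build_pkcs12
p12_readable && echo "PKCS#12 bundle ready: $WORKDIR/esa.p12"
```

If the appliance rejects a bundle produced by OpenSSL 3, the older PKCS#12 encryption can be selected by adding -legacy to the export step; that is a general OpenSSL compatibility note, not something the thread states about the ESA.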