12-06-2017 01:52 AM - edited 03-08-2019 07:29 PM
We are looking at how to use TLS when sending and receiving mail via Cisco Ironport C380 and have encountered some troubles, which we need help with:
1. Incoming: In order to receive TLS mail we need a certificate, and when we generate the request file (via the web GUI), we only get it with the SHA1 algorithm. How do we get it with the SHA256 algorithm?
12-06-2017 02:00 AM
Ability to create SHA256 or stronger certificates on the ESA is currently being tracked under the below feature request.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus19887/?reffering_site=dumpcr
However, you can still generate and sign certificates on external servers for SHA256 and then import them on the ESA after it is signed.
Regards,
Libin Varghese
12-06-2017 02:09 AM
Thanks for your quick reply. Now to the second part of the trouble:
2. Outbound: We've tested putting TLS as preferred in the default outgoing mail profile, but we encounter major issues with mail that should go to recipients using Office 365, which is only added to the outbound queue but never sent. The information we find on the Internet appears to be that MS Exchange never sends STARTTLS, which IronPort seems to be waiting for. Is this a known problem, and how do we solve it?
12-06-2017 02:24 AM
I'm not aware of any known issues as such with O365.
You should be able to telnet to the destination server IP and confirm whether they offer TLS or not; the same can be done using mxtoolbox.com and checktls.com as well.
Connecting to 104.47.0.33
220 HE1EUR01FT040.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 6 Dec 2017 10:20:33 +0000 [735 ms]
EHLO xyz.com
250-HE1EUR01FT040.mail.protection.outlook.com Hello [64.20.227.134]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING [742 ms]
The 250 STARTTLS header indicates that the server supports TLS.
You can also set up packet captures for the destination IP on the ESA to see what is causing the email delivery failure.
One thing you can check is that you do not have any SMTP inspection feature enabled on the firewall, proxy, etc between the ESA and internet which could be blocking TLS traffic.
Regards,
Libin Varghese
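The manual telnet check above can be scripted so it is repeatable and so the STARTTLS handshake itself (not just the advertisement) is exercised. The following is an added example and not part of Libin's reply or of Cisco's tooling. It assumes OpenSSL 1.1.1 or later and the coreutils `timeout` command are installed on the host you run it from; the first transcript is the EHLO response quoted in the post above, and the second is a constructed response standing in for what a middlebox with SMTP inspection can return when it strips or masks the STARTTLS keyword (an assumption about such inspection, not something captured from this poster's network).

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a mail server
# advertises STARTTLS and, optionally, whether the TLS negotiation succeeds.

# Constructed from the EHLO response in the post above; the trailing
# "[742 ms]" is the timing note the poster's telnet client appended.
EHLO_TRANSCRIPT='250-HE1EUR01FT040.mail.protection.outlook.com Hello [64.20.227.134]
250-SIZE 49283072
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250 CHUNKING [742 ms]'

# Constructed (assumption): what an SMTP-inspecting firewall between the ESA
# and the Internet can leave you with when it masks the STARTTLS keyword.
MASKED_TRANSCRIPT='250-mail.example.net Hello [203.0.113.10]
250-SIZE 10240000
250-XXXXXXXX
250 8BITMIME'

# Print the EHLO extension keywords (one per line) from a saved response.
# Line 1 of a 250 reply is the greeting, not an extension, so it is skipped.
ehlo_extensions() {
    printf '%s\n' "$1" | awk '
        /^250[- ]/ {
            sub(/^250[- ]/, "")              # drop the reply code and separator
            sub(/ *\[[0-9]+ ms\]$/, "")      # drop a telnet client timing note
            if (NR > 1) print
        }'
}

# Exit 0 if the response advertises STARTTLS (keywords are case-insensitive).
ehlo_offers_starttls() {
    ehlo_extensions "$1" | grep -qi '^STARTTLS$'
}

# Live probe: negotiate STARTTLS with openssl s_client and report the
# protocol, cipher, peer certificate and chain verification result.
# $1 = server FQDN or IP (e.g. one of the MX hosts), $2 = port, default 25.
# If the server never offers STARTTLS, s_client reports
# "Didn't find STARTTLS in server response", which is kept in the output.
starttls_probe() {
    host=$1; port=${2:-25}
    printf 'QUIT\r\n' | timeout 20 openssl s_client -starttls smtp \
        -connect "$host:$port" 2>&1 \
        | grep -E -e '^ *(Protocol|Cipher) *:' -e '^Verify return code' \
                  -e '^subject=' -e '^issuer=' -e "Didn't find STARTTLS"
}

# Usage (network required, so not exercised by the offline checks):
#   starttls_probe 104.47.0.33
```

Run the probe from the same network segment as the ESA: a clean result from a laptop on a different path while the ESA still queues the mail points at something in between (the SMTP inspection Libin mentions), whereas a "Didn't find STARTTLS" result from both places means the remote side really is not offering it.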
01-10-2018 06:53 AM
How do we create a Certificate Request for Higher Encryption than SHA1, and then import the certificate into Ironport?
@danielbarri wrote:
We are looking at how to use TLS when sending and receiving mail via Cisco Ironport C380 and have encountered some troubles, which we need help with:
1. Incoming: In order to receive TLS mail we need a certificate and when we generate the request file (via web GUI), we only get them with SHA1 algorithm. How do we get them with SHA256 algorithm?
01-10-2018 06:57 AM
You can contact your CA to get stronger certs created for you.
Certificates can be imported to the ESA from Network -> Certificates -> Add Certificate -> Import Certificate -> Browse for a PKCS#12 format certificate.
Regards,
Libin Varghese
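Since the ESA GUI only produces SHA1 requests, the workaround Libin describes is to make the CSR elsewhere and import the signed result as PKCS#12. The following is an added example of that flow with OpenSSL; it is not Cisco's procedure and not code from this thread. It assumes OpenSSL 1.1.1 or later, uses `mail.example.com` and the file names as placeholders, and includes a self-signing step only so the flow can be run end to end offline: in practice the certificate your CA returns for the CSR replaces that step. The PKCS#12 encryption options are chosen on the assumption that an appliance on an older AsyncOS release may not accept the AES/PBKDF2 defaults of OpenSSL 3; if your ESA imports the default bundle, you can drop them.

```shell
#!/bin/sh
# Added example, not Cisco's code. Generate a SHA-256 CSR off-box, confirm
# the signature algorithm, and bundle the signed certificate as PKCS#12 for
# Network -> Certificates -> Add Certificate -> Import Certificate.

# Create a 2048-bit RSA key and a SHA-256 signed CSR with a SAN.
# $1 = working directory, $2 = FQDN the mail peers connect to (placeholder).
make_csr() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/esa.key" 2>/dev/null
    chmod 600 "$dir/esa.key"            # the private key never leaves this box unencrypted
    openssl req -new -key "$dir/esa.key" -sha256 \
        -subj "/C=US/O=Example Corp/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -out "$dir/esa.csr"
}

# Print the CSR's signature algorithm, e.g. sha256WithRSAEncryption.
# Check this before sending the request to the CA.
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Offline stand-in for the CA (assumption: your CA returns esa.crt and the
# intermediate chain for the CSR; do not self-sign a production MTA cert).
demo_selfsign() {
    openssl x509 -req -in "$1/esa.csr" -signkey "$1/esa.key" \
        -days 30 -sha256 -out "$1/esa.crt" 2>/dev/null
}

# Package key + signed cert (+ chain, if given) as PKCS#12 for the ESA import.
# $1 = working directory, $2 = signed certificate PEM, $3 = export password,
# $4 = optional intermediate chain PEM.
# PBE-SHA1-3DES / SHA-1 MAC is the older PKCS#12 encryption (assumption:
# older AsyncOS releases may reject OpenSSL 3's AES/PBKDF2 defaults).
bundle_p12() {
    dir=$1; cert=$2; pass=$3; chain=$4
    if [ -n "$chain" ]; then extra="-certfile $chain"; else extra=""; fi
    openssl pkcs12 -export -inkey "$dir/esa.key" -in "$cert" $extra \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$pass" -out "$dir/esa.p12"
}

# Count the certificates inside a PKCS#12 bundle (leaf plus chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Usage:
#   make_csr ./esa-tls mail.example.com
#   csr_sig_alg ./esa-tls/esa.csr          # expect sha256WithRSAEncryption
#   (send esa.csr to the CA, save the returned cert as esa.crt and chain as chain.pem)
#   bundle_p12 ./esa-tls ./esa-tls/esa.crt 'S3cret-import-pw' ./esa-tls/chain.pem
```

Include the CA's intermediate certificates in the bundle: the ESA presents whatever is in the PKCS#12, and a peer that does strict chain validation will reject a leaf-only presentation even though the SHA-256 signature itself is fine.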