Ironport TLS

gopa-doerr
Level 1
Dear all, we have a pair of Ironport C170, clustered. OS is 8.0.1-023. I have a wildcard certificate (Globalsign) installed, have chosen the certificate in the incoming and outgoing listener, have enabled TLS (preferred, not verify) for both incoming and outgoing mail policies, but no effect: mails are unencrypted. Any suggestions where I can start troubleshooting? Are there logs where I can see what it did (or did not)? Best, Markus
2 Replies

Some TLS stuff ends up as entries in your mail logs (System Administration/Log Subscriptions, click on "mail_logs/" in the middle column).

You can also see stats under Monitor/TLS Connections.

To dig in you need to create a new log subscription, using the "SMTP conversation log" type, and then send some mail. (It gets verbose, so you'll want to remove it when you're done.)

That should show you why you're having issues.

Mathew Huynh
Cisco Employee

If this issue is still occurring, I would suggest the following troubleshooting steps.

If inbound TLS traffic (i.e. external servers connecting to IronPort for delivery of inbound emails) is coming in unencrypted:

Check the message tracking of some incoming emails and review which sender group these connections are matching, e.g. UNKNOWNLIST, ALL, SUSPECTLIST etc.

Look at the respective mail flow policies for these sender groups.

GUI > Mail Policies > HAT Overview > Here you can see which mail flow policy a sender group uses.

Click into the respective Mail Flow Policy.

Scroll down to Security Features.

Ensure TLS is set to Preferred here.

Submit, commit changes.

To ensure outgoing connections use TLS preferred encryption:

GUI > Mail Policies > Destination Controls

Default -> Set TLS to Preferred.
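The mail_logs entries the first reply points at can be tallied per connection and per sender group, which is exactly the check the second reply walks through (which sender group a connection hit, and whether that group's mail flow policy actually negotiated TLS). This is an added example, not code from this thread or from Cisco; the log lines are constructed in the style of AsyncOS mail_logs and their exact wording is an assumption, so compare the patterns against a real mail_logs export before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample in the style of AsyncOS mail_logs; exact wording is assumed, verify against your own log.
SAMPLE_MAIL_LOGS = """\
Mon Aug 13 10:24:10 2012 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 198.51.100.5 reverse dns host mx.example.net verified yes
Mon Aug 13 10:24:10 2012 Info: ICID 101 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Mon Aug 13 10:24:11 2012 Info: ICID 101 TLS success protocol TLSv1 cipher AES256-SHA
Mon Aug 13 10:25:02 2012 Info: New SMTP ICID 102 interface Data1 (192.0.2.10) address 203.0.113.7 reverse dns host unknown verified no
Mon Aug 13 10:25:02 2012 Info: ICID 102 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Mon Aug 13 10:26:30 2012 Info: New SMTP ICID 103 interface Data1 (192.0.2.10) address 198.51.100.9 reverse dns host mail.example.org verified yes
Mon Aug 13 10:26:30 2012 Info: ICID 103 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Mon Aug 13 10:26:31 2012 Info: ICID 103 TLS failed: (336109761, 'error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher')
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) .* address (\S+)")
SG_MATCH = re.compile(r"ICID (\d+) ACCEPT SG (\S+)")
TLS_OK = re.compile(r"ICID (\d+) TLS success protocol (\S+) cipher (\S+)")
TLS_FAIL = re.compile(r"ICID (\d+) TLS failed:?\s*(.*)")

def _conn(peer=None):
    # "none" = no TLS line seen for this ICID, i.e. the session stayed in the clear
    return {"peer": peer, "sendergroup": None, "tls": "none", "detail": ""}

def tls_by_connection(log_text):
    """Map each inbound connection (ICID) to its peer, sender group and TLS outcome."""
    conns = {}
    for line in log_text.splitlines():
        if m := NEW_ICID.search(line):
            conns[m[1]] = _conn(m[2])
        elif m := SG_MATCH.search(line):
            conns.setdefault(m[1], _conn())["sendergroup"] = m[2]  # log may start mid-session
        elif m := TLS_OK.search(line):
            conns.setdefault(m[1], _conn()).update(tls="success", detail=f"{m[2]} {m[3]}")
        elif m := TLS_FAIL.search(line):
            conns.setdefault(m[1], _conn()).update(tls="failed", detail=m[2])
    return conns

def tls_summary_by_sendergroup(conns):
    """Tally outcomes per sender group; a group that is all "none" points at the mail flow policy to check."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0, "none": 0})
    for c in conns.values():
        summary[c["sendergroup"] or "UNMATCHED"][c["tls"]] += 1
    return dict(summary)

if __name__ == "__main__":
    conns = tls_by_connection(SAMPLE_MAIL_LOGS)
    for icid, c in sorted(conns.items()):
        print(f"ICID {icid} from {c['peer']}: SG={c['sendergroup']} TLS={c['tls']} {c['detail']}")
    print(tls_summary_by_sendergroup(conns))
```

A "failed" entry with "no shared cipher" or a certificate error is a listener or cipher configuration problem, whereas a sender group that only ever shows "none" means the peer was never offered or never used STARTTLS, which is what the HAT mail flow policy setting controls.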