
New Capabilities to Protect Your Users with Cisco Secure Email - AMA

Community Manager


Ask Me Anything Forum

This event is a chance to review how customers of all sizes face the same daunting challenge: email is simultaneously the most important business communication tool and the leading attack vector for security breaches. Cisco Secure Email enables users to communicate securely and helps organizations combat Business Email Compromise (BEC), ransomware, advanced malware, phishing, spam, and data loss with a multilayered approach to security.

To participate in this event, please use the Reply button below to ask your questions.

Ask questions from Monday, February 1 to Friday, February 12, 2021

Featured Experts

Dennis McCabe Jr is a Technical Consulting Engineer at the Cisco Global Technical Assistance Center (TAC) for Content Security Email. With more than five years of experience and a broad scope of knowledge relating to Cloud Email Security (CES) and the Email Security Appliance (ESA), Dennis holds certifications including Cisco’s Certified Specialist with Email Security and an MCITP concentrating on Microsoft Exchange. He holds a CCNA Security certification.

Erica Parker is an experienced Technical Consulting Engineer with a demonstrated history of working in the computer networking and cybersecurity industry. With a Bachelor's degree focused in Computer Systems Networking and Telecommunications from Rochester Institute of Technology, she is skilled in Email Security, Software Deployment, and Security Penetration testing, with a passion for biomedical sciences. She holds two certifications, CCNA R&S and Security.

**Helpful votes encourage participation!**
Please be sure to rate the Answers to your Questions

Do you know you can get answers before opening a TAC case by visiting the Cisco Community?
For more information, visit the Email Security category. To find further Cisco Community events: Click here.


Hi Erica and Dennis,

Can you group two or more ESAs together to form a cluster?




You can certainly group multiple ESAs together to form a cluster; however, the one caveat to keep in mind is that the cluster functionality within AsyncOS does not have any type of built-in HA/DR capabilities. The only thing that the cluster is used for is sharing the configuration across multiple devices. Steps for forming and joining a cluster can be found here. From the CLI, you'll want to use clusterconfig > Create a new cluster to form a new cluster, and then clusterconfig > Join an existing cluster over SSH on other ESAs once the cluster has been formed.



-Dennis M.

Aka "cluster" is a really poor name for "multi-layer configuration replication"

Level 1

Hi there,

By any chance do you have any best practice recommendations when setting up service "X"?




In general, the best practice settings are always going to be what comes configured by default on the ESA. Of course, the default settings may need to be tweaked depending on your company policies, and Cisco TAC is always available to help guide you through any changes.


Here are some of the available recommendations outside of the default configuration:

  • For CES/On-prem: Best Practices section here
  • For CES: here



-Dennis M.

Community Manager

A question regarding encryption? We can help!

Find the following question from rolelael:

Question about local users and encryption mechanism of password (ESA)

Does anyone know which encryption mechanism is being used to store the passwords for local users?

I got a question from audit about it. They need to know how the password is stored in the config etc. and with how many bits/hash it has been encrypted.


Thanks for your question Rolelael,


The passwords are stored with the same algorithm internally as they are stored within an exported configuration file with passwords unmasked. The method used is the UNIX crypt function.

You can determine which algorithm a given password is stored in by looking at the '$x$' at the beginning of the password. For example:

  • $1$ = MD5
  • $3$ = NT Hash
  • $5$ = SHA-256


I hope that helps!
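
For an audit response, the prefix check described above can be scripted. The following is an added example, not part of the original reply and not Cisco code: it parses modular crypt strings and reports scheme, digest size, rounds and salting. The `$6$` entry, the default round counts and all sample values are additions or constructed here, and the sample layout is not the ESA export format.

```python
import re

# $1$, $3$ and $5$ come from the answer above; $6$ is a further well-known
# crypt(3) identifier added for completeness.
# id -> (scheme, digest bits, fixed/default rounds, needs review)
SCHEMES = {
    "1": ("MD5-crypt", 128, 1000, True),
    "3": ("NT hash", 128, 1, True),        # unsalted, single MD4 pass
    "5": ("SHA-256-crypt", 256, 5000, False),
    "6": ("SHA-512-crypt", 512, 5000, False),
}

# Modular crypt format: $id$[rounds=N$]salt$digest
MCF = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]*)\$(?P<digest>[^$]+)$"
)

def classify(stored):
    """Describe one stored password string by its $x$ prefix."""
    m = MCF.match(stored.strip())
    if not m or m["id"] not in SCHEMES:
        # No recognised prefix (legacy DES crypt, masked value, ...): review it.
        return {"scheme": None, "bits": None, "rounds": None,
                "salted": None, "review": True}
    name, bits, default_rounds, review = SCHEMES[m["id"]]
    rounds = int(m["rounds"]) if m["rounds"] else default_rounds
    return {"scheme": name, "bits": bits, "rounds": rounds,
            "salted": bool(m["salt"]), "review": review}

def audit(entries):
    """Return (user, scheme) pairs whose storage needs follow-up."""
    results = ((user, classify(h)) for user, h in entries.items())
    return [(user, r["scheme"]) for user, r in results if r["review"]]

# Constructed sample values: not real hashes, not ESA's export layout.
SAMPLE = {
    "admin":    "$5$rounds=10000$c0nstructedsalt$" + "B" * 43,
    "operator": "$1$c0nstruc$" + "A" * 22,
    "helpdesk": "$3$$" + "0123456789abcdef" * 2,
    "legacy":   "ZZ" + "x" * 11,
}

if __name__ == "__main__":
    for user, h in SAMPLE.items():
        print(user, classify(h))
    print("follow up:", audit(SAMPLE))
```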



Community Manager

And a new question from pgiouvanellis:

Cisco SMA 13.0.0-392 - Disable weak Ciphers

Hello Team,

We are trying to disable all weak ciphers on the GUI of the SMA EUQ. Until now we have managed to disable some of them, but we are not able to disable all the weak ciphers.

I attached a print screen of the weak ciphers.

In the SMA configuration we have, until now, the config below:


What do we need to do to disable all the other weak ciphers?

Can anyone help me?

Thank You,




You could attempt to change the cipher string to something like the following:




Though, ideally, you would be testing this on a lab box prior to making any changes as it could potentially impact GUI access. 


I am not aware of there being a way to strictly remove all CBC related ciphers, so, you will need to make some additional modifications and continue testing until you find your desired results. Essentially, you would keep adding other cipher types by including a !<cipher> at the end of the string. 


You can also find more information concerning the cipher list format here



-Dennis M.
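
The "keep adding `!<cipher>` and retest" loop described in the reply can be rehearsed offline before touching the appliance. The following is an added example, not part of the original reply and not Cisco code: it expands an OpenSSL cipher string with Python's `ssl` module and appends exclusions until no non-AEAD suite (CBC, plus RC4/NULL where enabled) remains. It assumes the local OpenSSL build behaves like the SMA's, which still has to be confirmed on a lab box; `BASE` is a constructed starting string, not the one from the thread.

```python
import ssl

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def non_aead(cipher_string):
    """Names of the suites in the expansion that are not AEAD.

    For TLS 1.2 and below these are the CBC-mode suites, plus any
    RC4/NULL suites the string still allows.
    """
    return sorted(c["name"] for c in expand(cipher_string) if not c["aead"])

def tighten(cipher_string, max_passes=5):
    """Append :!<suite> for each non-AEAD suite until none remain."""
    current = cipher_string
    for _ in range(max_passes):
        leftovers = non_aead(current)
        if not leftovers:
            return current
        current += "".join(":!" + name for name in leftovers)
    raise RuntimeError("non-AEAD suites still present: %s" % non_aead(current))

# Constructed starting point, not the cipher string from the thread.
BASE = "HIGH:!aNULL:!MD5"

if __name__ == "__main__":
    print("before:", non_aead(BASE))
    hardened = tighten(BASE)
    print("string:", hardened)
    print("after: ", non_aead(hardened))
    print("kept:  ", [c["name"] for c in expand(hardened)])
```

Review the "kept" list as well as the removals: if it no longer contains a suite the administrators' browsers support, GUI access is lost.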