Cisco Secure Email Support Community
hashimwajid1
Beginner

Public Certificate for ESA

Hi,

I've seen many installed ESA boxes using the default private Cisco certificate, which are working fine. My question is: in which condition should we use a publicly signed certificate, and for what purpose? Even the inbound and outbound listeners are also using the default private certificate (all are using SMTP port 25 for communication).

Thanks


6 REPLIES
Ken Stieers
Advocate

So... to be "proper" the cert should be a public cert so that the systems you send mail to can verify that they aren't talking to a spoofed box/verify domain ownership, etc.
That SO MANY people use a self-signed/install signed cert means that nobody can set the mail handler to verify email certs without a bunch of extra verification beforehand.
Not much different than opening web sites with a browser... everyone should be using TLS and the browsers should be able to verify the cert and we should be able to trust the CA issued the cert to the legit owner of the company... (yes, I know that's problematic...)
So your public cert on the ESA should match the A/AAAA record that points at the ESA, and the HELO/EHLO that the ESA announces itself as so that if someone IS checking/verifying certs, things all line up.
Ken

Hi Ken,

It means that using a publicly signed certificate is just like adding an additional layer of security for remote MTAs, but even if remote MTAs fail to recognize the default certificate, they will still be able to relay the emails instead of treating the sending ESA as a spoofed box; as you said, if certificate validation fails then they will perform an additional security check and will accept emails (just like DMARC, where we can make policies to allow or reject for invalid SPF/DKIM).

Is this also related to port SMTPS instead of normal SMTP?

What happens when the other end can't validate your cert depends upon their configuration.
For the sites that we actually require encryption on (banks, insurance, lawyers, and healthcare), if we can't verify the certificate, we send the mail back to the user that sent it.

For most of our mail we prefer encryption, but don't validate the cert because we fall back to unencrypted if we can't start a TLS session anyway...

Yes, this all relates to SMTPS/STARTTLS based email transport encryption.
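The two points Ken makes, that the certificate an MTA presents should match the name peers connect to, and that a per-domain policy decides what happens when verification fails (bounce where encryption is mandatory, opportunistic TLS with plaintext fallback elsewhere), can be checked from the sending side. The following is an added example written for this thread, not Cisco ESA code and not posted by anyone in the discussion. The domain list and the `.test` hostnames are constructed; `probe_mx` needs network access and a system CA store, while the matching and policy functions run offline.

```python
"""Sender-side checks for SMTP transport TLS (constructed example, not ESA code):
  - hostname_matches: does the peer cert cover the MX hostname we connected to?
  - delivery_decision: per-domain policy when TLS or verification fails
  - probe_mx: STARTTLS to a real MX and report chain + name verification
"""
import smtplib
import ssl

# Constructed list: domains where encryption is mandatory and an unverifiable
# certificate means the message is returned to the sender, as in the thread.
STRICT_DOMAINS = {"examplebank.test", "examplehealth.test", "examplelaw.test"}


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname matches a dNSName SAN in a cert dict shaped like
    ssl.SSLSocket.getpeercert(); falls back to CN only when no SAN exists.
    Wildcards are honoured only as the entire leftmost label (RFC 6125 style)."""
    hostname = hostname.rstrip(".").lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates without SAN
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v.lower())
    host_labels = hostname.split(".")
    for name in names:
        labels = name.split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" in name:
            # reject "*.com"-style or embedded wildcards such as "m*.example.test"
            if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
                continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def delivery_decision(recipient_domain: str, tls_started: bool,
                      cert_verified: bool, strict_domains=STRICT_DOMAINS) -> str:
    """Return 'deliver-tls', 'deliver-plain' or 'bounce' for one delivery attempt."""
    strict = recipient_domain.lower() in strict_domains
    if tls_started and cert_verified:
        return "deliver-tls"
    if strict:
        return "bounce"          # mandatory-TLS domain: never fall back
    if tls_started:
        return "deliver-tls"     # opportunistic: encrypt even if the cert is unverifiable
    return "deliver-plain"       # opportunistic: no TLS offered, send in clear


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX, STARTTLS, and report whether the chain verifies against
    the system trust store and whether the cert names cover `host`."""
    result = {"host": host, "starttls": False, "chain_verified": False,
              "name_match": False, "error": None}
    ctx = ssl.create_default_context()  # CERT_REQUIRED against the system CA store
    ctx.check_hostname = False          # name matching is reported separately below
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "peer does not offer STARTTLS"
                return result
            smtp.starttls(context=ctx)
            result["starttls"] = True
            result["chain_verified"] = True  # handshake succeeded under CERT_REQUIRED
            result["name_match"] = hostname_matches(smtp.sock.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        result["starttls"] = True           # TLS was negotiated, but the chain failed
        result["error"] = f"chain verification failed: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    mx = sys.argv[1] if len(sys.argv) > 1 else "mx.example.test"  # placeholder host
    r = probe_mx(mx)
    print(r)
    print("policy for examplebank.test:",
          delivery_decision("examplebank.test", r["starttls"],
                            r["chain_verified"] and r["name_match"]))
```

A self-signed installation certificate fails in `probe_mx` with a chain-verification error, which is exactly the case Ken describes: a strict recipient bounces, an opportunistic one still delivers over the unverified TLS session.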

In simple terms, if we are using SMTP then no public certificate is required, and if we are using SMTPS then we need a public CA-signed certificate?

Vinay babu
Beginner

Hi Hashim,

If we use a publicly signed certificate (signed by a CA like DigiCert, GoDaddy etc.), then the external email servers identify that your email server certificate is signed by a trusted CA, which helps to pass the certificate validation of your email server.

If you use the certificate which came with the ESA box (self-signed certificate), then the external email servers fail the certificate validation, and also the IronPort administrator receives a warning message while logging into the IronPort console through a browser, which asks whether to trust the certificate or not.

Hi Vinay,

Yes, we receive the message while logging in to the ESA, but the point is that even if a remote ESA fails to recognize the sending ESA on the basis of its self-signed certificate, they still allow the emails to be carried.