Public Certificate for ESA

hashimwajid1
Level 3

Hi,

I've seen many installed ESA boxes using the default private Cisco certificate, and they are working fine. My question is: under which conditions should we use a publicly signed certificate, and for what purpose? Even the inbound and outbound listeners are using the default private certificate (all are using SMTP port 25 for communication).

Thanks


So... to be "proper" the cert should be a public cert so that the systems you send mail to can verify that they aren't talking to a spoofed box, verify domain ownership, etc.
That SO MANY people use a self-signed/install-signed cert means that nobody can set the mail handler to verify email certs without a bunch of extra verification beforehand.
Not much different than opening web sites with a browser... everyone should be using TLS, the browsers should be able to verify the cert, and we should be able to trust that the CA issued the cert to the legit owner of the company... (yes, I know that's problematic...)
So your public cert on the ESA should match the A/AAAA record that points at the ESA, and the HELO/EHLO name that the ESA announces itself as, so that if someone IS checking/verifying certs, things all line up.
Ken

Hi Ken,

Does that mean that using a publicly signed certificate is just like adding an additional layer of security for remote MTAs, but even if the remote MTAs fail to recognize the default certificate they will still be able to relay the emails instead of treating the sending ESA as a spoofed box? As you said, if certificate validation fails they will perform an additional security check and accept the emails (just like DMARC, where we can make policies to allow or reject for invalid SPF/DKIM).

Is this also related to port SMTPS instead of normal SMTP?

What happens when the other end can't validate your cert depends upon their configuration.
For the sites that we actually require encryption on (banks, insurance, lawyers, and healthcare), if we can't verify the certificate, we send the mail back to the user that sent it.

For most of our mail we prefer encryption, but don't validate the cert because we fall back to unencrypted if we can't start a TLS session anyway...

Yes, this all relates to SMTPS/STARTTLS-based email transport encryption.
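
An added example (not from this thread, Cisco, or the ESA itself) that puts Ken's two points into code: the receiving side checks that the sender's certificate covers the names it expects (A/AAAA target, EHLO name, MX name), and a per-domain policy decides between verified TLS, opportunistic TLS and a bounce. The domain list and the certificate dictionary are constructed for the example; the live probe function needs network access and uses only the standard library.

```python
import ssl
import smtplib

# Sample list of domains for which we require verified TLS (constructed for
# this example; Ken's post names categories such as banks and healthcare).
REQUIRE_VERIFIED_TLS = {"examplebank.test", "examplehealth.test"}

# Constructed peer certificate in the layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.example.test"),),),
    "subjectAltName": (("DNS", "mx1.example.test"), ("DNS", "*.relay.example.test")),
}

def san_dns_names(cert):
    """DNS entries of the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(cert, hostname):
    """True if hostname matches a SAN entry; '*' may replace only the leftmost label."""
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names(cert):
        p = pattern.lower()
        if p == host:
            return True
        if p.startswith("*.") and "." in host and host.split(".", 1)[1] == p[2:]:
            return True
    return False

def unmatched_names(cert, expected_names):
    """Names (A/AAAA record target, EHLO name, MX name) that the cert does not cover."""
    return [n for n in expected_names if not name_matches(cert, n)]

def delivery_decision(recipient_domain, tls_started, cert_verified):
    """Ken's policy: sensitive domains need verified TLS or the mail bounces;
    everything else gets opportunistic TLS with a plaintext fallback."""
    if recipient_domain in REQUIRE_VERIFIED_TLS:
        return "deliver" if tls_started and cert_verified else "bounce"
    return "deliver-tls" if tls_started else "deliver-plaintext"

def probe_mx(mx_host, ehlo_name, port=25, timeout=10):
    """Live STARTTLS probe with CA and hostname verification (needs network access).
    Returns (verified, peer_cert); peer_cert is None when verification fails."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on mx_host
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo(ehlo_name)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError:
            return False, None  # self-signed or mismatched: a verifying peer stops here
        return True, smtp.sock.getpeercert()
```

Running `probe_mx` against an ESA that still presents the default self-signed certificate returns `(False, None)`, which is exactly the outcome a verifying receiver sees before it decides to fall back or bounce.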

In simple terms: if we are using SMTP then no public certificate is required, and if we are using SMTPS then we need a public CA-signed certificate?

 

Vinay babu
Level 1

Hi Hashim,

If we use a publicly signed certificate (signed by a CA like DigiCert, GoDaddy, etc.), then the external email servers identify that your email server certificate is signed by a trusted CA, which helps to pass the certificate validation of your email server.

If you use the certificate which came with the ESA box (a self-signed certificate), then the external email servers fail the certificate validation, and also the IronPort administrator receives a warning message while logging into the IronPort console through a browser, which asks whether to trust the certificate or not.

Hi Vinay,

Yes, we receive the message while logging in to the ESA, but the point is that even if the remote ESA fails to recognize the sending ESA on the basis of the self-signed certificate, it still allows the emails to be carried.