07-28-2021 08:32 AM
Hi,
I've seen many installed ESA boxes using the default private Cisco certificate, which are working fine. My question is: in which condition should we use a publicly signed certificate, and for what purpose? Even the inbound and outbound listeners are also using the default private certificate (all are using SMTP port 25 for communication).
Thanks
07-28-2021 09:04 AM
Hi Hashim,
If we use a publicly signed certificate (signed by a CA like DigiCert, GoDaddy, etc.), then the external email servers identify that your email server certificate is signed by a trusted CA, which helps to pass the certificate validation of your email server.
If you use the certificate which came with the ESA box (a self-signed certificate), then the external email servers fail the certificate validation, and also the IronPort administrator receives a warning message while logging into the IronPort console through a browser, which will ask whether to trust the certificate or not.
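The difference described in this answer can be reproduced locally. The following is an added example, not part of the thread or Cisco's own tooling: it builds a private root CA standing in for a public CA, issues a certificate for the ESA listener from that CA, builds a second self-signed certificate with the same name (like the factory default), and runs the same chain check a verifying remote MTA performs. It assumes the openssl command-line tool is installed; the hostname esa.example.test and the CA name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): show why a CA-signed certificate passes
# chain validation while an appliance's factory self-signed one does not.
# Assumes the openssl CLI. All names below are constructed placeholders.
set -e

WORK="$(mktemp -d)"
ESA_HOST="esa.example.test"   # constructed listener hostname

# 1. A private root CA, standing in for a public CA such as DigiCert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Root CA (constructed)" >/dev/null 2>&1

# 2. A certificate for the ESA listener, signed by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/signed.key" -out "$WORK/signed.csr" \
  -subj "/CN=$ESA_HOST" >/dev/null 2>&1
openssl x509 -req -sha256 -days 365 -in "$WORK/signed.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/signed.pem" >/dev/null 2>&1

# 3. A self-signed certificate with the same name, like the factory default.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" \
  -subj "/CN=$ESA_HOST" >/dev/null 2>&1

# verify_cert <cert> <trust-store>: prints "pass" or "fail", the outcome a
# remote MTA that verifies certificates against its CA bundle would reach.
verify_cert() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo pass
  else
    echo fail
  fi
}

SIGNED_RESULT="$(verify_cert "$WORK/signed.pem" "$WORK/ca.pem")"
SELF_RESULT="$(verify_cert "$WORK/self.pem" "$WORK/ca.pem")"
echo "CA-signed certificate:   $SIGNED_RESULT"   # pass
echo "self-signed certificate: $SELF_RESULT"     # fail

rm -rf "$WORK"
```

The self-signed certificate fails only because the verifier's trust store does not contain it; a remote MTA in opportunistic (preferred) TLS mode ignores that failure and still delivers, while one configured to require a verified certificate defers or rejects. To see what a peer actually receives from your own listener, the usual check is `openssl s_client -starttls smtp -connect <listener>:25`, which prints the presented chain and the verify result.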
07-28-2021 09:27 AM
Hi Ken,
It means that using a publicly signed certificate is just like adding an additional layer of security for remote MTAs, but even if remote MTAs fail to recognize the default certificate, they will still be able to relay the emails instead of treating the sending ESA as a spoofed box. As you said, if certificate validation fails then they will do an additional security check and will accept emails (just like DMARC, where we can make policies to allow or reject for invalid SPF/DKIM).
Is this also related to port SMTPS instead of normal SMTP?
07-28-2021 11:06 AM
In simple terms: if we are using SMTP then no public certificate is required, and if we are using SMTPS then we need a public CA-signed certificate?
07-28-2021 09:29 AM
Hi Vinay,
Yes, we receive the message while logging in to the ESA, but the point is that even if the remote ESA fails to recognize the sending ESA on the basis of the self-signed certificate, they still allow the emails to be carried.