Cisco Secure Email Support Community

Setting up TLS

Hi.

We have 2 C350, and would like to set up TLS. I have found the document "Encrypting SMTP Conversations Using TLS".

My question is, should I use 2 certificates or just 1?

Best regards
Thorsten

9 Replies
kyerramr
Beginner

For SMTP over TLS you would require one cert only, and this would be validated by remote MTAs for incoming traffic at your end.

-Kishore


Hi Kishore.

So the procedure is
1. Obtain a certificate
2. Install the certificate on Ironport1
3. Install the certificate on Ironport2

And then we are up and running?

kyerramr
Beginner

This could be a useful article in setting up TLS for receiving and delivery once you have completed the above steps.

http://tinyurl.com/g6c3m

In regard to using 1 or 2 certs: if these two C350s are going to sit behind a load balancer and there is only one PTR record, then you would apply 1 cert on both the appliances.

If they would have different PTR records, then you might need 2 different certs. However, if you plan to use a wildcard cert, it makes things easier to just have one cert.

-Kishore

robertrenner
Beginner

Hi,

That still applies if I have two A records with the IPs of my IronPorts behind my MX, right? [...] Both are using their hostnames in the SMTP banner, so the cert should point to each hostname? Please correct me if I'm on the wrong track :roll:

best regards,
rob

kyerramr
Beginner

Yes, this is correct, since there would be two different hostname PTR records for these appliances. You might want to use one cert on each, or get a wildcard cert, or get a cert with two subject names (one for each hostname).

Hope this helps!

Cheers,
Kishore
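The three options Kishore lists (one cert per appliance, a wildcard cert, or one cert carrying both hostnames as subject names) all come down to the same question: does a name on the certificate match the hostname each appliance presents in its SMTP banner? The following is an added example, not code from the thread or from Cisco, that applies the usual hostname-matching rules to a list of certificate names and a list of appliance hostnames. The hostnames, the certificate names and the option labels are constructed placeholders; in practice you would take the names from the certificate's Subject and subjectAltName fields (for example via `openssl x509 -in cert.pem -noout -text`).

```python
# Added example (not from the thread or from Cisco): decide whether one
# certificate covers the hostnames two appliances present.  Inputs are the
# names read from a certificate's Subject / subjectAltName entries and the
# hostnames each appliance uses in its SMTP banner and PTR record.


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style name matching as most MTAs apply it.

    Exact match is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only when it is the entire leftmost label ("*.example.com");
    it matches exactly one label, so it covers mx1.example.com but neither
    example.com nor a.mx1.example.com.  Partial-label wildcards such as
    "mx*.example.com" are rejected, the conservative choice modern clients make.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    first, _, rest = cert_name.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def uncovered_hosts(hosts, cert_names):
    """Return the appliance hostnames that no name on the certificate matches."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed sample: the two IronPorts from the thread, each answering under
# its own hostname, and the three certificate options discussed above.
APPLIANCE_HOSTS = ["ironport1.example.com", "ironport2.example.com"]

CERT_OPTIONS = {
    "single-name cert (issued for ironport1 only)": ["ironport1.example.com"],
    "wildcard cert": ["*.example.com"],
    "SAN cert with both names": ["ironport1.example.com", "ironport2.example.com"],
}


def report(hosts=APPLIANCE_HOSTS, options=CERT_OPTIONS):
    """Map each certificate option to the hosts it would leave with a name mismatch."""
    return {label: uncovered_hosts(hosts, names) for label, names in options.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        status = "OK on both" if not missing else "name mismatch on " + ", ".join(missing)
        print(f"{label:45s} -> {status}")
```

A host that shows up as uncovered is one where a remote MTA doing strict certificate verification would see a name mismatch; it is exactly the case where a second cert, a wildcard, or an additional subject name is needed.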

robertrenner
Beginner

yes,

thanks a lot :)

steven_geerts
Beginner

Please be careful! Trusting TLS as a full-blown encryption solution might not be correct.

TLS is always a point-to-point encryption. This is OK as long as you are sure that the remote server is also in a protected environment. But.... if the system you are communicating with is for instance MessageLabs, you have no control over the encryption between MessageLabs and the final recipient. This means you have nicely secured your communication with MessageLabs, but your message contents can still be sniffed once the message has left MessageLabs. Of course this is the case with every externally hosted mail relay (if your provider delivers you backup MX services you might have the same issue).

If you want to be sure only the intended recipient can decode the message you must use some other (more expensive and complex) encryption mechanisms.

I'm not saying TLS is useless, but its added value should be considered "limited".

Steven

kyerramr
Beginner

With some hosted vendors, they can check to see if a message was transmitted via a TLS tunnel; if so, they can automatically deliver the message via a TLS tunnel to the recipient MTA. However, I believe this needs to be configured and set up with your hosted service if you plan to use this method.

Agreed that TLS is not a full encryption solution, which is why with SMTP TLS it is called gateway-to-gateway encryption and not end-to-end encryption.
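Steven's point about TLS being point-to-point, and Kishore's about a hosted relay only optionally re-encrypting the next hop, can both be seen in a message's `Received:` trace: every MTA that accepts a message writes one header for its own hop and records whether that hop used TLS. The following is an added example, not code from the thread or from Cisco, that walks the trace of a constructed message and lists the hops the receiving MTA did not record as TLS-protected. The hostnames, addresses and IDs in the sample headers are placeholders, and the regular expressions cover a few common MTA notations (`with ESMTPS`, an explicit `TLSv1.x`, Exchange-style `version=TLS1_2`), not every format in the wild.

```python
# Added example (not from the thread or from Cisco): read the Received:
# trace of a message to see which hops were TLS-protected.  Each Received
# header is written by the MTA that accepted the message for that hop, so the
# trace exposes the point-to-point nature of SMTP TLS: the hop into a hosted
# relay can be encrypted while the hop out of it is in the clear.
import email
import re

# How common MTAs record a TLS hop: Postfix/Sendmail "with ESMTPS"/"ESMTPSA",
# an explicit "TLSv1.2", or Exchange-style "(version=TLS1_2, ...)".
TLS_RE = re.compile(r"\bwith\s+\w*SMTPSA?\b|\bTLSv?[0-9]|\bversion=TLS", re.I)
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed sample (placeholder names, addresses and IDs).  Newest hop is on
# top, as in a real message: an internal app handed the message to the
# IronPort in the clear, the IronPort delivered to a hosted relay over TLS,
# and the relay forwarded to the recipient's MTA without TLS.
SAMPLE_MESSAGE = """Received: from relay.hosted.example (relay.hosted.example [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTP id 4A1B2C;
    Tue, 5 Jan 2021 10:00:03 +0000
Received: from ironport1.sender.example (ironport1.sender.example [198.51.100.5])
    by relay.hosted.example with ESMTPS (TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384)
    id 7D8E9F; Tue, 5 Jan 2021 10:00:02 +0000
Received: from app01.sender.example ([10.0.0.5])
    by ironport1.sender.example with ESMTP id 1Q2R3S;
    Tue, 5 Jan 2021 10:00:01 +0000
From: sender@sender.example
To: someone@recipient.example
Subject: TLS hop audit sample

body text
"""


def received_hops(raw_message: str):
    """Return the hops oldest-first as dicts with keys: from, by, tls (bool)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        src = FROM_RE.search(flat)
        dst = BY_RE.search(flat)
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "tls": bool(TLS_RE.search(flat)),
        })
    hops.reverse()  # headers are stored newest-first; report oldest-first
    return hops


def cleartext_hops(raw_message: str):
    """Hops the receiving MTA did not record as TLS-protected, as 'from -> by'."""
    return [f"{h['from']} -> {h['by']}"
            for h in received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"{'TLS  ' if hop['tls'] else 'CLEAR'} {hop['from']} -> {hop['by']}")
    print("cleartext hops:", cleartext_hops(SAMPLE_MESSAGE))
```

Two caveats when reading such a trace: the only header you can fully trust is the one your own gateway wrote, since any earlier MTA could have written or altered the ones below it; and absence of a TLS marker in a hop you do not control is information about that relay's configuration, which is the part of the path the thread says you cannot enforce from your own appliances.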

robertrenner
Beginner

You're right. For those who need it, we have PGP in place also. 8)

thanks, rob :wink:
