Hello everyone. I'd like to poll the group and see what SSL configurations you recommend using in ESA. Currently I'm running mine at "MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:-EXPORT:@STRENGTH" on inbound SMTP, but we are having quite a few complaints about senders being unable to send us mail. Thanks in advance for your help.
You have turned off TLSv1.0; first, turn this back on.
You need to perform an analysis of traffic before turning this off, working with the critical business partners still using it.
A good check against your system is checktls.com using the SSL Probe option.
I believe the cipher string below is from a 'recommendation', but who is recommending it, I ask. You need to balance support vs. security; that is why the big providers keep so much backwards compatibility with low encryption levels: they don't want to turn business away.
EDH+TLSv1.2:EDH+HIGH:HIGH:!MEDIUM:!ECDH:!ECDSA:!LOW:!EXP:!aNULL:!DSS:!IDEA:!PSK:!3DES:!SRP:@STRENGTH:!EXPORT:-aNULL:-EXPORT
Analyse the traffic; when it is low enough, on v11+, turn off TLSv1.0 and tune out the weaker ciphers from the cipher string above. A good time to reassess tuning is when upgrading to the next ESA version.
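Both strings in this thread use OpenSSL cipher-list syntax, and the part that bites legacy senders is easy to miss: the version keywords (SSLv3, TLSv1, TLSv1.2) select suites by the minimum protocol version they require, not by the protocol being negotiated, so `-SSLv3` in the original poster's string removes every RSA/DHE CBC-SHA1 suite (AES128-SHA, DHE-RSA-AES256-SHA, ...), which are exactly the suites a sender stuck on TLS 1.0/1.1 can use. The strict string in the reply keeps those but throws away all ECDHE suites (`!ECDH`), which is what modern senders prefer. The script below is an added example, not code from the thread or from Cisco: it expands each string through the local Python `ssl` module (so the list reflects the local OpenSSL build, not the ESA's own OpenSSL, and the exact suites will differ) and summarises what a TLS 1.0-only sender, a forward-secrecy-preferring sender and an auditor would see. On OpenSSL 1.0.x builds the SSLv3 and TLSv1 keywords select the same suites, so there `-SSLv3` also drops the ECDHE CBC-SHA1 suites; that version caveat is an assumption about older builds, not something the thread states.

```python
"""Expand OpenSSL cipher strings the way ESA sslconfig will see them and
summarise what each one leaves for legacy senders (added example)."""
import ssl

# The two cipher strings quoted in this thread (constructed input copied from the posts).
CURRENT = "MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:-EXPORT:@STRENGTH"
STRICT = ("EDH+TLSv1.2:EDH+HIGH:HIGH:!MEDIUM:!ECDH:!ECDSA:!LOW:!EXP:!aNULL:!DSS:"
          "!IDEA:!PSK:!3DES:!SRP:@STRENGTH:!EXPORT:-aNULL:-EXPORT")


def expand(cipher_string):
    """Suites (TLS 1.2 and earlier) that `cipher_string` enables on the local
    OpenSSL build, parsed from OpenSSL's own one-line cipher descriptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches at all
    suites = []
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are configured separately and are unaffected by the string.
        if c["protocol"] == "TLSv1.3" or c["name"].startswith("TLS_"):
            continue
        # Description looks like: "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"
        parts = c["description"].split()
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append({
            "name": c["name"],
            "min_version": parts[1],  # lowest protocol the suite can be negotiated under
            "kx": fields.get("Kx", "?"),
            "au": fields.get("Au", "?"),
            "bits": c["strength_bits"],
        })
    return suites


def legacy_capable(suites):
    """Suites with an SSLv3 minimum: the RSA/DHE CBC-SHA1 suites that a sender
    limited to TLS 1.0/1.1 relies on. A string that strips all of these turns
    such senders away even when the TLS 1.0 protocol itself is still enabled."""
    return [s["name"] for s in suites if s["min_version"] == "SSLv3"]


def by_kx(suites, kx):
    """Suite names using a given key exchange: 'ECDH', 'DH' or 'RSA' (static)."""
    return [s["name"] for s in suites if s["kx"] == kx]


def weaknesses(suites):
    """What an auditor checks first: anonymous (unauthenticated) suites and
    suites below 128 bits of effective strength."""
    return {
        "anonymous": [s["name"] for s in suites if s["au"] == "None"],
        "under_128_bits": [s["name"] for s in suites if s["bits"] < 128],
    }


def report(label, cipher_string):
    suites = expand(cipher_string)
    print(f"== {label}: {len(suites)} suites (TLS <= 1.2)")
    print(f"   usable by TLS 1.0/1.1-only senders: {legacy_capable(suites)}")
    print(f"   ECDHE: {len(by_kx(suites, 'ECDH'))}  DHE: {len(by_kx(suites, 'DH'))}"
          f"  static RSA: {len(by_kx(suites, 'RSA'))}")
    print(f"   weaknesses: {weaknesses(suites)}")
    return suites


if __name__ == "__main__":
    report("thread's current string", CURRENT)
    report("thread's strict string", STRICT)
```

Run it before changing sslconfig, and again after: the first report shows an empty legacy list for the original poster's string (no suite a TLS 1.0-only sender can use, regardless of the protocol toggle), the second shows the strict string has no ECDHE suites at all. The self-hosted counterpart to the checktls.com probe mentioned above is `openssl s_client -connect mx.example.com:25 -starttls smtp -tls1` (with `-tls1_1`, `-tls1_2` and `-cipher` to mimic a specific sender; `mx.example.com` is a placeholder for your own MX), which shows exactly which version and suite the ESA will accept from that class of client.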