Steps for configuring TLS in ESA

slizarraga
Level 1

Hello,

I want to know the steps needed to enable TLS.

This is the scenario:

The ESA is used as a relay from an internal host (no TLS needed).

All the emails coming from this internal host use the same source domain.

The ESA is configured to use a public relay (Google Mail) on the Internet for all the emails coming from this internal host; this is configured by an outgoing content filter. TLS is needed in this part of the communication.

I have created the SMTP authentication profile and I used it in the listener.

I also enabled it in the mail flow policy.

Do I need something else?

I really want to be sure if I need any more configuration.

In the tests I make, I get this answer:

Double bounce: Message 94130457 to BASIS@quimtia.com. Reason: 5.1.0 - Unknown address error 550-"5.1.1 The email account that you tried to reach does not exist. Please try\\n5.1.1 double-checking the recipient\'s email address for typos or\\n5.1.1 unnecessary spaces. Learn more at\\n5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 lq5si6916488igb.63 - gsmtp"

Thanks for your help!

1 Reply

Mathew Huynh
Cisco Employee

Hello Sliza,

I believe, from my understanding of your scenario, the outbound traffic routing is:

Internal host -> ESA (no TLS required)

ESA -> Google server (requiring TLS)

Then Google public relay server -> Internet

If you are requiring TLS from the ESA to this Google public relay server, where the recipient domains may all be external:

I would suggest going to GUI > Mail Policies > Destination Controls.

On the default destination control, change TLS to 'Preferred'.

So when any deliveries are being done, TLS will be used when available, else it will fall back to plain text.

If you want to set TLS to Required (meaning that if TLS cannot be negotiated, the email is dropped) only for deliveries to this Google public relay server, then you will need to use this workaround.

Create a new content filter.

Condition: the remote IP is your internal host IP.

Action: Send to alternate destination host -> tlshost.route

Submit this content filter.

GUI > Network > SMTP Routes

Add a new SMTP route.

Receiving Domain -> tlshost.route

Destination hosts: priority = 0; the destination host will be the Google public relay server that you will deliver these emails to.

Submit this SMTP route.

Then go to GUI > Mail Policies > Destination Controls.

Add a new destination control.

Destination -> tlshost.route

TLS Support -> Required

Submit this destination control.

Then go to GUI > Mail Policies > Outgoing Mail Policies.

Enable the content filter you created on the policies where required.

Submit this and commit the change.

Regards,

Matthew
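The following is an added example, not code from the forum post and not part of the Cisco ESA product: a small Python model of the four pieces the answer above wires together (outgoing content filter, SMTP route, per-domain Destination Control, and the default Destination Control). It shows why sending matching mail to a placeholder domain such as tlshost.route lets a Destination Control enforce TLS = Required for that relay only, while every other destination keeps the Preferred fallback. The internal host IP, the relay hostname, the recipient addresses and the policy names are all constructed assumptions for the example.

```python
"""Added example, not from the Cisco forum post or the ESA itself: models the
ESA delivery decision for the per-destination TLS workaround. Destination
Controls are keyed on the routed domain, so the placeholder domain is the hook
that lets one relay get 'required' while the default stays 'preferred'."""

from dataclasses import dataclass, field


@dataclass
class ContentFilter:
    """Outgoing content filter: if the sending (remote) IP matches, deliver to
    an alternate destination host instead of the recipient's own domain."""
    remote_ip: str
    alternate_host: str


@dataclass
class SmtpRoute:
    """SMTP route: receiving domain -> list of (priority, next-hop host)."""
    receiving_domain: str
    destination_hosts: list


@dataclass
class DestinationControl:
    """Destination control; tls is one of 'off', 'preferred', 'required'.
    (The real ESA also offers certificate-verifying variants, not modelled.)"""
    tls: str


@dataclass
class EsaConfig:
    content_filters: list = field(default_factory=list)
    smtp_routes: dict = field(default_factory=dict)      # domain -> SmtpRoute
    dest_controls: dict = field(default_factory=dict)    # domain -> DestinationControl
    default_control: DestinationControl = field(
        default_factory=lambda: DestinationControl("preferred"))


def route_message(cfg, sender_ip, recipient):
    """Return (routing_domain, next_hop, tls_policy) for one outbound message.

    Order mirrors the answer: content filter rewrites the destination domain,
    the SMTP route resolves that domain to a host, and the Destination Control
    lookup uses the routed domain (falling back to the default control)."""
    domain = recipient.split("@", 1)[1].lower()
    for flt in cfg.content_filters:
        if flt.remote_ip == sender_ip:
            domain = flt.alternate_host
            break
    route = cfg.smtp_routes.get(domain)
    if route:
        # lowest priority value wins, as in the answer's "priority = 0"
        next_hop = sorted(route.destination_hosts)[0][1]
    else:
        next_hop = f"MX of {domain}"   # assumption: unrouted domains use MX lookup
    control = cfg.dest_controls.get(domain, cfg.default_control)
    return domain, next_hop, control.tls


def delivery_outcome(tls_policy, remote_offers_starttls):
    """What happens on the wire once connected, per the answer's description:
    'preferred' falls back to plain text, 'required' drops the delivery."""
    if tls_policy == "required":
        if remote_offers_starttls:
            return "delivered over TLS"
        return "bounced: TLS required but not available"
    if tls_policy == "preferred":
        return "delivered over TLS" if remote_offers_starttls else "delivered in plain text"
    return "delivered in plain text"


def build_example_config():
    """Constructed configuration matching the workaround in the answer."""
    cfg = EsaConfig()
    # constructed internal host IP; placeholder domain from the answer
    cfg.content_filters.append(ContentFilter("10.0.0.5", "tlshost.route"))
    # placeholder relay hostname standing in for the Google relay
    cfg.smtp_routes["tlshost.route"] = SmtpRoute(
        "tlshost.route", [(0, "smtp-relay.example.invalid")])
    cfg.dest_controls["tlshost.route"] = DestinationControl("required")
    return cfg


if __name__ == "__main__":
    cfg = build_example_config()
    for ip in ("10.0.0.5", "10.0.0.9"):
        domain, hop, policy = route_message(cfg, ip, "someone@example.com")
        print(ip, "->", domain, "via", hop, "TLS", policy,
              "|", delivery_outcome(policy, remote_offers_starttls=False))
```

Running it shows the two paths side by side: mail from the filtered internal host is routed to tlshost.route, resolved to the relay, and bounces if STARTTLS is not offered; mail from any other host keeps the default Preferred control and falls back to plain text. The useful check for a practitioner is the second line: once the default is only Preferred, everything not caught by the filter can still leave in clear text, so the filter condition must match exactly the traffic that needs the Required guarantee.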