Struggling with Sender Groups to disable TLS for a specific sender

keithsauer507
Level 5

Ok, we want to prefer TLS for inbound email, but when this is turned on, one of our vendors' emails never make it in. So we created a NO-TLS sender group in the HAT overview with their domain name in it and even an IP address. Now when I send email from Gmail or do an MXToolbox check, I do not see it coming in as TLS.

If I move this sender group down in the order to below our ACCEPT-TLS group (in which TLS is preferred), then yes, MXToolbox and Gmail do come inbound with TLS. But it seems like everything would hit that policy, since the SBRS score is around 5.6 or so.

Anyway, it does not seem like there is a way to create a sender group that applies to one domain. You would think the NO-TLS group with the domain name in it would not 'hit', and the IronPort ESA would move on down to the next sender group for evaluation. Instead it seems to hit on it anyway because the SBRS score is within the acceptable range.


Any ideas?

1 Reply

Mathew Huynh
Cisco Employee

Hello Keith,

Are you able to provide us some logging information that shows the ESA rejecting the email due to TLS being set to preferred?

The reason I ask is that TLS preferred means that if TLS (STARTTLS) is not done, the ESA simply uses plain text, so there would be no reason for a connection denial unless something else is interrupting and breaking the connections.

However, if you do wish to allow one specific domain to enter inbound to the ESA without TLS, then you took the right approach.

However, you need to ensure that when you created this NO-TLS sender group, it is placed above your ACCEPT-TLS sender group, and also ensure that SBRS is not being used for these custom groups.

Then, on the NO-TLS sender group, please add the connecting hostnames of the mail servers for that domain, and not the domain itself.

This will allow only those hosts to enter the sender group, while everyone else will go through your other sender groups based on hostname or DNS/SBRS matching.

EG:

If the connecting mail server of gmail.com needs to be allowed without TLS, you will not put gmail.com into this sender group, but instead use their mail server names, which you can find in message tracking.

Just for explanatory purposes, if the gmail.com domain uses mx1.gmail.com or mail-google.smtp.com or so, adding 'gmail.com' will not work; you will need to either add their entire mail server hostnames, such as


mx1.gmail.com AND mail-google.smtp.com

Or

If their servers are all like mx1.gmail.com, mx2.gmail.com, mx3.gmail.com, you can simply add .gmail.com, where the '.' at the front will indicate anything.gmail.com.

I hope this helps.


Regards,

Matthew
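To make the ordering and matching rules from the reply concrete, here is an added toy model of first-match HAT sender-group evaluation. It is not Cisco's code and not from the thread; the vendor.example domain, hostnames, IP addresses and SBRS scores are constructed.

```python
# Toy model of HAT sender-group evaluation: groups are checked top to bottom
# and the first match wins. Illustrative only; not Cisco's AsyncOS implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class SenderGroup:
    name: str
    entries: list           # exact hostnames, ".suffix" wildcards, or IP/CIDR strings
    sbrs: Optional[tuple]   # (low, high) SBRS range, or None when SBRS is not used
    tls: str                # TLS setting of the attached mail flow policy

def entry_matches(entry: str, host: str, ip: str) -> bool:
    """One sender-group entry against the connecting host's rDNS name and IP."""
    if entry.startswith("."):              # ".gmail.com" matches anything.gmail.com
        return host.endswith(entry)
    try:                                   # IP address or CIDR entry
        return ip_address(ip) in ip_network(entry, strict=False)
    except ValueError:
        return host == entry.lower()       # otherwise an exact hostname (a bare domain
                                           # never equals the connecting host's name)

def group_matches(g: SenderGroup, host: str, ip: str, sbrs: float) -> bool:
    if any(entry_matches(e, host, ip) for e in g.entries):
        return True
    return g.sbrs is not None and g.sbrs[0] <= sbrs <= g.sbrs[1]

def evaluate_hat(groups, host, ip, sbrs):
    """Return the name of the first matching sender group, or None."""
    for g in groups:
        if group_matches(g, host.lower(), ip, sbrs):
            return g.name
    return None

# Constructed sample HATs. "vendor.example" stands in for the vendor's domain.
BROKEN_HAT = [  # NO-TLS holds the bare domain and still carries an SBRS range
    SenderGroup("NO-TLS", ["vendor.example"], (3.0, 10.0), "off"),
    SenderGroup("ACCEPT-TLS", [], (-1.0, 10.0), "preferred"),
]
FIXED_HAT = [   # NO-TLS above ACCEPT-TLS, hostname wildcard, no SBRS criterion
    SenderGroup("NO-TLS", [".vendor.example"], None, "off"),
    SenderGroup("ACCEPT-TLS", [], (-1.0, 10.0), "preferred"),
]
GMAIL = ("mail-xx.google.com", "203.0.113.10", 5.6)    # constructed connection
VENDOR = ("mx1.vendor.example", "198.51.100.7", 4.2)   # constructed connection

if __name__ == "__main__":
    for label, hat in (("broken", BROKEN_HAT), ("fixed", FIXED_HAT)):
        for host, ip, score in (GMAIL, VENDOR):
            print(label, host, "->", evaluate_hat(hat, host, ip, score))
```

With the broken HAT every sender with an in-range SBRS lands in NO-TLS, which is the symptom described in the question; with the fixed HAT only hosts under .vendor.example do.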