TLS configuring

The-Messenger
Level 1

I need to configure TLS on my C360. At this time I have only one customer that is requesting TLS, so I thought I should create a policy specifically for TLS and add others, if any request it, later. I added checktls.com for testing. Currently I am able to receive TLS from checktls but not from another domain; I want to verify my incoming settings. I would also like to know how to set up TLS for outgoing mail.

Created a self-signed cert in the CLI.

Created a mail flow policy, enabled (Preferred TLS).

Created a sender group, added checktls.com.

Set the TLS mail flow incoming policy to the first in order.

I checked in the GUI under Monitor / TLS Connections; I see checktls.com in the Preferred / Successful column. 5 connections, 1 message, all successful. All looks good.

I added another domain, othertls.com, the same way. Othertls.com is also in the GUI log as successful.

The mail admin at othertls.com says TLS is failing.

____________________________________________________________________________________

First question: am I missing something, or is the mail domain at othertls.com missing something?

______________________________________________________________________________________

Second question: how do I configure outgoing TLS?

I have an outgoing mail flow policy and sender group set up the same way, but I don't see any outgoing TLS mail.

________________________________________________________________________________________

Third question: in the CLI, when I type encryption status, I must go to machine mode, and I get "PXE encryption is not enabled for this mode".

Accepted Solution

viahmed
Cisco Employee

Greetings,

Configure TLS outbound:

To activate TLS for outbound sessions, connect to the web GUI and browse to Mail Policies > Destination Controls.

Follow these steps:

  1. Browse to Mail Policies > Destination Controls
  2. Click on 'Add Destination...'
  3. Add the destination domain, e.g. domain.com
  4. Under the TLS Support section enable the type of TLS your company policies require.
  5. Submit and commit the changes

============================


To verify that your incoming TLS is working, please check the mail logs for the particular domain.

Below are examples of successful and failed TLS connections:

Successful TLS connection from remote host (Receiving):

Wed  Jul 20 19:47:40 2005 Info: New smtp ICID 282204970 interface  mail.example.com   (1.2.3.4) address 2.3.4.5 reverse dns host unknown  verified no
Wed Jul 20 19:47:40 2005 Info: ICID 282204970 ACCEPT SG None match SBRS None
Wed Jul 20 19:47:40 2005 Info: ICID 282204970 TLS success
Wed Jul 20 19:47:40 2005 Info: Start MID 200257070 ICID 282204970

Failed TLS connection from remote host (Receiving):

Tue  Jun 28 19:08:49 2005 Info: New SMTP ICID 282204971 interface Management  (1.2.3.4) address 2.3.4.5 reverse dns host unknown verified no
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 ACCEPT SG None match SBRS None
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS failed
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 lost
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS was required but remote host did not initiate it
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 close

===================

I am not clear about your third question; encryption status is not an IronPort command-line command. Please explain what exactly you want to check and on which device.

Cheers,

Viquar Ahmed

Customer Support Engineer

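As an added example (not part of the thread and not a Cisco tool), here is a small Python parser that applies the log-reading method above: it groups ESA mail log lines by ICID and reports, per inbound connection, the peer address, whether TLS succeeded or failed, the reason the ESA logged, and how many messages were accepted. The two connections quoted above are embedded as constructed sample input.

```python
import re

# Constructed sample input: the two connections quoted in the answer above.
SAMPLE_LOG = """\
Wed  Jul 20 19:47:40 2005 Info: New smtp ICID 282204970 interface  mail.example.com   (1.2.3.4) address 2.3.4.5 reverse dns host unknown  verified no
Wed Jul 20 19:47:40 2005 Info: ICID 282204970 ACCEPT SG None match SBRS None
Wed Jul 20 19:47:40 2005 Info: ICID 282204970 TLS success
Wed Jul 20 19:47:40 2005 Info: Start MID 200257070 ICID 282204970
Tue  Jun 28 19:08:49 2005 Info: New SMTP ICID 282204971 interface Management  (1.2.3.4) address 2.3.4.5 reverse dns host unknown verified no
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 ACCEPT SG None match SBRS None
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS failed
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 lost
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS was required but remote host did not initiate it
Tue Jun 28 19:08:49 2005 Info: ICID 282204971 close
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) .*?address (\S+)", re.IGNORECASE)
START_MID = re.compile(r"Start MID \d+ ICID (\d+)")
ICID_EVENT = re.compile(r"ICID (\d+) (.+)$")
TLS_OUTCOME = {"TLS success": "success", "TLS failed": "failed"}

def _new_conn(peer=None):
    return {"peer": peer, "tls": "none", "reason": None, "messages": 0}

def summarise_tls(log_text):
    """Map each inbound ICID to its peer address, TLS outcome, failure reason and message count."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_ICID.search(line)
        if m:  # connection opened: remember the remote address
            conns[m.group(1)] = _new_conn(m.group(2))
            continue
        m = START_MID.search(line)
        if m:  # a message was accepted on this connection
            conns.setdefault(m.group(1), _new_conn())["messages"] += 1
            continue
        m = ICID_EVENT.search(line)
        if m:
            conn = conns.setdefault(m.group(1), _new_conn())
            event = m.group(2).strip()
            if event in TLS_OUTCOME:  # "TLS success" / "TLS failed"
                conn["tls"] = TLS_OUTCOME[event]
            elif event.startswith("TLS "):  # explanatory line logged after a failure
                conn["reason"] = event
    return conns

def failed_peers(summary):
    """Peers that did not complete TLS, with the reason the ESA logged (None if none)."""
    return [(c["peer"], c["reason"]) for c in summary.values() if c["tls"] != "success"]
```

Feed it the mail log filtered to the remote domain in question; a peer listed by failed_peers with no reason negotiated no TLS at all, while a "TLS was required but ..." reason points at the remote side never issuing STARTTLS.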

4 Replies


So, a separate, individual destination control must be created for each domain with which we need to encrypt email transmission?

So, an organization requiring encryption, that has 1000 customers, would need 1000 destination controls?

Encryptionstatus is a command. If I type Encr and press Tab, I get "encryptionconfig, encryptionstatus, encryptionupdate".

When I type encryptionstatus, I get "PXE encryption is not enabled for this mode". I changed modes to cluster and group and get the same result. I don't think this is referring to TLS encryption, but I wondered what it is referring to.

thanks!

You need to configure every destination domain separately if you don't want to follow the default profile in Destination Controls.

Are you issuing these commands on an email security device (C-series or X-series)? Are you using any encryption device along with the ESA (e.g. PostX)? I am not familiar with the encryption device, but I am pretty sure it has nothing to do with TLS.

Cheers,

Viquar
