jwitkow11
Beginner

TLS from Postini Business vendor

This may be very simple to do but I haven't configured IronPort appliances before. I need to allow TLS from a Postini business partner. Should I be configuring a new listener? Or can I add the vendor's domains to the current incoming mail listener and assign a certificate? Trying to find some configuration examples, GUI or CLI, but haven't found anything yet.

11 REPLIES
robertrenner
Beginner

Hi,

Just configure a Sender Group for the sender servers (or their namespace) and assign a policy where you enable TLS (preferred/required/preferred-verify/required-verify) for them. Without the verify option this should also work with your self-signed certs.

\\Rob

Any example of how to do that? May sound ignorant but I haven't worked with these and have inherited them as a senior guy left.

Jeff Witkowski
Network Engineer
AAA Life Insurance Company
Tel: 734-779-2033

robertrenner

12/16/2010 01:59 AM

Hey Jeff,

Just have a look at the IronPort KB article #323.

I've just sent you a short mail which may help a bit.

greetz, Rob

Christopher Smith
Enthusiast

Hi Jeff,

Rob has you on the right path here. Not sure if you have done this yet.

How do I enable TLS encryption?

Transport Layer Security (TLS) is an improved version of the Secure Socket Layer (SSL) technology. It is a widely used mechanism for encrypting SMTP conversations over the Internet. IronPort AsyncOS supports the STARTTLS extension of SMTP (Secure SMTP over TLS) as described in RFC 2487.

You must enable TLS for any listeners where you require encryption. You may want to enable TLS on listeners facing the Internet (public listeners), but not for listeners for internal systems (private listeners). Or, you may want to enable encryption for all listeners. By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener's HAT to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, the mail flow policy settings for private and public listeners have TLS turned 'off' by default.

For examples of TLS log messages see article 388.

Enabling TLS on a Listener

You can specify 3 different settings for TLS on a listener:

  1. No - TLS is not allowed for incoming connections. Connections to the listener will not require encrypted SMTP conversations. This is the default setting for all listeners you configure on the appliance.
  2. Preferred - TLS is allowed for incoming connections to the listener from MTAs.
  3. Required - TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, the IronPort appliance responds with an error message to every command other than NOOP, EHLO, or QUIT. "Requiring" TLS means that email which the sender is not willing to encrypt with TLS will be refused by the IronPort appliance before it is sent, thereby preventing it from being transmitted in the clear.

To enable TLS on a HAT mail flow policy for a listener via the GUI, follow these steps:

  1. From the Mail Flow Policies page, choose a listener whose policies you want to modify, and then click the link for the name of the policy to edit. (You can also edit the Default Policy Parameters.) The Edit Mail Flow Policies page is displayed.
  2. In the "Encryption and Authentication" section, for the "Use TLS:" field, choose the level of TLS you want for the listener.
  3. Click Submit.
  4. Click the Commit Changes button, add an optional comment if necessary, and then click Commit Changes to save the changes.

The mail flow policy for the listener is updated with the TLS setting you chose.

To enable TLS on a listener via the CLI, follow these steps:

  1. Use the listenerconfig -> edit command to choose a listener you want to configure.
  2. Use the hostaccess -> default command to edit the listener's default HAT settings.
  3. Change the TLS setting by entering one of the following choices when you are prompted with the following question:

```text
Do you want to allow encrypted TLS connections?
1. No
2. Preferred
3. Required
[1]> 3
```

  4. Issue the commit command to enable the change.

Once you have configured TLS, the setting will be reflected in the summary of the listener in the CLI. For example:

```text
Name: Inboundmail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: Required
```

For more information about enabling TLS on a listener's HAT, see the AsyncOS Advanced User Guide on the IronPort Support Portal.

Christopher C Smith

CSE

Cisco IronPort Customer Support
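The No / Preferred / Required behaviour described above, as an added example that is not part of this post or of AsyncOS: a toy Python listener models only the STARTTLS gating of a HAT mail flow policy, so the effect of each setting on a sender that never encrypts is visible. Reply codes and wording are assumptions (530 text from RFC 3207, 502 for a listener with TLS set to No), and the handshake itself is not modelled.

```python
from enum import Enum

class TlsMode(Enum):
    NO = "No"
    PREFERRED = "Preferred"
    REQUIRED = "Required"

# Per the post, a Required listener still answers these before STARTTLS.
ALLOWED_BEFORE_STARTTLS = {"NOOP", "EHLO", "QUIT"}

class Listener:
    def __init__(self, mode):
        self.mode = mode
        self.encrypted = False
        self.log = []  # (verb, reply) pairs, in order

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if self.mode is TlsMode.NO:
                reply = "502 STARTTLS not available"  # assumed wording
            else:
                self.encrypted = True  # handshake itself is not modelled
                reply = "220 Ready to start TLS"
        elif (self.mode is TlsMode.REQUIRED and not self.encrypted
              and verb not in ALLOWED_BEFORE_STARTTLS):
            reply = "530 Must issue a STARTTLS command first"  # RFC 3207 text
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "250 OK"
        self.log.append((verb, reply))
        return reply

def run_session(mode, commands):
    """Feed `commands` to a listener in `mode`; return (encrypted, log)."""
    listener = Listener(mode)
    for command in commands:
        listener.handle(command)
    return listener.encrypted, listener.log

def mail_accepted(log):
    """True if MAIL FROM got a 2xx reply, i.e. the message would be taken."""
    return any(verb == "MAIL" and reply.startswith("2") for verb, reply in log)

# Constructed sessions: an MTA that never upgrades, and one that does.
CLEARTEXT_MTA = ["EHLO mx.example.net", "MAIL FROM:<a@example.net>",
                 "RCPT TO:<b@example.com>", "DATA", "QUIT"]
TLS_MTA = ["EHLO mx.example.net", "STARTTLS", "EHLO mx.example.net",
           "MAIL FROM:<a@example.net>", "RCPT TO:<b@example.com>", "DATA", "QUIT"]
```

Only Required actually refuses the cleartext sender's MAIL FROM; Preferred accepts the same session unencrypted.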

Great conversation on TLS. Not trying to hijack the thread but I have a related question, so I will post it here.

How does the appliance pick which variant of TLS is used?

I see our appliances successfully using RC4-SHA, RC4-MD5, DHE-RSA-AES256-SHA, etc. and just wondering how the decision is made.

Thanks all,

Jason

Hey Jason,

I'm not from Customer Support, but as far as I know, the appliance works out the encryption algorithm with the partner on the other side.

greetz,
Rob

Hi Jason,

Rob is correct that algorithms are chosen based on the TLS handshake between the client and server (sending MTA and IronPort). You can certainly limit the algorithms that IronPort can advertise during the handshake via the "sslconfig" command, which lists all the encryption/hash algorithms that are used for each communication.

Best

Kishore

Thanks for the input Robert and Kishore.

Jason Meyer
Beginner

OK, one more question: does AsyncOS try to negotiate the strongest encryption first and work its way down to a weaker cipher, or work from weakest to strongest?

Thanks!

Jason,

If you have multiple ciphers defined that would be the case; however, if you're asking this in relation to Postini, it appears, based on the data I have on hand, that they choose the highest available cipher, thus we have a specific article covering this type of scenario. I have not tested this and the Postini documentation may have more explicit details, but I do know they start with the highest available. If that fails for some reason it would be logical to try the next highest cipher in line. That would mean of course that multiple ciphers have to be defined and available. I would however still recommend consulting Postini documentation to verify the behavior on their side to confirm whether this is explicit or not.

In order for an IronPort and Postini connection to operate TLS, Postini will always choose the highest available cipher.

Solution:

By default the IronPort uses all installed cipher sets, and Postini will always choose the highest available cipher set. To reduce the CPU load on an IronPort it will be necessary to restrict the ciphers used by the IronPort when utilizing the encryption (TLS) subsystem.

In the example below we are changing the Inbound TLS cipher set to use only "RC4-SHA:RC4-MD5", which are 128-bit ciphers.

```text
System.com> sslconfig

sslconfig settings:
   GUI HTTPS method:  sslv3tlsv1
   GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
   Inbound SMTP method:  sslv3tlsv1
   Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
   Outbound SMTP method:  sslv3tlsv1
   Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]>  enter

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> RC4-SHA:RC4-MD5 (Note the ALL is removed)

sslconfig settings:
   GUI HTTPS method:  sslv3tlsv1
   GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
   Inbound SMTP method:  sslv3tlsv1
   Inbound SMTP ciphers: RC4-SHA:RC4-MD5
   Outbound SMTP method:  sslv3tlsv1
   Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>

System.com> commit

Please enter some comments describing your changes:
[]> Limited TLS ciphers to only 128bit ciphers

Changes committed: Wed Mar 11 20:12:04 2009 UTC
```

Additionally here are the Postini supported ciphers:

```text
bf-cbc             Blowfish in CBC mode
bf                 Alias for bf-cbc
bf-cfb             Blowfish in CFB mode
bf-ecb             Blowfish in ECB mode
bf-ofb             Blowfish in OFB mode

cast-cbc           CAST in CBC mode
cast               Alias for cast-cbc
cast5-cbc          CAST5 in CBC mode
cast5-cfb          CAST5 in CFB mode
cast5-ecb          CAST5 in ECB mode
cast5-ofb          CAST5 in OFB mode

des-cbc            DES in CBC mode
des                Alias for des-cbc
des-cfb            DES in CBC mode
des-ofb            DES in OFB mode
des-ecb            DES in ECB mode
des-ede-cbc        Two key triple DES EDE in CBC mode
des-ede            Two key triple DES EDE in ECB mode
des-ede-cfb        Two key triple DES EDE in CFB mode
des-ede-ofb        Two key triple DES EDE in OFB mode

des-ede3-cbc       Three key triple DES EDE in CBC mode
des-ede3           Three key triple DES EDE in ECB mode
des3               Alias for des-ede3-cbc
des-ede3-cfb       Three key triple DES EDE CFB mode
des-ede3-ofb       Three key triple DES EDE in OFB mode
desx               DESX algorithm.

idea-cbc           IDEA algorithm in CBC mode
idea               same as idea-cbc
idea-cfb           IDEA in CFB mode
idea-ecb           IDEA in ECB mode
idea-ofb           IDEA in OFB mode

rc2-cbc            128 bit RC2 in CBC mode
rc2                Alias for rc2-cbc
rc2-cfb            128 bit RC2 in CFB mode
rc2-ecb            128 bit RC2 in ECB mode
rc2-ofb            128 bit RC2 in OFB mode
rc2-64-cbc         64 bit RC2 in CBC mode
rc2-40-cbc         40 bit RC2 in CBC mode

rc4                128 bit RC4
rc4-64             64 bit RC4
rc4-40             40 bit RC4

rc5-cbc            RC5 cipher in CBC mode
rc5                Alias for rc5-cbc
rc5-cfb            RC5 cipher in CFB mode
rc5-ecb            RC5 cipher in ECB mode
rc5-ofb            RC5 cipher in OFB mode

aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
aes-[128|192|256]      Alias for aes-[128|192|256]-cbc
aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
```

Christopher C Smith

CSE

Cisco IronPort Customer Support
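How the colon-separated cipher string from the sslconfig session and Jason's question about negotiation order fit together, as an added Python example that is not Cisco or Postini code: it expands a cipher string such as "RC4-SHA:RC4-MD5:ALL" against a small constructed catalogue, then resolves a handshake under either side's preference order and maps a failed negotiation back to the listener's Preferred or Required setting. The catalogue, the simplified "ALL" expansion and the outcome strings are assumptions; real OpenSSL tables and keyword semantics are far richer.

```python
# Constructed catalogue: suite name -> symmetric key bits (used only to order
# the simplified 'ALL' expansion). Real OpenSSL has a much larger table.
CATALOGUE = {
    "DHE-RSA-AES256-SHA": 256,
    "AES256-SHA": 256,
    "DES-CBC3-SHA": 168,
    "AES128-SHA": 128,
    "RC4-SHA": 128,   # RC4/MD5 suites are obsolete; kept to mirror the thread
    "RC4-MD5": 128,
}

def expand_cipher_string(spec):
    """Expand 'A:B:ALL' into the server's ordered preference list."""
    result = []
    for token in spec.split(":"):
        if token == "ALL":
            # Simplified 'ALL': every catalogue suite not yet listed, strongest first.
            rest = sorted((s for s in CATALOGUE if s not in result),
                          key=lambda s: -CATALOGUE[s])
            result.extend(rest)
        elif token in CATALOGUE:
            if token not in result:
                result.append(token)
        else:
            raise ValueError(f"unknown cipher token: {token}")
    return result

def negotiate(server_spec, client_offer, server_preference=True):
    """Pick the suite for a handshake, or None when there is no overlap."""
    allowed = expand_cipher_string(server_spec)
    # Whichever side's order is honoured walks its list and takes the first match.
    first, second = (allowed, client_offer) if server_preference else (client_offer, allowed)
    for suite in first:
        if suite in second:
            return suite
    return None

def delivery_outcome(suite, tls_required):
    """What happens to the message when negotiation yields `suite` (assumed wording)."""
    if suite is not None:
        return f"encrypted with {suite}"
    return "refused (TLS Required)" if tls_required else "delivered in cleartext (TLS Preferred)"
```

The answer to "strongest first or weakest first" is therefore: whichever list is honoured decides, so putting RC4 first in the server string picks RC4 even when the client leads with AES, and removing ALL means a client without any listed suite gets no TLS at all.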

Jason Meyer
Beginner

Thanks Chris. My portion of the question was more directed at TLS in general but the Postini information is also very useful.

Jason
