12-15-2010 12:35 PM
This may be very simple to do, but I haven't configured IronPort appliances before. I need to allow TLS from a Postini business partner. Should I be configuring a new listener? Or can I add the vendor's domains to the current incoming mail listener and assign a certificate? I'm trying to find some configuration examples, GUI or CLI, but haven't found anything yet.
12-15-2010 10:59 PM
Hi,
Just configure a Sendergroup for the sender servers (or their namespace) and assign a policy where you enable TLS (preferred/required/preferred-verify/required-verify) for them. Without the verify option this should also work with your self-signed certs.
12-21-2010 01:36 PM
Any example of how to do that? It may sound ignorant, but I haven't worked with these and have inherited them as a senior guy left.
Jeff Witkowski
Network Engineer
AAA Life Insurance Company
Tel: 734-779-2033
Thread: "TLS from Postini Business vendor", https://supportforums.cisco.com/message/3250175#3250175
12-22-2010 02:35 AM
Hey Jeff,
Just have a look at the IronPort KB Article #323.
I've just sent you a short mail which may help a bit.
greetz, Rob
12-17-2010 08:42 AM
Hi Jeff,
Rob has you on the right path here. Not sure if you have done this yet.
How do I enable TLS encryption?
Transport Layer Security (TLS) is an improved version of the Secure Socket Layer (SSL) technology. It is a widely used mechanism for encrypting SMTP conversations over the Internet. IronPort AsyncOS supports the STARTTLS extension of SMTP (Secure SMTP over TLS) as described in RFC 2487.
You must enable TLS for any listeners where you require encryption. You may want to enable TLS on listeners facing the Internet (public listeners), but not for listeners for internal systems (private listeners). Or, you may want to enable encryption for all listeners. By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener’s HAT to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, the mail flow policy settings for private and public listeners have TLS turned 'off' by default.
For examples of TLS log messages see article 388.
Enabling TLS on a Listener
You can specify 3 different settings for TLS on a listener:
To enable TLS on a HAT mail flow policy for a listener via the GUI, follow these steps:
The mail flow policy for the listener is updated with the TLS setting you chose.
To enable TLS on a listener via the CLI, follow these steps:
1. Use the listenerconfig -> edit command to choose the listener you want to configure.
2. Use the hostaccess -> default command to edit the listener's default HAT settings.
3. Answer the TLS prompt:
Do you want to allow encrypted TLS connections?
1. No
2. Preferred
3. Required
[1]>3
4. Issue the commit command to enable the change.
Once you have configured TLS, the setting will be reflected in the summary of the listener in the CLI. For example:
Name: Inboundmail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: Required
For more information about enabling TLS on a listener's HAT, see the AsyncOS Advanced User Guide on the IronPort Support Portal.
Christopher C Smith
CSE
Cisco IronPort Customer Support
12-17-2010 10:58 AM
Great conversation on TLS. I'm not trying to hijack the thread, but I have a related question, so I thought I would post it here.
How does the appliance pick which variant of TLS is used?
I see our appliances successfully using RC4-SHA, RC4-MD5, DHE-RSA-AES256-SHA, etc. and just wondering how the decision is made.
Thanks all,
Jason
12-20-2010 07:25 AM
Hey Jason,
I'm not from Customer Support, but as far as I know, the appliance works out the encryption algorithm with the partner on the other side.
greetz,
Rob
12-20-2010 08:32 AM
Hi Jason,
Rob is correct that algorithms are chosen based on the TLS handshake between the client and server (sending MTA and IronPort). You can certainly limit the algorithms that IronPort can advertise during the handshake via the "sslconfig" command, which lists all the encryption/hash algorithms used for each type of communication.
Best
Kishore
12-20-2010 09:05 AM
Thanks for the input Robert and Kishore.
12-22-2010 07:29 AM
OK, one more question: does AsyncOS try to negotiate the strongest encryption first and work its way down to a weaker cipher, or does it work from weakest to strongest?
Thanks!
12-27-2010 02:16 PM
Jason,
If you have multiple ciphers defined, that would be the case. However, if you're asking this in relation to Postini, it appears, based on the data I have on hand, that they choose the highest available cipher; thus we have a specific article covering this type of scenario. I have not tested this, and the Postini documentation may have more explicit details, but I do know they start with the highest available. If that fails for some reason, it would be logical to try the next highest cipher in line. That would of course mean that multiple ciphers have to be defined and available. I would still recommend consulting the Postini documentation to verify the behavior on their side and confirm whether this is explicit or not.
In order for an IronPort and Postini connection to operate TLS, Postini will always choose the highest available cipher.
By default the IronPort uses all installed cipher sets, and Postini will always choose the highest available cipher set. To reduce the CPU load on the IronPort, it is necessary to restrict the ciphers used by the IronPort when utilizing the encryption (TLS) subsystem.
In the example below we are changing the inbound TLS cipher set to use only "RC4-SHA:RC4-MD5", which are 128-bit ciphers.
System.com> sslconfig
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound
Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> enter
Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> RC4-SHA:RC4-MD5 (Note the ALL is removed)
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>
System.com> commit
Please enter some comments describing your changes:
[]> Limited TLS ciphers to only 128bit ciphers
Changes committed: Wed Mar 11 20:12:04 2009 UTC
Additionally here are the Postini supported ciphers:
bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode
cast-cbc CAST in CBC mode
cast Alias for cast-cbc
cast5-cbc CAST5 in CBC mode
cast5-cfb CAST5 in CFB mode
cast5-ecb CAST5 in ECB mode
cast5-ofb CAST5 in OFB mode
des-cbc DES in CBC mode
des Alias for des-cbc
des-cfb DES in CFB mode
des-ofb DES in OFB mode
des-ecb DES in ECB mode
des-ede-cbc Two key triple DES EDE in CBC mode
des-ede Two key triple DES EDE in ECB mode
des-ede-cfb Two key triple DES EDE in CFB mode
des-ede-ofb Two key triple DES EDE in OFB mode
des-ede3-cbc Three key triple DES EDE in CBC mode
des-ede3 Three key triple DES EDE in ECB mode
des3 Alias for des-ede3-cbc
des-ede3-cfb Three key triple DES EDE CFB mode
des-ede3-ofb Three key triple DES EDE in OFB mode
desx DESX algorithm.
idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
idea-cfb IDEA in CFB mode
idea-ecb IDEA in ECB mode
idea-ofb IDEA in OFB mode
rc2-cbc 128 bit RC2 in CBC mode
rc2 Alias for rc2-cbc
rc2-cfb 128 bit RC2 in CFB mode
rc2-ecb 128 bit RC2 in ECB mode
rc2-ofb 128 bit RC2 in OFB mode
rc2-64-cbc 64 bit RC2 in CBC mode
rc2-40-cbc 40 bit RC2 in CBC mode
rc4 128 bit RC4
rc4-64 64 bit RC4
rc4-40 40 bit RC4
rc5-cbc RC5 cipher in CBC mode
rc5 Alias for rc5-cbc
rc5-cfb RC5 cipher in CFB mode
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode
aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
aes-[128|192|256] Alias for aes-[128|192|256]-cbc
aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
Christopher C Smith
CSE
Cisco IronPort Customer Support
12-30-2010 11:03 AM
Thanks Chris. My portion of the question was more directed at TLS in general, but the Postini information is also very useful.
Jason