09-23-2014 07:41 AM
Dear all,
We have two IronPort C370 ESAs, formed in a cluster.
We need to route e-mails targeted to a special group using TLS Required/Verify.
I have two questions:
1. Is TLS mutual authentication possible on both incoming and outgoing?
2. Due to the nature of the TLS need, the existing listener cannot be used. So I created a new listener and respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS required/verify. The problem is that there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet, while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners?
Thanks and kind regards,
Gino.
PS: Please bear with me and my questions. I am making my first steps in IronPort administration.
09-25-2014 12:17 AM
I have made some sort of progress but I would also like to have your expert opinions.
I have come to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s) CA (containing SANs etc. for both the SMTP domain and the ESA itself), while if I spread own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. The issue is that I will have to declare it in destination controls and it cannot be generic.
Is there any way to make TLS required/verify with mutual authentication the default without having to set destination control(s)?
As for my second question, I have come to understand that the additional listener is not an additional MTA and consequently I cannot have a separate default SMTP route (default = what is called "ALL" in IronPort). Still, if anyone knows something more, it would be really helpful if it was shared.