09-17-2009 03:14 PM
HI,
I have some questions for TLS implementation on the C150 series.
I've read the online support help, but it's still not clear on TLS, since I'm new to how it functions.
1. I've received from the CA, among other certificates, the TrustedRoot.crt. Should I use it somewhere in the ESA during certconfig installation?
2. If the receiving hosts (domains), are not supporting TLS, should they receive our TLS mails, signed and encrypted by ESA?
3. How can ESA logs tell that emails sent to some domains are being sent with TLS and how to troubleshoot these cases?
09-17-2009 11:24 PM
Answering inline below:
1. I've received from the CA, among other certificates, the TrustedRoot.crt. Should I use it somewhere in the ESA during certconfig installation?
[AW] Yes, depending on the format of the certs, you may need to convert to PEM format first. Once you've installed the 'identity' or 'host' certificate, you will be prompted to enter in the CA's certificate or 'trusted root'. Installation instructions:
http://tinyurl.com/y7n674
2. If the receiving hosts (domains), are not supporting TLS, should they receive our TLS mails, signed and encrypted by ESA?
[AW] You would use destination controls set to "preferred" I am thinking. The ESA contacts the other side, looks for TLS capabilities, and reverts to plaintext delivery if that is not present.
more info: http://tinyurl.com/ougz3
3. How can ESA logs tell that emails sent to some domains are being sent with TLS and how to troubleshoot these cases?
[AW] There are lots of messages containing "TLS" in the string. There is a TLS report in the GUI as well. Here are some notes on this:
http://tinyurl.com/py4tw
best of luck!
andrew
09-18-2009 07:58 AM
Thanks for your reply.
Does TLS require a different port or the usual one (25 for smtp).
I sent an email to Google (for testing), using TLS required, but it never arrived.
Iron port logs show email sent. Could it be the provider, or the required option is not supported by google?
09-18-2009 12:34 PM
Hi Ardi_80,
TLS is working on the standard TCP 25 port. (Although there is an old deprecated standard that uses an alternative port, IronPort (and most other mail systems nowadays) use "plain" TCP 25 communication.)
If you want to know if a remote mail server supports TLS or not, there is a quite simple trick to determine this.
1) Log on to the CLI of your Ironport
2) Find a/the mail server of your target domain by executing "nslookup domain.name MX" (if needed)
3) Execute: "telnet mailhost.domain.name 25" (you get a connection with the remote SMTP server)
4) Enter "EHLO test"
5) The remote server shows its capabilities/limitations. If "STARTTLS" is present in the list, the remote server supports TLS.
good luck!
Steven
PS: I tested a few Google hosts and it seems Google is supporting TLS
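The EHLO check above, as an added example (not code from the thread or from Cisco): the parser inspects an EHLO reply for the STARTTLS keyword, and the live probe does the same over a real connection with the standard library's smtplib. The sample reply and the hostnames are constructed for illustration.

```python
import smtplib

# Constructed sample of a multi-line EHLO reply body (greeting line first),
# in the shape smtplib.SMTP.ehlo() returns; not captured from a real host.
SAMPLE_EHLO_REPLY = (
    b"mx.example.test at your service, [192.0.2.10]\n"
    b"SIZE 35882577\n"
    b"8BITMIME\n"
    b"STARTTLS\n"
    b"ENHANCEDSTATUSCODES\n"
)


def ehlo_extensions(reply: bytes) -> set:
    """Return the EHLO keywords a server advertised (the greeting line is skipped)."""
    lines = reply.decode("ascii", errors="replace").splitlines()
    exts = set()
    for line in lines[1:]:
        # Each line is "KEYWORD [parameters]"; compare keywords case-insensitively.
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            exts.add(keyword)
    return exts


def supports_starttls(reply: bytes) -> bool:
    """True when the remote side offered STARTTLS, i.e. it can negotiate TLS on port 25."""
    return "STARTTLS" in ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check of one MX host (needs network access): connect, send EHLO,
    and report whether STARTTLS is among the advertised extensions."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        smtp.connect(host, port)
        code, msg = smtp.ehlo("tls-probe.example.test")  # assumed probe hostname
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        return supports_starttls(msg)


if __name__ == "__main__":
    print("sample reply offers STARTTLS:", supports_starttls(SAMPLE_EHLO_REPLY))
```

A host that answers EHLO without STARTTLS will only ever get plaintext delivery from a "preferred" destination control, which is exactly the case the log review later in this thread is meant to surface.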
09-22-2009 07:25 AM
I tested also on our gateway the EHLO test, and it didn't show any STARTTLS.
I've started TLS on C150 with destconfig from the CLI. Does the box need any restart after enabling TLS?
During certconfig it requires a private key. Is this the key generated during the request to the CA? If the certificate from the provider (DigiCert) is in .crt format, how do I convert it to .pem format? Are these formats the same?
09-22-2009 11:12 PM
I tested also on our gateway the EHLO test, and it didn't show any STARTTLS.
I've started TLS on C150 with destconfig from the CLI. Does the box need any restart after enabling TLS?
[AW] No. Check your appropriate Mail Flow Policy / HAT sender group to make sure it's inheriting the expected policy. Also, make sure there are no firewalls in between inspecting SMTP sessions and potentially dropping 'STARTTLS' type commands.
During certconfig it requires a private key. Is this the key generated during the request to the CA? If the certificate from the provider (DigiCert) is in .crt format, how do I convert it to .pem format? Are these formats the same?
[AW] Yes. It really depends but I believe '.crt' file extensions are 'pem' format. I hate all the random extensions, so I usually tell by mimetype or filetype fingerprint, or by simply opening it with a text editor and looking. The important thing is that it is 'plain text' and has '----begin' and 'end----' tags in it.
Andrew
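Andrew's "open it in a text editor and look for the BEGIN/END tags" advice, as an added example (not code from the thread or from Cisco): PEM is just the DER bytes base64-encoded between those tags, so a file can be classified by content rather than by its extension and converted in either direction with the standard library. The DER sample here is a constructed byte string with a leading ASN.1 SEQUENCE tag, not a real certificate.

```python
import base64
import re

# A PEM block: "-----BEGIN label-----", base64 body, "-----END label-----".
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in for DER data: 0x30 is the SEQUENCE tag every X.509
# certificate starts with; the rest is filler, not a parseable certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def is_pem(data: bytes) -> bool:
    """True when the data contains at least one BEGIN/END-delimited block."""
    return PEM_RE.search(data) is not None


def describe(data: bytes) -> str:
    """Classify file content the way a practitioner would by inspection."""
    if is_pem(data):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER (binary ASN.1 SEQUENCE)"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as PEM with the customary 64-character base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN {label}-----\n".encode() + body
            + f"\n-----END {label}-----\n".encode())


def pem_to_der(pem: bytes) -> bytes:
    """Extract the first PEM block and decode its body back to DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def classify_file(path: str) -> str:
    """Convenience wrapper: classify a certificate file on disk by content."""
    with open(path, "rb") as f:
        return describe(f.read())
```

If `describe()` reports DER, feed `der_to_pem()` output to certconfig; if it already reports PEM, the .crt can be pasted as-is.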
09-25-2009 08:38 AM
In the incoming mails after enabling TLS (preferred), I see from the log the following:
TLS success protocol TLSv1 cipher RC4-MD5.
Does it mean incoming mail is encrypted? Is the cryptographic protocol listed here? Is it the right one?
09-25-2009 05:17 PM
Does it mean incoming mail is encrypted? Is the cryptographic protocol listed here? Is it the right one?
09-26-2009 02:47 PM
Does anybody have a tool or method of how to troubleshoot certificate negotiation between servers? If my certificate is not trusted between clients, is there any log saved?
09-28-2009 05:36 PM
Yes, the appliance logs this information in the mail_logs along with all other delivery or injection information depending on the direction (contains 'DCID xxxx' or 'ICID xxxx').
To get more information, you could create an 'injection debug' log subscription on your ESA to capture SMTP conversations for all incoming mail from a particular host, or 'domain debug' logs to capture things in the opposite direction.
You can also use the 'tcpdump' command 'diagnostic > network > tcpdump' in the appliance's CLI to get a standard packet capture. Otherwise, you can use an external machine or firewall to capture similar info in a normal packet dump.
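The two log questions in this thread (what "TLS success protocol TLSv1 cipher RC4-MD5" tells you, and how to read TLS sessions out of mail_logs by ICID/DCID) answered as one added example, not code from the thread or from Cisco: it extracts each successful TLS negotiation, uses ICID versus DCID for direction as the reply above describes, and flags sessions whose cipher or protocol is weak by today's standards (RC4-MD5 is encrypted, but with a cipher and hash no longer considered safe). The log lines are constructed to match the fragments quoted in the thread, not a verbatim AsyncOS format.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, shaped after the fragments quoted in the thread.
SAMPLE_MAIL_LOGS = [
    "Fri Sep 25 08:31:02 2009 Info: ICID 1234 TLS success protocol TLSv1 cipher RC4-MD5",
    "Fri Sep 25 08:31:10 2009 Info: DCID 5678 TLS success protocol TLSv1 cipher AES256-SHA",
    "Fri Sep 25 08:32:41 2009 Info: DCID 5679 Delivery start, no TLS negotiated",
]

TLS_RE = re.compile(
    r"\b(?P<kind>ICID|DCID)\s+(?P<cid>\d+)\b.*?"
    r"TLS success protocol (?P<proto>\S+) cipher (?P<cipher>\S+)"
)
# Coarse substring markers; "DES" also catches 3DES on purpose.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


@dataclass
class TlsEvent:
    direction: str   # "inbound" for ICID (injection), "outbound" for DCID (delivery)
    cid: int
    protocol: str
    cipher: str

    def weak(self) -> bool:
        """Encrypted, but with a cipher suite or protocol version to retire."""
        cipher = self.cipher.upper()
        return (any(m in cipher for m in WEAK_CIPHER_MARKERS)
                or self.protocol in LEGACY_PROTOCOLS)


def parse_tls_events(lines):
    """Return one TlsEvent per 'TLS success' line; other lines are ignored."""
    events = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            direction = "inbound" if m["kind"] == "ICID" else "outbound"
            events.append(TlsEvent(direction, int(m["cid"]), m["proto"], m["cipher"]))
    return events


def weak_sessions(lines):
    """Sessions worth a destination-control or cipher-policy review."""
    return [e for e in parse_tls_events(lines) if e.weak()]
```

Run it over a mail_logs export to see which connections actually negotiated TLS and which of those used suites like RC4-MD5 that should be disabled in the appliance's cipher settings.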