TLS without STARTTLS when TLS Support is Required

Hi,

We configured the TLS connection as required for some destination domains in the "Destination Controls".

Unfortunately the mail server of a destination domain sometimes doesn't send the "250-STARTTLS" in the HELO reply (I don't know why).

Is there a way to force the ESA to try TLS regardless of the HELO answer when the TLS connection is configured as required?

Best,

Andreas

1 Reply

Mathew Huynh
Cisco Employee
Hey Andreas,

EHLO is required for STARTTLS to be advertised for the ESA to use:
C680.esa.lab> telnet 10.10.10.100 25
Trying 10.10.10.100...
Connected to 10.10.10.100.
Escape character is '^]'.
220 C680.lab.test ESMTP
HELO test
250 C680.lab.test
^]
telnet> q
Connection closed.

C680.esa.lab> telnet 10.10.10.100 25
Trying 10.10.10.100...
Connected to 10.10.10.100.
Escape character is '^]'.
220 C680.lab.test ESMTP
EHLO test
250-C680.lab.test
250-8BITMIME
250-SIZE 10485760
250 STARTTLS
^]
telnet> q
Connection closed.

If the receiving mail server does not offer STARTTLS at all, then the ESA would not run the command. While you can still force it manually via an SMTP conversation in telnet, devices following the RFC (like the ESA) will not force a command if it was not advertised as an EHLO extension.

Regards,
Mathew
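As an added illustration of the point in Mathew's reply (example code written for this page, not Cisco's or the ESA's own code): the script below drives a constructed in-process fake MTA over a socketpair, sends either HELO or EHLO, parses the multi-line 250 reply the way RFC 5321 defines it, and applies the RFC 3207 rule that a client may only issue STARTTLS when the EHLO reply lists it. The server name and reply lines are copied from the telnet sessions above; the `probe` helper, the fake MTA and the "no STARTTLS" variant of the EHLO reply are assumptions constructed for the example, and nothing here talks to a real host.

```python
"""Why a HELO reply never shows STARTTLS: parse EHLO replies and apply the
RFC 3207 rule that an RFC-following client (like the ESA) obeys.
Added example for this thread, not ESA code."""
import socket
import threading

# Constructed sample replies, copied from the two telnet sessions above.
SERVER_NAME = "C680.lab.test"
HELO_REPLY = "250 %s\r\n" % SERVER_NAME
EHLO_REPLY_WITH_TLS = (
    "250-%s\r\n250-8BITMIME\r\n250-SIZE 10485760\r\n250 STARTTLS\r\n" % SERVER_NAME
)
# Constructed variant: a server that speaks ESMTP but does not offer STARTTLS.
EHLO_REPLY_NO_TLS = "250-%s\r\n250-8BITMIME\r\n250 SIZE 10485760\r\n" % SERVER_NAME


def parse_reply(text):
    """Split one SMTP reply into (code, [line texts]).

    RFC 5321: continuation lines are 'NNN-text', the final line is 'NNN text'.
    """
    code, body = None, []
    for ln in text.replace("\r\n", "\n").split("\n"):
        if not ln:
            continue
        if len(ln) < 3 or not ln[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % ln)
        if code is not None and int(ln[:3]) != code:
            raise ValueError("reply code changed mid-reply: %r" % ln)
        code = int(ln[:3])
        body.append(ln[4:])
        if ln[3:4] != "-":      # anything but '-' after the code ends the reply
            break
    if code is None:
        raise ValueError("empty SMTP reply")
    return code, body


def advertised_extensions(ehlo_reply):
    """Return the EHLO keywords, e.g. {'8BITMIME', 'SIZE', 'STARTTLS'}.

    The first line of a 250 EHLO reply is the server's domain, not a keyword.
    A HELO reply has only that one line, so it yields an empty set.
    """
    code, body = parse_reply(ehlo_reply)
    if code != 250:
        return set()
    return {line.split()[0].upper() for line in body[1:] if line.strip()}


def may_send_starttls(greeting_cmd, reply):
    """RFC 3207 rule: STARTTLS may only be issued after EHLO advertised it."""
    if greeting_cmd.upper() != "EHLO":
        return False            # plain HELO can never carry extension keywords
    return "STARTTLS" in advertised_extensions(reply)


def _fake_mta(conn, offer_starttls):
    """Constructed stand-in for the receiving MTA (runs in a thread)."""
    rf = conn.makefile("rb")
    conn.sendall(("220 %s ESMTP\r\n" % SERVER_NAME).encode())
    while True:
        line = rf.readline()
        if not line:
            break
        cmd = line.decode(errors="replace").strip().split(" ", 1)[0].upper()
        if cmd == "HELO":
            conn.sendall(HELO_REPLY.encode())
        elif cmd == "EHLO":
            conn.sendall((EHLO_REPLY_WITH_TLS if offer_starttls else EHLO_REPLY_NO_TLS).encode())
        elif cmd == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented\r\n")
    rf.close()
    conn.close()


def _read_reply(rf):
    """Read one complete (possibly multi-line) reply from a buffered socket file."""
    lines = []
    while True:
        ln = rf.readline().decode(errors="replace")
        if not ln:
            raise ConnectionError("server closed the connection")
        lines.append(ln)
        if ln[3:4] != "-":
            return "".join(lines)


def probe(greeting_cmd, offer_starttls=True):
    """Run one session against the fake MTA; return (reply text, STARTTLS allowed?)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_mta, args=(server, offer_starttls), daemon=True)
    t.start()
    rf = client.makefile("rb")
    _read_reply(rf)                                   # 220 banner
    client.sendall(("%s test\r\n" % greeting_cmd).encode())
    reply = _read_reply(rf)
    client.sendall(b"QUIT\r\n")
    _read_reply(rf)                                   # 221 Bye
    rf.close()
    client.close()
    t.join(timeout=2)
    return reply, may_send_starttls(greeting_cmd, reply)


if __name__ == "__main__":
    for cmd, tls in (("HELO", True), ("EHLO", True), ("EHLO", False)):
        reply, ok = probe(cmd, tls)
        print("%s (server offers STARTTLS=%s) -> client may send STARTTLS: %s"
              % (cmd, tls, ok))
        print(reply)
```

Running it shows the three cases that matter when a "TLS required" destination fails: HELO gets a single 250 line and can never expose STARTTLS; EHLO against a server that offers it returns the keyword and the client may proceed; EHLO against a server that omits it leaves the RFC-following client with nothing to send, which is exactly the situation Mathew describes.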