TLS without STARTTLS when TLS Support is Required
04-10-2019 07:19 AM
Hi,
We configured the TLS connection as "Required" for some destination domains in the "Destination Controls".
Unfortunately, the mail server of a destination domain sometimes didn't send the "250-STARTTLS" in the HELO reply (I don't know why).
Is there a way to force the ESA to try TLS regardless of the HELO answer when the TLS connection is configured as required?
Best,
Andreas
Labels: Email Security
08-06-2019 07:52 PM
Hey Andreas,
EHLO is required for STARTTLS to be advertised for the ESA to use:
C680.esa.lab> telnet 10.10.10.100 25
Trying 10.10.10.100...
Connected to 10.10.10.100.
Escape character is '^]'.
220 C680.lab.test ESMTP
HELO test
250 C680.lab.test
^]
telnet> q
Connection closed.
C680.esa.lab> telnet 10.10.10.100 25
Trying 10.10.10.100...
Connected to 10.10.10.100.
Escape character is '^]'.
220 C680.lab.test ESMTP
EHLO test
250-C680.lab.test
250-8BITMIME
250-SIZE 10485760
250 STARTTLS
^]
telnet> q
Connection closed.
If the receiving mail server does not offer STARTTLS at all, then the ESA would not run the command. While you can still force it manually via an SMTP conversation over telnet, devices following the RFC (like the ESA) will not force a command if it was not advertised as an EHLO extension.
Regards,
Mathew
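As an added example (not from the original thread and not Cisco ESA code), here is a small Python check that parses an EHLO reply the way an RFC 3207 client does and reports whether STARTTLS is advertised; the sample replies are the ones shown in the telnet sessions above, the decision strings are the example's own wording rather than the ESA's actual actions, and the `probe_starttls` helper and its hostname `probe.example.invalid` are assumptions for live use.

```python
"""Check whether a receiving MTA advertises STARTTLS in its EHLO reply.

An RFC 3207 client only issues STARTTLS when the keyword appears among the
EHLO extensions, so a "TLS required" delivery policy cannot be satisfied by a
server that answers without it (or that was only sent HELO).
"""
import smtplib

# Constructed replies, copied from the telnet sessions in the thread above.
HELO_REPLY = "250 C680.lab.test\n"
EHLO_REPLY = "250-C680.lab.test\n250-8BITMIME\n250-SIZE 10485760\n250 STARTTLS\n"


def parse_ehlo_reply(reply: str) -> dict:
    """Parse a raw (multi-line) EHLO/HELO reply into {"code", "extensions"}.

    Continuation lines are "250-KEYWORD [params]"; the last line uses a space
    after the code. The first line carries the server name, not an extension.
    """
    code, extensions = None, {}
    for idx, line in enumerate(reply.strip().splitlines()):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        code = line[:3]
        if idx == 0:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params  # keywords are case-insensitive
    return {"code": code, "extensions": extensions}


def advertises_starttls(reply: str) -> bool:
    parsed = parse_ehlo_reply(reply)
    return parsed["code"] == "250" and "STARTTLS" in parsed["extensions"]


def delivery_decision(reply: str, tls_required: bool) -> str:
    """What a standards-following sender does with this reply under a TLS policy."""
    if advertises_starttls(reply):
        return "issue STARTTLS"
    if tls_required:
        return "do not deliver: STARTTLS not advertised but policy requires TLS"
    return "deliver in clear"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: send EHLO and report whether STARTTLS is offered (no TLS is started)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("probe.example.invalid")  # assumed probe hostname
        return code == 250 and smtp.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("HELO", HELO_REPLY), ("EHLO", EHLO_REPLY)):
        print(f"{name}: {delivery_decision(reply, tls_required=True)}")
```

Running `probe_starttls` against a destination MX over time is one way to confirm whether the STARTTLS keyword is intermittently missing, which is what the thread describes.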
