This document describes how to enable Transport Layer Security (TLS) on a listener on the Email Security Appliance (ESA).
There are no specific requirements for this document.
The information in this document is based on the ESA with any AsyncOS version.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
You must enable TLS for any listeners where you require encryption for inbound connections. You might want to enable TLS on listeners that face the Internet (public listeners), but not for listeners for internal systems (private listeners). Or, you might want to enable encryption for all listeners. By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener's Host Access Table (HAT) in order to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, the mail flow policy settings for private and public listeners have TLS turned 'off' by default.
You can specify three different settings for TLS on a listener:
Setting | Meaning
---|---
No | TLS is not allowed for incoming connections. Connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is the default setting for all listeners you configure on the appliance.
Preferred | TLS is allowed for incoming connections to the listener from Message Transfer Agents (MTAs).
Required | TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, the ESA responds with an error message to every command other than No Option (NOOP), EHLO, or QUIT. If TLS is 'Required', email that the sender does not want encrypted with TLS is refused by the ESA before it is sent, which prevents it from being transmitted in the clear.
Complete these steps:
```
Do you want to allow encrypted TLS connections?
1. No
2. Preferred
3. Required
[1]>3
You have chosen to enable TLS. Please use the 'certconfig' command to
ensure that there is a valid certificate configured.
```
Note that this example asks you to use the certconfig command in order to ensure that there is a valid certificate that can be used with the listener. If you have not created any certificates, the listener uses the demonstration certificate that is pre-installed on the appliance. You can enable TLS with the demonstration certificate for testing purposes, but it is not secure and is not recommended for general use. Use the listenerconfig > edit > certificate command in order to assign a certificate to the listener.
Once you have configured TLS, the setting is reflected in the summary of the listener in the CLI:
```
Name: Inboundmail
Type: Public
Interface: PublicNet (192.168.2.1/24) TCP Port 25
Protocol: SMTP
Default Domain:
Max Concurrency: 1000 (TCP Queue: 50)
Domain map: disabled
TLS: Required
```
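The 'Required' setting described in the table above, and the certificate concern raised after the CLI excerpt, can both be checked from the administrator's side. The following Python is an added example and is not code from the Cisco page or from AsyncOS: the `RequiredTlsListener` class is a hypothetical simulation of the rule that only NOOP, EHLO and QUIT are accepted before STARTTLS (the reply codes, hostname `esa.example.test` and response strings are assumptions, not the appliance's real output), and `live_check` uses the standard `smtplib` and `ssl` modules to connect to a real listener, confirm that STARTTLS is offered, negotiate it and return the SHA-256 fingerprint of whatever certificate the listener presents, so it can be compared with the certificate shown by `certconfig` and the demonstration certificate spotted before go-live.

```python
"""Added example (not from the Cisco page or AsyncOS): a model of how a
listener with TLS set to 'Required' gates the SMTP conversation, plus a
live helper that reports which certificate a listener presents."""
import hashlib
import smtplib
import ssl

# Per the page: with TLS 'Required', only these verbs get a normal reply
# before STARTTLS has been received; everything else is refused.
ALLOWED_BEFORE_STARTTLS = {"NOOP", "EHLO", "QUIT"}


class RequiredTlsListener:
    """Hypothetical simulation of the 'Required' rule. The reply codes,
    hostname and banner text are assumptions, not the appliance's strings."""

    def __init__(self) -> None:
        self.tls_active = False

    def handle(self, line: str) -> str:
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active"
            # A real listener would now run the TLS handshake on the socket.
            self.tls_active = True
            return "220 Go ahead with TLS"
        if not self.tls_active and verb not in ALLOWED_BEFORE_STARTTLS:
            # MAIL FROM, RCPT TO, DATA etc. are refused before encryption, so a
            # sender that will not use TLS never gets to transmit the message.
            return "530 Must issue a STARTTLS command first"
        if verb == "EHLO":
            # STARTTLS is advertised only while the session is still plaintext.
            exts = ["250-esa.example.test"]
            if not self.tls_active:
                exts.append("250-STARTTLS")
            exts.append("250 8BITMIME")
            return "\r\n".join(exts)
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"


def run_session(commands):
    """Feed client commands to a fresh listener; return (command, reply) pairs."""
    listener = RequiredTlsListener()
    return [(cmd, listener.handle(cmd)) for cmd in commands]


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a real listener, confirm STARTTLS is offered, negotiate it,
    and return the SHA-256 fingerprint of the presented certificate so it can
    be compared with the one shown by 'certconfig'. Verification is disabled
    deliberately: the point is to see what the listener presents, including
    the pre-installed demonstration certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls_offered": False}
        smtp.starttls(context=ctx)
        smtp.ehlo()  # EHLO is re-issued over the encrypted channel (RFC 3207)
        der = smtp.sock.getpeercert(binary_form=True)
        return {
            "starttls_offered": True,
            "tls_version": smtp.sock.version(),
            "cert_sha256": hashlib.sha256(der).hexdigest(),
        }


if __name__ == "__main__":
    # Constructed conversation: a client that tries to send before STARTTLS.
    for cmd, reply in run_session(["EHLO client.example.test",
                                   "MAIL FROM:<user@example.test>",
                                   "STARTTLS",
                                   "EHLO client.example.test",
                                   "MAIL FROM:<user@example.test>",
                                   "QUIT"]):
        print(f"C: {cmd}\nS: {reply}")
```

Run the module to see the simulated exchange, where the first MAIL FROM is refused and the second, after STARTTLS, is accepted; call `live_check("esa.example.test")` (hostname is a placeholder) against the listener to confirm STARTTLS is advertised and to record the fingerprint of the certificate actually in use. A fingerprint that does not match the certificate assigned with `listenerconfig > edit > certificate` means the listener is still serving a different certificate, typically the demonstration one.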
Use this section to confirm that your configuration works properly.
This section provides information you can use to troubleshoot your configuration.
You can specify whether the ESA sends an alert if the TLS negotiation fails when messages are delivered to a domain that requires a TLS connection. The alert message contains the name of the destination domain for the failed TLS negotiation. The ESA sends the alert message to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert recipients via the System Administration > Alerts page in the GUI (or via the alertconfig command in the CLI).
Revision | Publish Date | Comments
---|---|---
1.0 | 08-May-2015 | Initial Release