Configure TLS for Inbound Connection Encryption on an ESA Listener

Available Languages

Updated:May 8, 2015
Document ID:118954

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to enable Transport Layer Security (TLS) on a listener on the Email Security Appliance (ESA).

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the ESA with any AsyncOS version.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

You must enable TLS for any listeners where you require encryption for inbound connections. You might want to enable TLS on listeners that face the Internet (public listeners), but not for listeners for internal systems (private listeners). Or, you might want to enable encryption for all listeners. By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener's Host Access Table (HAT) in order to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, the mail flow policy settings for private and public listeners have TLS turned 'off' by default.

Configure

You can specify three different settings for TLS on a listener:

Setting Meaning
No TLS is not allowed for incoming connections. Connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is the default setting for all listeners you configure on the appliance.
Preferred TLS is allowed for incoming connections to the listener from Message Transfer Agents (MTAs).
Required TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received, the ESA responds with an error message to every command other than No Option (NOOP), EHLO, or QUIT. If TLS is 'Required' it means that email which the sender does not want encrypted with TLS will be refused by the ESA before it is sent, which thereby prevents it from be transmitted in the clear.

Enable TLS on a HAT Mail Flow Policy for a Listener via the GUI

Complete these steps:

  1. From the Mail Flow Policies page, choose a listener whose policies you want to modify and then click the link for the name of the policy to edit. (You can also edit the Default Policy Parameters.) The Edit Mail Flow Policies page is displayed.
  2. In the "Encryption and Authentication" section, for the "Use TLS:" field, choose the level of TLS you want for the listener.
  3. Click Submit.
  4. Click Commit Changes, add a optional comment if necessary, and then click Commit Changes in order to save the changes.

Note: You can assign a specific certificate for TLS connections to individual public listeners when you create a listener.

Enable TLS on a HAT Mail Flow Policy for a Listener via the CLI

  1. Use the listenerconfig > edit command in order to choose a listener you want to configure.
  2. Use the hostaccess > default command in order to edit the listener's default HAT settings.
  3. Enter one of these choices in order to change the TLS setting when you are prompted:
    Do you want to allow encrypted TLS connections?

        1. No
        2. Preferred
        3. Required
       [1]>3

    You have chosen to enable TLS. Please use the 'certconfig' command to
     ensure that there is a valid certificate configured.

    Note that this example asks you to use the certconfig command in order to ensure that there is a valid certificate that can be used with the listener. If you have not created any certificates, the listener uses the demonstration certificate that is pre-installed on the appliance. You can enable TLS with the demonstration certificate for testing purposes, but it is not secure and is not recommended for general use. Use the listenerconfig > edit > certificate command in order to assign a certificate to the listener.

    Once you have configured TLS, the setting is reflected in the summary of the listener in the CLI:

    Name: Inboundmail
    Type: Public
    Interface: PublicNet (192.168.2.1/24) TCP Port 25
    Protocol: SMTP
    Default Domain:
    Max Concurrency: 1000 (TCP Queue: 50)
    Domain map: disabled
    TLS: Required
  4. Enter the commit command in order to enable the change.

Verify

Use this section to confirm that your configuration works properly.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

You can specify whether the ESA sends an alert if the TLS negotiation fails when messages are delivered to a domain that requires a TLS connection. The alert message contains the name of the destination domain for the failed TLS negotiation. The ESA sends the alert message to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert recipients via the System Administration > Alerts page in the GUI (or via the alertconfig command in the CLI).

Related Information

Revision History

Revision Publish Date Comments
1.0
08-May-2015
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Enrico Werner
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products