This document describes how to enable Transport Layer Security (TLS) on a listener on the Email Security Appliance (ESA).
There are no specific requirements for this document.
The information in this document is based on the ESA with any AsyncOS version.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
You must enable TLS for any listeners where you require encryption for inbound connections. You might want to enable TLS on listeners that face the Internet (public listeners), but not for listeners for internal systems (private listeners). Or, you might want to enable encryption for all listeners. By default, neither private nor public listeners allow TLS connections. You must enable TLS in a listener's Host Access Table (HAT) in order to enable TLS for either inbound (receiving) or outbound (sending) email. In addition, the mail flow policy settings for private and public listeners have TLS turned 'off' by default.
You can specify three different settings for TLS on a listener:
- No (shown as Off in the GUI): TLS is not allowed for incoming connections. Connections to the listener do not require encrypted Simple Mail Transfer Protocol (SMTP) conversations. This is the default setting for all listeners you configure on the appliance.
- Preferred: TLS is allowed for incoming connections to the listener from Message Transfer Agents (MTAs). The sending MTA decides whether to issue STARTTLS; a session that stays in the clear is still accepted.
- Required: TLS is allowed for incoming connections to the listener from MTAs, and until a STARTTLS command is received the ESA responds with an error message to every command other than NOOP, EHLO, or QUIT. With TLS 'Required', email that the sender does not encrypt with TLS is refused by the ESA before it is sent, which prevents it from being transmitted in the clear.
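The difference between the three settings is easiest to see in the SMTP exchange itself. The following is an added example, not code from the original document or from the appliance: a toy listener that applies each setting to a client which first tries to send in the clear and then upgrades with STARTTLS. The reply codes follow RFC 3207 (530 for commands issued before STARTTLS on a server that requires it, 220 to start the handshake); the host names and reply wording are constructed for illustration and are not the ESA's exact strings.

```python
"""Added example: a toy SMTP listener showing what each HAT TLS setting does.

Reply codes are the RFC 3207 ones (530 before STARTTLS, 220 ready to start TLS);
host names and the reply wording are constructed, not copied from the appliance.
"""
from dataclasses import dataclass, field

# Under "Required", these are the only verbs answered normally before STARTTLS.
ALLOWED_BEFORE_STARTTLS = {"NOOP", "EHLO", "QUIT"}


@dataclass
class Listener:
    tls: str                     # "No", "Preferred" or "Required"
    secured: bool = False        # True once STARTTLS has been accepted
    transcript: list = field(default_factory=list)

    def handle(self, line: str) -> str:
        """Return the reply a listener with this TLS setting gives to one client command."""
        verb = line.split()[0].upper()
        if verb == "STARTTLS":
            if self.tls == "No":
                reply = "502 5.5.1 Command not implemented"
            elif self.secured:
                reply = "503 5.5.1 TLS already active"
            else:
                self.secured = True          # a real server would now run the TLS handshake
                reply = "220 2.0.0 Ready to start TLS"
        elif self.tls == "Required" and not self.secured and verb not in ALLOWED_BEFORE_STARTTLS:
            reply = "530 5.7.0 Must issue a STARTTLS command first"
        elif verb == "EHLO":
            lines = ["250-esa.example.com"]      # constructed host name
            if self.tls != "No" and not self.secured:
                lines.append("250-STARTTLS")    # only advertised while the session is in the clear
            lines.append("250 8BITMIME")
            reply = "\r\n".join(lines)
        elif verb in {"MAIL", "RCPT", "DATA", "NOOP", "RSET"}:
            reply = "250 2.0.0 OK"
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "500 5.5.2 Command unrecognized"
        self.transcript.append(f"C: {line}\nS: {reply}")
        return reply


def run_session(tls_setting: str) -> dict:
    """Drive a client that first tries to send in the clear, then upgrades to TLS.

    Returns the three-digit reply code for each step so the settings can be compared.
    """
    listener = Listener(tls_setting)
    steps = [
        ("ehlo", "EHLO client.example.net"),
        ("mail_clear", "MAIL FROM:<alice@example.net>"),   # attempt in the clear
        ("starttls", "STARTTLS"),
        ("ehlo_tls", "EHLO client.example.net"),            # RFC 3207: EHLO again after the handshake
        ("mail_tls", "MAIL FROM:<alice@example.net>"),
        ("quit", "QUIT"),
    ]
    return {name: listener.handle(cmd)[:3] for name, cmd in steps}


if __name__ == "__main__":
    for setting in ("No", "Preferred", "Required"):
        print(setting, run_session(setting))
```

Running it shows the security-relevant line: under "Required" the cleartext MAIL FROM is answered with 530 and only the post-STARTTLS one is accepted, under "Preferred" both are accepted (the sender chooses), and under "No" the STARTTLS command itself is rejected. Note that a listener set to "Preferred" still leaves the decision to the sending MTA, so it does not by itself guarantee that mail arrives encrypted.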
Enable TLS on a HAT Mail Flow Policy for a Listener via the GUI
Complete these steps:
- From the Mail Flow Policies page, choose a listener whose policies you want to modify and then click the link for the name of the policy to edit. (You can also edit the Default Policy Parameters.) The Edit Mail Flow Policies page is displayed.
- In the "Encryption and Authentication" section, for the "Use TLS:" field, choose the level of TLS you want for the listener.
- Click Submit.
- Click Commit Changes, add an optional comment if necessary, and then click Commit Changes in order to save the changes.
Enable TLS on a HAT Mail Flow Policy for a Listener via the CLI
- Use the listenerconfig > edit command in order to choose a listener you want to configure.
- Use the hostaccess > default command in order to edit the listener's default HAT settings.
- Enter one of these choices in order to change the TLS setting when you are prompted (the default, 1, leaves TLS off; 3 selects 'Required'):
    Do you want to allow encrypted TLS connections?
    1. No
    2. Preferred
    3. Required
    [1]> 3
    You have chosen to enable TLS. Please use the 'certconfig' command to
    ensure that there is a valid certificate configured.
Note that this example asks you to use the certconfig command in order to ensure that there is a valid certificate that can be used with the listener. If you have not created any certificates, the listener uses the demonstration certificate that is pre-installed on the appliance. You can enable TLS with the demonstration certificate for testing purposes, but it is not secure and is not recommended for general use. Use the listenerconfig > edit > certificate command in order to assign a certificate to the listener.
Once you have configured TLS, the setting is reflected in the summary of the listener in the CLI (the TLS line shows the value you chose):
    Interface: PublicNet (192.168.2.1/24) TCP Port 25
    Max Concurrency: 1000 (TCP Queue: 50)
    Domain map: disabled
    TLS: Required
- Enter the commit command in order to enable the change.
Use this section to confirm that your configuration works properly.
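The quickest manual check is `openssl s_client -starttls smtp -connect <listener-address>:25`, which shows whether STARTTLS is offered and which certificate is presented. The script below is an added example, not part of the original document or of the appliance, that automates the same check from an external host using only the Python standard library: it infers which of the three HAT settings is in effect from the listener's behaviour (whether STARTTLS is advertised and whether a cleartext MAIL FROM is rejected with 530), then negotiates TLS and reports the version, cipher and certificate fingerprint. The HELO name and the address given on the command line are assumptions to be replaced with your own values.

```python
"""Added example: probe a listener from outside to confirm the TLS setting took effect.

Standard library only. The HELO name is an assumption; pass the listener's
address on the command line: python probe_tls.py esa.example.com 25
"""
import hashlib
import smtplib
import ssl
import sys


def classify_listener(ehlo_features: dict, clear_mail_code: int) -> str:
    """Map observed behaviour back to the HAT setting.

    No STARTTLS in EHLO               -> "No"
    STARTTLS offered, clear MAIL 250  -> "Preferred"
    STARTTLS offered, clear MAIL 530  -> "Required"
    """
    if "starttls" not in ehlo_features:   # smtplib lower-cases the EHLO keywords
        return "No"
    return "Required" if clear_mail_code == 530 else "Preferred"


def probe(host: str, port: int = 25, helo: str = "probe.example.net") -> dict:
    """Talk to the listener; report the inferred setting and the negotiated TLS parameters."""
    result = {}
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(helo)
        features = dict(smtp.esmtp_features)
        code, _ = smtp.docmd("MAIL FROM:<>")   # try to open a transaction in the clear
        if code == 250:
            smtp.docmd("RSET")                 # accepted: back out before upgrading
        result["setting"] = classify_listener(features, code)
        if result["setting"] == "No":
            return result
        # Inspect, do not trust: verification is disabled so a bad or demo
        # certificate is reported here instead of aborting the probe.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        smtp.starttls(context=ctx)
        smtp.ehlo(helo)                        # RFC 3207: EHLO again after the handshake
        tls_sock = smtp.sock                   # now an ssl.SSLSocket
        result["tls_version"] = tls_sock.version()
        result["cipher"] = tls_sock.cipher()[0]
        der = tls_sock.getpeercert(binary_form=True)
        # Compare this with the certificate assigned under certconfig; the pre-installed
        # demonstration certificate must not be what a production listener presents.
        result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return result


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in probe(target, target_port).items():
        print(f"{key}: {value}")
```

Run it from a host that is not on an exempt sender group, since the HAT applies the mail flow policy per sender group and a different policy may match from inside the network. A result of "Preferred" on a listener you believe is set to "Required" usually means the probe matched a different sender group or the change was never committed.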
This section provides information you can use to troubleshoot your configuration.
You can specify whether the ESA sends an alert if the TLS negotiation fails when messages are delivered to a domain that requires a TLS connection. The alert message contains the name of the destination domain for the failed TLS negotiation. The ESA sends the alert message to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert recipients via the System Administration > Alerts page in the GUI (or via the alertconfig command in the CLI).