Transport Layer Security (TLS) Comprehensive Setup Guide

About this Article This article is geared toward Cisco IronPort ESA administrators that have to enable or are thinking about enabling TLS on their ESA. After reading it, you will be able to generate a CSR to be signed by a Certificate Authority, back up your new certificate and convert it to PEM format. Once in PEM format, you will add it to the Cisco IronPort ESA. Finally, with the new certificate installed, you can enable inbound and outbound TLS. Article Topics: Cisco IronPorts TLS implementation How to generate a certificate signing request How to convert a certificate plus its private key into PEM format How to install certificates on a Cisco IronPort Email Security Appliance (ESA) How to activate TLS on a Cisco IronPort How to configure TLS for ALL or selected inbound SMTP sessions How to configure TLS for ALL or selected outbound SMTP sessions How to add multiple domain entries to the Destination Control Table simultaneously How to find logs that show successful TLS communication for inbound and outbound sessions How to enable some kind of notifications for when Required TLS connections fail

About IronPort's TLS implementation The TLS implementation in the Cisco IronPort AsyncOS operating system provides privacy for point-to-point transmission of emails through encryption. It allows you to import a certificate and private key from a Certificate Authority (CA) service, or use a self-signed certificate. The Cisco IronPort AsyncOS operating system supports the STARTTLS extension to SMTP (Secure SMTP over TLS). TLS is described in detail in RFC 3207

How do I generate a certificate signing request (CSR)? Since AsyncOS 7.1.1 you can generate a CSR directly on a Cisco IronPort ESA, for details please look at knowledge article 1634. For appliances running AsyncOS before version 7.1.1, there are different ways of generating a CSR using third-party applications. This Knowledge Base article references software and tools, which are not maintained or supported by Cisco IronPort. The information is provided as a courtesy for your convenience. For further assistance, please contact the appropriate software vendors. You must have a working installation of the OpenSSL software and be able to execute OpenSSL from the command line. The following article uses OpenSSL to generate a CSR to give to a Certificate Authority: Knowledge Article 790 The OpenSSL software for Microsoft Windows can be obtained from Shining Light Productions: http://www.slproweb.com/products/Win32OpenSSL.html The following article describes how to generate a CSR using Microsoft Certificate Wizard. Microsoft KB 228821. How do I convert my certificate plus private key to PEM format?

You will need OpenSSL to convert the cert/key combination to PEM format: http://www.slproweb.com/products/Win32OpenSSL.html SSL x509 certificates and RSA keys can be stored using a number of different formats. Two commonly used formats by Certificate Authorities are DER (a binary format used primarily by Java platforms) and PEM (a base64 representation of DER with header and footer information which is used primarily by UNIX platforms). Cisco IronPorts are Unix machines; hence it uses the PEM format. Once your certificate is returned to you from the CA that signed it, you'll need to add it into the web server that generated the CSR. After following Microsoft's KB 228821, follow Microsoft's KB 232136 to backup your new Cert and Key to a PKCS#12 format. The backup process automatically adds the PFX extension for you. Now you will need a copy of OpenSSL on Windows to execute OpenSSL from the command line; or if you have a Unix machine, it comes built in. Assumptions made: 1. 2. 3. You have a backup file called <certificate_backup_file.pfx> of your certificate and key that was generated by Microsoft KB 232136. You have a certificate called <MYCERT.cer> sent to you by the signing CA. OpenSSL has been installed on your computer or you have a Unix machine.

To convert your PFX or CER to PEM containing both private key and certificates follow these steps. At a command prompt, type: 1. To convert a PKCS#12 (.pfx .p12) to PEM containing both private key and certificates openssl pkcs12 -in Certificate_backup_file.pfx -out My_Cert_key.pem -nodes add -nocerts for private key only; add -nokeys for certificates only The above command creates a file called My_Cert_key.pem in your current working directory that is in PEM format. You can open this file with a basic text editor. The file has the certificate and key that will be used with the command certconfig on the Cisco IronPort appliance. To convert the certificate from DER to PEM openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

2.

How do I install certificates on a Cisco IronPort Email Security Appliance (ESA)? With your certificate and key in PEM format, you can now use the command certconfig to add your certificate to the Cisco IronPort appliance. Follow Knowledge article 674 to accomplish this step.

How to activate TLS on an IronPort TLS on a Cisco IronPort appliance is directional. You can either activate it only for a select set of domains coming to your Cisco IronPort, or just for a domain that you deliver emails to.

How do I configure TLS for ALL or selected inbound SMTP sessions?

To activate TLS for inbound sessions, connect to the Web GUI and choose Mail Policies > Mail Flow Policies for your inbound listener. Follow these steps: 1. 2. From the Mail Flow Policies page, choose a listener whose policies you want to modify, and then click the link for the name of policy to edit. The Edit Mail Flow Policies page is displayed. Under the security features, in the Encryption and Authentication section, alter the Use TLS: field, choose the level of TLS you want for the listener.

Your options are: 1. 2. Off Preferred: TLS can negotiate from the remote MTA to the Cisco IronPort appliance. However, if the remote MTA does not negotiate (prior to receiving a 220 response), the SMTP transaction will continue "in the clear" (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received the SMTP transaction does not fall back to clear text. Required: TLS must be negotiated from the remote MTA to the Cisco IronPort appliance. No attempt is made to verify the domain's certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session. Click Submit. Click the Commit Changes button, add an optional comment if necessary, and then click Commit Changes to save the changes. The mail flow policy for the listener is updated with the TLS setting you chose.

3.

4. 5.

To activate TLS for inbound sessions coming from a select set of domain(s): 1. 2. 3. Connect to the Web GUI and choose Mail Policies > HAT Overview > add your sender to the appropriate Sender Group. Now edit the TLS settings of the mail flow policy associated with the Sender Group modified in the previous step. Click the Commit Changes button, add an optional comment if necessary, and then click Commit Changes to save the changes. The mail flow policy for the Sender Group is updated with the TLS setting you chose.

How do I configure TLS for ALL or selected outbound SMTP sessions? To active TLS for outbound sessions, connect to the Web GUI and browse to Mail Policies > Destination Controls: Follow these steps: 1. 2. 3. 4. Browse to Mail Policies > Destination Controls Click on 'Add Destination...' Add the destination domain i.e. domain.com Under the TLS Support section enable the type of TLS your company policies require.

Your options are: 1. 2. None: TLS is not negotiated for outgoing connections from the interface to the MTA for the domain. Preferred: TLS is negotiated from the Cisco IronPort appliance interface to the MTA(s) for the domain. However, if the TLS negotiation fails (prior to receiving a 220 response), the SMTP transaction will continue "in the clear" (not encrypted). No attempt is made to verify if the certificate originates from a trusted certificate authority. If an error occurs after the 220 response is received the SMTP transaction does not fall back to clear text. Required: TLS is negotiated from the Cisco IronPort appliance interface to MTA(s) for the domain. No attempt is made to verify the domain's certificate. If the negotiation fails, no email is sent through the connection. If the negotiation succeeds, the mail is delivered via an encrypted session. Preferred - Verify: TLS is negotiated from the Cisco IronPort appliance to the MTA(s) for the domain. The appliance attempts to verify the domain's certificate. Three outcomes are possible: 1. TLS is negotiated and the certificate is verified. The mail is delivered via an encrypted session.

3.

4.

5.

TLS is negotiated, but the certificate is not verified. The mail is delivered via an encrypted session. No TLS connection is made and, subsequently the certificate is not verified. The email message is delivered in plain text. Required - Verify: TLS is negotiated from the Cisco IronPort appliance to the MTA(s) for the domain. Verification of the domain's certificate is required. Three outcomes are possible: 1. TLS connection is negotiated and the certificate is verified. The email message is delivered via an encrypted session. 2. TLS connection is negotiated but the certificate is not verified by a trusted CA. The mail is not delivered. 3. TLS connection is not negotiated. The mail is not delivered.

2. 3.

How do I add multiple domain entries to the Destination Control table simultaneously? Currently this is not supported under any AsyncOS below version 7.0. However, at version 7.0 or higher, the batch feature of the destconfig command can be used to add multiple domain entries into the destination control table.

How do I find logs that show successful TLS communication for inbound and outbound sessions? TLS connections are recorded in the mail logs along with other significant actions related to messages such as filter actions, anti-virus and anti-spam verdicts, and delivery attempts. If there is a successful TLS connection, there will be a TLS success entry in the mail logs. Likewise, a failed TLS connection will produce a TLS failed entry. If a message does not have an associated TLS entry in the log file, that message was not delivered over a TLS connection. To understand the mail logs, review Knowledge Article 574. Below are examples of successful and failed TLS connections: Successful TLS connection from remote host (Receiving): Wed Jul 20 19:47:40 2005 Info: New smtp ICID 282204970 interface mail.example.com (10.2.3.4) address 10.3.4.5 reverse dns host unknown verified no Wed Jul 20 19:47:40 2005 Info: ICID 282204970 ACCEPT SG None match SBRS None Wed Jul 20 19:47:40 2005 Info: ICID 282204970 TLS success Wed Jul 20 19:47:40 2005 Info: Start MID 200257070 ICID 282204970 Failed TLS connection from remote host (Receiving): Tue Jun 28 19:08:49 2005 Info: New SMTP ICID 282204971 interface Management (10.2.3.4) address 10.3.4.5 reverse dns host unknown verified no Tue Jun 28 19:08:49 2005 Info: ICID 282204971 ACCEPT SG None match SBRS None Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS failed Tue Jun 28 19:08:49 2005 Info: ICID 282204971 lost Tue Jun 28 19:08:49 2005 Info: ICID 282204971 TLS was required but remote host did not initiate it Tue Jun 28 19:08:49 2005 Info: ICID 282204971 close Successful TLS connection to remote host (Delivery): Tue Jun 28 19:28:31 2005 Info: New SMTP DCID 834 interface 10.10.10.100 address 192.168.1.25 port 25 Tue Jun 28 19:28:31 2005 Info: DCID 834 TLS success protocol TLSv1 cipher DHE-RSA-AES256-SHA Tue Jun 28 19:28:31 2005 Info: Delivery start DCID 834 MID 1074 to RID [0] Failed TLS connection to remote host (Delivery): Fri Jul 22 22:00:05 2005 Info: DCID 2386070 IP 10.3.4.5 TLS failed: STARTTLS unexpected response

How do I enable some kind of notifications for when my Required TLS connections fail? You can specify whether the Cisco IronPort appliance sends an alert if the TLS negotiation fails when delivering messages to a domain that requires a TLS connection. The alert message contains the name of the destination domain for the failed TLS negotiation. The Cisco IronPort appliance sends the alert message to all recipients set to receive warning severity level alerts for System alert types. To enable TLS connection alerts, browse to the Web console > Destination Controls and click Edit Global Settings on the Destination Controls page or via the CLI type destconfig -> setup subcommand. This is a global setting so it cant be set on a per-domain basis. The Cisco IronPort appliance will note in the mail logs instances when TLS is required for a domain but could not be used. The mail logs will be updated when any of the following conditions are met: The remote MTA does not support ESMTP (for example, it did not understand the EHLO command from the IronPort appliance). The remote MTA supports ESMTP but STARTTLS was not in the list of extensions it advertised in its EHLO response. The remote MTA advertised the STARTTLS extension but responded with an error when the IronPort appliance sent the STARTTLS command.

References 1. 2. IronPort ESA Advance User Guide. ENCRYPTING SMTP CONVERSATIONS USING TLS IronPorts Web portal knowledge. http://www.ironport.com/support/ * Knowledge article 474 * Knowledge article 674 * Knowledge article 574 Microsoft www.microsoft.com/support/ * KB 228821 * KB 232136 IETF http://www.ietf.org/rfc.html * RFC 3207

3.

4.