TLS questions on C-series

Unanswered Question
Sep 17th, 2009

HI,

I have some questions about the TLS implementation on the C150 series.
I've read the online support help, but I'm still not clear on TLS, since I'm new to how it functions.

1. I've received from the CA, among other certificates, the TrustedRoot.crt. Should I use it somewhere in the ESA during certconfig installation?

2. If the receiving hosts (domains) do not support TLS, should they receive our TLS mails, signed and encrypted by the ESA?

3. How can the ESA logs tell that emails sent to some domains are being sent with TLS, and how to troubleshoot these cases?

Andrew Wurster Thu, 09/17/2009 - 23:24

Answering inline below:

1. I've received from the CA, among other certificates, the TrustedRoot.crt. Should I use it somewhere in the ESA during certconfig installation?
[AW] Yes. Depending on the format of the certs, you may need to convert to PEM format first. Once you've installed the 'identity' or 'host' certificate, you will be prompted to enter the CA's certificate or 'trusted root'. Installation instructions:
http://tinyurl.com/y7n674

2. If the receiving hosts (domains) do not support TLS, should they receive our TLS mails, signed and encrypted by the ESA?
[AW] You would use destination controls set to "preferred" I am thinking. The ESA contacts the other side, looks for TLS capabilities, and reverts to plaintext delivery if that is not present.
more info: http://tinyurl.com/ougz3

3. How can the ESA logs tell that emails sent to some domains are being sent with TLS, and how to troubleshoot these cases?
[AW] There are lots of messages containing "TLS" in the string. There is a TLS report in the GUI as well. Here are some notes on this:
http://tinyurl.com/py4tw

best of luck!

andrew

ardi_80_ironport Fri, 09/18/2009 - 07:58

Thanks for your reply.

Does TLS require a different port, or the usual one (25 for SMTP)?
I sent an email to Google (for testing) using TLS required, but it never arrived.
The IronPort logs show the email as sent. Could it be the provider, or is the required option not supported by Google?

steven_geerts Fri, 09/18/2009 - 12:34

Hi Ardi_80,

TLS works on the standard TCP port 25. (Although there is an old, deprecated standard that uses an alternative port, IronPort (and most other mail systems nowadays) use "plain" TCP 25 communication.)

If you want to know whether a remote mail server supports TLS or not, there is a quite simple trick to determine this.

1) Log on to the CLI of your IronPort
2) Find a/the mail server of your target domain by executing "nslookup domain.name MX" (if needed)
3) Execute "telnet mailhost.domain.name 25" (you get a connection with the remote SMTP server)
4) Enter "EHLO test"
5) The remote server shows its capabilities/limitations. If "STARTTLS" is present in the list, the remote server supports TLS.

good luck!

Steven

PS: I tested a few Google hosts and it seems Google supports TLS.
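The EHLO capability check Steven describes, as an added example that is not part of the original thread: `parse_ehlo_extensions` reads the keywords out of an EHLO reply (the sample reply and the host name `mx.example.test` are constructed), and `probe_starttls` does the same check live with the standard library instead of telnet.

```python
"""Check whether a remote MTA advertises STARTTLS in its EHLO reply."""
import smtplib

# Constructed sample of what a server prints after "EHLO test" (not a real capture).
SAMPLE_EHLO_REPLY = (
    "250-mx.example.test at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Return the ESMTP keywords advertised in an EHLO reply.

    The first line is the greeting ("250-hostname ..."); every following
    "250-" or "250 " line carries one extension keyword, optionally with
    parameters (e.g. "SIZE 35882577"), so only the first word is kept.
    """
    exts = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:              # skip the greeting line
        if not ln.startswith("250"):
            continue                  # not a success continuation line
        body = ln[4:].strip()         # drop "250-" / "250 "
        if body:
            exts.add(body.split()[0].upper())
    return exts


def supports_starttls(reply: str) -> bool:
    """True if STARTTLS is among the advertised extensions."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the telnet/EHLO test (needs network access to the host)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("test")             # same EHLO the manual procedure sends
        return smtp.has_extn("starttls")
```

`probe_starttls` only reports what the server advertises; a firewall that strips STARTTLS from the EHLO reply (the case Andrew mentions later in the thread) shows up as a missing keyword here too.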

ardi_80_ironport Tue, 09/22/2009 - 07:25

I also tested the EHLO test on our gateway, and it didn't show any STARTTLS.
I've started TLS on the C150 with destconfig from the CLI. Does the box need a restart after enabling TLS?
During certconfig it requires a private key. Is this the key generated during the request to the CA? If the certificate from the provider (DigiCert) is in .crt format, how do I convert it to .pem format? Are these formats the same?

Andrew Wurster Tue, 09/22/2009 - 23:12

I also tested the EHLO test on our gateway, and it didn't show any STARTTLS.
I've started TLS on the C150 with destconfig from the CLI. Does the box need a restart after enabling TLS?
[AW] No. Check your appropriate Mail Flow Policy / HAT sender group to make sure it's inheriting the expected policy. Also, make sure there are no firewalls in between inspecting SMTP sessions and potentially dropping 'STARTTLS' type commands.

During certconfig it requires a private key. Is this the key generated during the request to the CA? If the certificate from the provider (DigiCert) is in .crt format, how do I convert it to .pem format? Are these formats the same?
[AW] Yes. It really depends but I believe '.crt' file extensions are 'pem' format. I hate all the random extensions, so I usually tell by mimetype or filetype fingerprint, or by simply opening it with a text editor and looking. The important thing is that it is 'plain text' and has '----begin' and 'end----' tags in it.

Andrew
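Andrew's "open it in a text editor and look for the BEGIN/END tags" check, written as an added example that is not from the thread: PEM is the base64 of the DER bytes between those markers, so the conversion needs no external library (`SAMPLE_DER` is constructed filler, not a real certificate).

```python
"""Tell a PEM certificate from a DER one, and convert DER to PEM."""
import base64

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def detect_cert_format(data: bytes) -> str:
    """'pem' if the text markers are present, 'der' if it opens with an ASN.1 SEQUENCE tag."""
    if PEM_HEADER in data and PEM_FOOTER in data:
        return "pem"
    if data[:1] == b"\x30":       # DER X.509 certificates start with SEQUENCE (0x30)
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """PEM = base64(DER), wrapped at 64 columns, between the BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + b"\n"


def pem_to_der(pem: bytes) -> bytes:
    """Reverse of der_to_pem: strip the markers and whitespace, then base64-decode."""
    start = pem.index(PEM_HEADER) + len(PEM_HEADER)
    end = pem.index(PEM_FOOTER)
    return base64.b64decode(b"".join(pem[start:end].split()))


def to_pem(data: bytes) -> bytes:
    """Return PEM whatever the input was; raise on data that is neither."""
    fmt = detect_cert_format(data)
    if fmt == "pem":
        return data
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("not a PEM or DER certificate")


# Constructed placeholder: a SEQUENCE header plus filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```

On a machine with OpenSSL the equivalent one-liner is `openssl x509 -inform DER -in cert.crt -out cert.pem`; a `.crt` that already shows the BEGIN/END markers needs no conversion at all.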

ardi_80_ironport Fri, 09/25/2009 - 08:38

In the incoming mails after enabling TLS (preferred), I see the following in the log:

TLS success protocol TLSv1 cipher RC4-MD5.

Does it mean incoming mail is encrypted? Is the cryptographic protocol listed here? Is it the right one?

Andrew Wurster Fri, 09/25/2009 - 17:17

Does it mean incoming mail is encrypted? Is the cryptographic protocol listed here? Is it the right one?

[AW] Yes. Yes. Yes.

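An added example (not from the thread) that pulls the "TLS success ... cipher ..." events out of mail_logs lines like the one quoted above, separates inbound (ICID) from outbound (DCID) connections, and flags cipher suites that are legacy by today's standards (RC4 and MD5 were still accepted in 2009 but RC4 has since been prohibited in TLS). The log lines are constructed in mail_logs style, not a real capture.

```python
"""Summarise TLS outcomes from ESA mail_logs lines and flag legacy ciphers."""
import re

# Constructed sample lines in mail_logs style (not a real capture).
SAMPLE_LOG = """\
Fri Sep 25 08:30:01 2009 Info: ICID 1001 TLS success protocol TLSv1 cipher RC4-MD5
Fri Sep 25 08:30:05 2009 Info: DCID 2002 TLS success protocol TLSv1 cipher AES256-SHA
Fri Sep 25 08:31:10 2009 Info: DCID 2003 TLS failed: verify error
Fri Sep 25 08:31:12 2009 Info: ICID 1002 New SMTP ICID 1002 interface Data 1
"""

# ICID = injection (inbound) connection id, DCID = delivery (outbound) connection id.
TLS_RE = re.compile(
    r"(?P<dir>ICID|DCID) (?P<cid>\d+) TLS (?P<result>success|failed)"
    r"(?: protocol (?P<proto>\S+) cipher (?P<cipher>\S+))?"
)
# Substrings that mark a cipher suite as legacy: RC4, MD5, single/triple DES, NULL, export grade.
LEGACY_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")


def parse_tls_events(log_text: str) -> list:
    """Return one dict per TLS success/failure line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if not m:
            continue
        cipher = m.group("cipher")          # None on a failed handshake
        events.append({
            "direction": "inbound" if m.group("dir") == "ICID" else "outbound",
            "cid": int(m.group("cid")),
            "ok": m.group("result") == "success",
            "protocol": m.group("proto"),
            "cipher": cipher,
            "legacy_cipher": bool(cipher) and any(t in cipher.upper() for t in LEGACY_MARKERS),
        })
    return events


def summarize(events: list) -> dict:
    """Counts a defender wants at a glance: handshakes that worked, failed, or used a weak suite."""
    return {
        "success": sum(1 for e in events if e["ok"]),
        "failed": sum(1 for e in events if not e["ok"]),
        "legacy": sum(1 for e in events if e["legacy_cipher"]),
    }
```

A "TLS failed" line with no cipher is the case to chase when mail to a TLS-required domain never arrives; a success line with a legacy suite means the session was encrypted, but with a cipher that should be disabled in the appliance's SSL configuration.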
ardi_80_ironport Sat, 09/26/2009 - 14:47

Does anybody have a tool or method for troubleshooting certificate negotiation between servers? If my certificate is not trusted by clients, is there any log saved?

Andrew Wurster Mon, 09/28/2009 - 17:36

Yes, the appliance logs this information in the mail_logs along with all other delivery or injection information depending on the direction (contains 'DCID xxxx' or 'ICID xxxx').

To get more information, you could create an 'injection debug' log subscription on your ESA to capture SMTP conversations for all incoming mail from a particular host, or 'domain debug' logs to capture things in the opposite direction.

You can also use the 'tcpdump' command 'diagnostic > network > tcpdump' in the appliance's CLI to get a standard packet capture. Otherwise, you can use an external machine or firewall to capture similar info in a normal packet dump.
