Cisco Support Community

New Member

Ask the Expert: How to Configure Cisco IronPort TLS

We have never used TLS before and haven't got any certs/keys (C650).

Is there a checklist of everything needed to set up TLS between our company and an external company that requires it?

I know there is information in the Advanced user guide but I need a dummy guide!

I checked the website: the TLS solution requires

 - a CSR, a certificate server, OpenSSL or MS CA. Does it require anything else?


Please Help



Ake V

Cisco Employee

TLS will work with the self-signed certificate that comes pre-installed on your ESA. You may also import a new certificate and configure TLS to use the specific certificate.

Documentation below will describe how to enforce TLS as "Preferred" or "Required" using the Destination Controls feature (GUI > Mail Policies > Destination Controls).

You can configure the TLS (Transport Layer Security) on a per-domain basis. If the “Required” setting is specified, a TLS connection will be negotiated from the appliance listener to MTA(s) for the domain. If the negotiation fails, no email will be sent through the connection.


Changing the Destination Controls "Default" TLS setting to "Preferred" means that the ESA will attempt TLS delivery and, if TLS fails, the message will be sent in plain text.
Once you make the change, don't forget to submit and commit changes.

What if TLS Fails?
You can specify whether the appliance sends an alert if the TLS negotiation fails when delivering messages to a domain that requires a TLS connection. The alert message contains the name of the destination domain for the failed TLS negotiation. The appliance sends the alert message to all recipients set to receive Warning severity level alerts for System alert types. You can manage alert recipients via the System Administration > Alerts page in the GUI (or via the alertconfig command in the CLI).

To enable TLS connection alerts, click Edit Global Settings on the Destination Controls page or destconfig -> setup subcommand. This is a global setting, not a per-domain setting. For information on the messages that the appliance attempted to deliver, use the Monitor > Message Tracking page or the mail logs.

You must specify a certificate to use for all outgoing TLS connections. Use the Edit Global Settings on the Destination Controls page or the destconfig -> setup subcommand to specify the certificate.
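As an added example, not part of the original thread and not Cisco's own tooling: the answer above warns that with TLS set to "Required" no mail is delivered if negotiation fails, so before flipping a partner domain from "Preferred" to "Required" it is worth probing that domain's MX hosts from outside the ESA. The script below connects to each MX, checks that EHLO advertises STARTTLS, completes the handshake with chain verification against the local trust store, and reports the negotiated protocol, cipher, certificate names and expiry, plus whether the certificate actually names the MX host. It uses only the Python standard library; the MX hostnames are supplied on the command line, and the `EXAMPLE_CERT` dictionary is a constructed sample for the offline demo, not a real partner certificate. The hostname and chain checks are this script's own; which of them the ESA applies under "Required" depends on its TLS settings, which the post does not cover.

```python
"""Pre-flight STARTTLS probe for a partner domain's MX hosts (added example)."""
import smtplib
import ssl
import sys

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# used only for the offline demo; not a real partner certificate.
EXAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.com"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}


def summarize_cert(cert):
    """Pull subject CN, DNS SANs and expiry out of a getpeercert() dict."""
    cn = next(
        (value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"),
        None,
    )
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"cn": cn, "sans": sans, "not_after": cert.get("notAfter")}


def _name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # The wildcard covers exactly one label: *.example.com matches
        # mx.example.com, but not example.com and not a.b.example.com.
        return host.count(".") == pattern.count(".") and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def mx_matches_cert(mx_host, cert):
    """True if the MX hostname is covered by the cert's DNS SANs (CN only as a fallback)."""
    info = summarize_cert(cert)
    names = info["sans"] or ([info["cn"]] if info["cn"] else [])
    return any(_name_matches(name, mx_host) for name in names)


def probe_starttls(mx_host, port=25, timeout=10):
    """Connect to one MX, attempt STARTTLS with chain verification, report the outcome."""
    result = {"host": mx_host, "starttls_offered": False, "tls_ok": False}
    # Verify the chain against the system trust store, but do the hostname
    # comparison ourselves so a mismatch is reported rather than raised.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return result  # "Required" would fail here: nothing to negotiate
            result["starttls_offered"] = True
            smtp.starttls(context=ctx)
            sock = smtp.sock  # now an ssl.SSLSocket
            cert = sock.getpeercert()
            result.update(summarize_cert(cert))
            result["version"] = sock.version()
            result["cipher"] = sock.cipher()[0]
            result["hostname_match"] = mx_matches_cert(mx_host, cert)
            result["tls_ok"] = True
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"chain verification failed: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demo on the constructed certificate.
        print(summarize_cert(EXAMPLE_CERT), mx_matches_cert("mx1.example.com", EXAMPLE_CERT))
    for mx in sys.argv[1:]:
        print(probe_starttls(mx))
```

Run it as `python probe.py mx1.partner.example mx2.partner.example` from a host that can reach port 25. A result with `starttls_offered` False, `tls_ok` False or `hostname_match` False on any MX is exactly the case where "Required" would stop mail to that domain; fix it with the partner (or stay on "Preferred" and watch the TLS alerts described above) before enforcing.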