04-03-2009 03:39 PM
Hello,
I don't believe this is possible because of the email workflow but I want to cover all bases.
Here is the scenario:
- We have 2 IronPort C350's. I have one that handles all normal outbound mail flow and the other handles CRE encryption as well as being set to TLS preferred for all outbound mail
-I have several outbound content filters set on the first box that will send to alt host (the second box) for either CRE encryption or simply delivered via TLS preferred.
-The filters that do not use CRE encryption are basically for SSN and HIPAA term matches from (careless) internal users who do not choose end-to-end encryption.
I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?
Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.
My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.
Any insight into this would be greatly appreciated. Thanks![/list]
04-07-2009 01:22 PM
I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?
Currently, The IronPort is not able to turn over a failed TLS
connection to another mechanism.
Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.
You can configure a workaround of sorts by creating specific bounce
profiles for domains that require TLS, and setting these profiles to
bounce messages within a short period of time 9 say 2 minutes or
less).
That way, if the message is in the delivery queue and a TLS
connection cannot be verified to the recipient host, the message
would bounce.
The bounce would contain a 5.4.7 error message stating that TLS was
unavailable. This workaround would depend on how savvy your users
are at reading/understanding bounce messages.
My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.
This would probably be the best option.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide