Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

TLS and message filter question

Hello,

I don't believe this is possible because of the email workflow but I want to cover all bases.

Here is the scenario:

- We have 2 IronPort C350's. I have one that handles all normal outbound mail flow and the other handles CRE encryption as well as being set to TLS preferred for all outbound mail

-I have several outbound content filters set on the first box that will send to alt host (the second box) for either CRE encryption or simply delivered via TLS preferred.

-The filters that do not use CRE encryption are basically for SSN and HIPAA term matches from (careless) internal users who do not choose end-to-end encryption.


I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?

Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.

My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.

Any insight into this would be greatly appreciated. Thanks![/list]

1 REPLY
Cisco Employee

Re: TLS and message filter question




I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?

Currently, The IronPort is not able to turn over a failed TLS
connection to another mechanism.


Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.


You can configure a workaround of sorts by creating specific bounce
profiles for domains that require TLS, and setting these profiles to
bounce messages within a short period of time 9 say 2 minutes or
less).
That way, if the message is in the delivery queue and a TLS
connection cannot be verified to the recipient host, the message
would bounce.
The bounce would contain a 5.4.7 error message stating that TLS was
unavailable. This workaround would depend on how savvy your users
are at reading/understanding bounce messages.



My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.


This would probably be the best option.


236
Views
0
Helpful
1
Replies
CreatePlease to create content