Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
982
Views
0
Helpful
1
Replies

TLS and message filter question

richardacarey
Level 1
Level 1

‎04-03-2009 03:39 PM

Hello,

I don't believe this is possible because of the email workflow but I want to cover all bases.

Here is the scenario:

- We have 2 IronPort C350's. I have one that handles all normal outbound mail flow and the other handles CRE encryption as well as being set to TLS preferred for all outbound mail

-I have several outbound content filters set on the first box that will send to alt host (the second box) for either CRE encryption or simply delivered via TLS preferred.

-The filters that do not use CRE encryption are basically for SSN and HIPAA term matches from (careless) internal users who do not choose end-to-end encryption.


I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?

Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.

My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.

Any insight into this would be greatly appreciated. Thanks![/list]

Labels:
0 Helpful
1 Reply 1

Douglas Hardison
Cisco Employee
Cisco Employee

‎04-07-2009 01:22 PM 




I was wondering if it were possible to have a rule set up on the second box to basically act on failed TLS requests for outbound messages and use CRE encryption?

     Currently, The IronPort is not able to turn over a failed TLS
          connection to another mechanism.
 
Another option I was looking at was setting TLS to required and then setting up a rule to notify the internal sender of failed TLS.

     
     You can configure a workaround of sorts by creating specific bounce 
      profiles for domains that require TLS, and setting these profiles to
      bounce  messages within a short period of time 9 say 2 minutes or 
      less). 
      That way, if the message is in the delivery queue and a TLS 
      connection cannot be verified to the recipient host, the message 
      would bounce.  
      The bounce would contain a 5.4.7 error message stating that TLS was 
      unavailable. This workaround would depend on how savvy your users 
      are at reading/understanding bounce messages.
      


My third option ( and the one I think I'll end up having to use) is to set the filters up to use CRE encryption instead.

       
       This would probably be the best option.

0 Helpful
Customers Also Viewed These Support Documents