Cisco Support Community
Community Member

TLS mutual authentication and Separate default SMTP routes per listener - IronPort c370

Dear all,

 

We have two IronPort C370 ESAs, formed in a cluster.

We need to route e-mails targeted to a special group using TLS Required/Verify.

I have two questions:

 

1. Is TLS mutual authentication possible on both incoming and outgoing?

 

2. Due to the nature of the TLS need, the existing listener cannot be used. So I created a new listener and respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS required/verify. The problem is that there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet, while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners?

 

Thanks and kind regards,

Gino.

 

PS: Please bear with me and my questions. I am making my first steps in IronPort administration.

Community Member

I have made some sort of progress but I would also like to have your expert opinions.

 

I have come to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s)' CA (containing SANs etc. for both the SMTP domain and the ESA itself), while if I spread my own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. The issue is that I will have to declare it in destination controls and it cannot be generic.

Is there any way to make TLS required/verify with mutual authentication the default without having to set destination control(s)?

 

As for my second question, I have come to understand that the additional listener is not an additional MTA and consequently I cannot have a separate default SMTP route (default = what is called "ALL" in IronPort). Still, if anyone knows something more, it would be really helpful if it was shared.
