AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 26: Authenticating SMTP Sessions Using Client Certificates
• Overview of Certificates and SMTP Authentication
• Checking the Validity of a Client Certificate
• Authenticating a User Using an LDAP Directory
• Authenticating an SMTP Connection Over TLS Using a Client Certificate
• Establishing a TLS Connection from the Appliance
• Updating a List of Revoked Certificates
Overview of Certificates and SMTP Authentication
The Email Security appliance supports the use of client certificates to authenticate SMTP sessions
between the Email Security appliance and users’ mail clients. The Email Security appliance can request
a client certificate from a user’s mail client when the application attempts to connect to the appliance to
send messages. When the appliance receives the client certificate, it verifies that the certificate is valid,
has not expired, and has not been revoked. If the certificate is valid, the Email Security appliance allows
an SMTP connection from the mail application over TLS.
Organizations that require their users to use a Common Access Card (CAC) for their mail clients can use
this feature to configure the Email Security appliance to request a certificate that the CAC and
ActivClient middleware application will provide to the appliance.
You can configure the Email Security appliance to require users to provide a certificate when sending
mail, but still allow exceptions for certain users. For these users, you can configure the appliance to use
the SMTP authentication LDAP query to authenticate the user.
Users must configure their mail client to send messages through a secure connection (TLS) and accept
a server certificate from the appliance.
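The three certificate checks and the LDAP exception path described above, modelled in Python as an added example; this is not Cisco's code and does not show how AsyncOS is implemented. The certificate is a constructed dict in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the revoked-serial set, the exception list and the ldap_ok flag are hypothetical stand-ins for a CRL, the appliance configuration and the result of the SMTP authentication LDAP query.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
# once the TLS stack has validated the chain against a trusted CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "alice@example.com"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
REVOKED_SERIALS = {"0DEAD1"}         # constructed stand-in for a parsed CRL
CERT_EXEMPT_USERS = {"svc-scanner"}  # hypothetical exception list


def certificate_problem(cert, now, revoked_serials):
    """Return None if the certificate passes, else the reason it fails."""
    if not cert:  # empty dict: TLS did not validate any client certificate
        return "no validated certificate"
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    if cert["serialNumber"].upper() in revoked_serials:
        return "revoked"
    return None


def authenticate(tls_active, cert, now, smtp_auth_user=None, ldap_ok=False):
    """Return how the session is authenticated: 'certificate', 'ldap' or 'reject'."""
    if not tls_active:  # a client certificate is only exchanged over TLS
        return "reject"
    if certificate_problem(cert, now, REVOKED_SERIALS) is None:
        return "certificate"
    # Exception path: only listed users may fall back to the LDAP query,
    # and only if that query (modelled by ldap_ok) accepted their credentials.
    if smtp_auth_user in CERT_EXEMPT_USERS and ldap_ok:
        return "ldap"
    return "reject"
```

The revocation check is only as current as the revoked-serial data it is given, which is why the appliance's list of revoked certificates has to be kept up to date.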
Related Topics
• How to Authenticate a User with a Client Certificate
• How to Authenticate a User with an SMTP Authentication LDAP Query
• How to Authenticate a User with an LDAP SMTP Authentication Query if the Client Certificate is Invalid