Setup TLS on inbound email from specific domains – IronPort

Issue: You would like to require (or attempt) TLS encryption on inbound email communications from specific partner email domains.

Solution Snippet: In this walkthrough we will be creating a partner Sender Group and Mail a Flow Policy that prefers or requires TLS encrypted communication.

Solution Walkthrough

Create a new Mail Flow Policy called “TLS_Required_Policy”
click Mail Policies > Mail Flow Policies
click the Add Policy button
put TLS_Required_Policy in the Name field
add-mail-flow-policy-tlsScroll down to Security Features and change the TLS setting to “Required“.

click the Submit button to save the new Mail Flow Policy.

25% off new products at!

Next we will create a new Sender Group which will contain the ‘TLS required’ entities that send email to your organization:

click Mail Policies > HAT Overview
click “Add Sender Group” button
Name the Sender Group “TLS_Required_Group”
Select the “TLS_Required_Policy” from the Policy drop down menu
tis required sender groupclick the “Submit and Add Senders” button

Add the IP and/or hostnames in the ‘Sender’ field and click Submit:
add-sender-to-sender-groupNote: I’ve found that the sending mail servers IP or Hostname is what is what the IronPort uses, which may not be the same as the senders email domain name.  You may need to review the headers on the incoming mail to determine the sending mail server hostname or IP.

Position the “TLS_Required_Group” Sender Group above the Whitelist Sender Group:
click Mail Policies > HAT Overview
click ‘Edit Order’ button
change the arrangement so that TLS_Required_Group is placed above the WHITELIST group

Note: you can alternatively substitute “TLS_Preferred” in the group/policy names and select TLS Preferred rather than Required in the settings.  TLS preferred will attempt TLS, and if TLS cannot be established will receive mail as clear text.

In order to test, contact the organization you setup to receive TLS email from and ask them to send you some test emails.  Next, open the Monitor menu page to verify incoming IronPort TLS.

Here are steps to setup TLS for outbound mail or enable TLS on all incoming email.


4 thoughts on “Setup TLS on inbound email from specific domains – IronPort

  1. Navishkar Sadheo


    why does the new sender group need to be positioned in between “relay list” and “whitelist” ?

    is there a particular reason?

    1. Chris Harris Post author

      Hi Navishkar, I believe the new TLS_Required sender group needs to go above Whitelist is because the groups are parsed in an iterative fashion, meaning it uses the policy of the first group that the sender is matched with. If Whitelist was above TLS_Required then a sender being in the whitelist would have the whitelist policy applied and then TLS would not be required because it hit the Whitelist group/policy first since it was the first match. Let me know if this makes sense or you have any questions. If you find Cisco ESA documentation to the contrary please let me know that as well. Thx


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.