Security Review (Optional)

Efficacy Guide using Cisco Secure Email

Additional Hardening Recommendations

Admins should always keep in mind who has access to the mail gateway. Please always be sure to have best practices for the following to keep your configuration safe:

Scanning of Password-protected Attachments

Starting with the AsyncOS 14.0 was made available.

  1. Security Services > Scan Behavior
  2. Click Edit Global Settings...
  3. In Scanning of Password-protected Attachments, click Enabled for Inbound Mail Traffic
  • Outbound Mail Traffic is optional
  1. In Probable Password for Analysis, click Enabled
  2. Define up to five (5) passwords in the setting
  3. Submit and Commit your configuration changes

Sender Domain Reputation

Sender Domain Reputation (SDR) was introduced in AsyncOS 12.0. This is enabled by default. Assure that you are running the minimum configuration of SDR:


Note: Cluster: Hosted_Cluster as this is Cloud Gateway

User Config

For your Gateway/Cloud Gateway, enforce 90-day passphrase expiration.

  1. System Administration > Users
  2. In Local User Account & Passphrase Settings, click Edit Settings...
  3. For Passphrase Reset, configure Require users to reset passphrases after 90 days
  4. Submit and Commit your configuration changes

Two-factor Authentication (2FA)

For your Gateway/Cloud Gateway, enable Two-factor Authentication.

You can use a RADIUS directory to configure two-factor authentication for specific user roles. The email gateway supports the following authentication protocols for communicating with the RADIUS server:

  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)

You can enable two-factor authentication for the following user roles:

  • predefined
  • custom

The feature has been tested with:

  • RSA Authentication Manager v8.2
  • FreeRADIUS v1.1.7 and above
  • ISE v1.4 and above

Enabling Two-Factor Authentication

Before You Begin

Make sure that you get the required RADIUS server details for two-factor authentication from your IT administrator.


Step 1 | On the System Administration > Users page, click Enable under Two-Factor Authentication.

Step 2 | Enter the hostname or IP address of the RADIUS server.

Step 3 | Enter the port number of the RADIUS server.

Step 4 | Enter the Shared Secret password of the RADIUS server.

Step 5 | Enter the number of seconds to wait for a response from the server before timing out.

Step 6 | Select the appropriate authentication protocol.

Step 7 | (Optional) Click Add Row to add another RADIUS server. Repeat steps 2 to 6 for each RADIUS server.

Note: You can add up to ten RADIUS servers.

Step 8 | Select the required user roles for which you want to enable two-factor authentication.

Step 9 | Submit and commit your changes.

When two-factor authentication is enabled, the user is prompted to enter a passcode after entering the username and passphrase, to login to the email gateway.

Guide Checklist

At this time, we have completed the following:

Congratulations! You're at the end of the Efficacy Guide using Cisco Secure Email! Thank you for taking the time to step through this guide.

Up next, if you wish - ensure that you get full use and detection of URLs with our URL Defense Guide.

What’s Next