Configuration Changes in FIPS Mode

The Secure Email and Web Manager uses Cisco SSL and FIPS-compliant certificates for communication when the appliance is in FIPS mode. See Switching the Appliance to FIPS Mode for more information.

To be FIPS Level 1 compliant, the Secure Email and Web Manager makes the following changes to your configuration:

  • SMTP receiving and delivery: Incoming and outgoing SMTP conversations over TLS between a public listener on the Secure Email and Web Manager and a remote host use TLS version 1.1 or 1.2 and FIPS cipher suites. TLS versions 1.1 and 1.2 are the only versions of TLS supported in FIPS mode.
  • Web interface: HTTPS sessions to the Secure Email and Web Manager’s web interface use TLS version 1.1 or 1.2 and FIPS cipher suites. This also includes HTTPS sessions to the Spam Quarantine and other IP interfaces.
  • LDAPS: TLS transactions between the Secure Email and Web Manager and LDAP servers, including the use of an LDAP server for external authentication, use TLS version 1.1 or 1.2 and FIPS cipher suites. If the LDAP server stores passwords as MD5 hashes, the SMTP authentication query will fail, because MD5 is not a FIPS-compliant algorithm.
  • Logs: SSH2 is the only allowed protocol for pushing logs via SCP. For error messages related to FIPS management, read the FIPS Logs at the INFO level.
  • SSL Ciphers: Only FIPS-compliant SSL ciphers are supported.
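After switching the appliance to FIPS mode, it is worth confirming from an outside host that the listeners actually behave as the list above says: TLS 1.0 is refused, TLS 1.1 or 1.2 is accepted, and the negotiated suite contains nothing outside the FIPS set. The following Python script is an added example, not Cisco tooling or code from this guide. The host name sma.example.com, the ports, and the list of non-FIPS algorithm markers are assumptions for illustration; the appliance's real allowed list is whatever its FIPS cipher configuration reports.

```python
"""Post-FIPS-mode TLS probe (added example; not part of the Cisco guide).

Checks a direct-TLS interface (HTTPS, LDAPS) or an SMTP listener via
STARTTLS for the behaviour FIPS mode is documented to enforce.
"""
import smtplib
import socket
import ssl
import sys

ALLOWED_VERSIONS = ("TLSv1.1", "TLSv1.2")

# Algorithm names that cannot appear in a FIPS-approved suite. Conservative
# assumption for this example, not the appliance's actual list; 3DES suites
# are deliberately not flagged here, tighten this if your policy bans them.
NON_FIPS_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH",
                    "CHACHA20", "CAMELLIA", "SEED", "IDEA", "PSK", "SRP")


def cipher_is_fips_approved(cipher_name):
    """True unless the OpenSSL/IANA suite name names a non-FIPS algorithm."""
    name = cipher_name.upper()
    return not any(marker in name for marker in NON_FIPS_MARKERS)


def negotiation_matches_fips_policy(version, cipher_name):
    """The rule from the guide: TLS 1.1 or 1.2 only, with a FIPS cipher suite."""
    return version in ALLOWED_VERSIONS and cipher_is_fips_approved(cipher_name)


def _client_context(min_version, max_version):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we test protocol policy here, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it so
        # the client really offers the old version and any refusal is the server's.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                        # builds without SECLEVEL support (e.g. LibreSSL)
    return ctx


def probe_tls(host, port, min_version, max_version, timeout=5.0):
    """Direct-TLS probe. Returns (version, cipher) or None if the handshake is refused."""
    ctx = _client_context(min_version, max_version)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
        except (ssl.SSLError, ConnectionResetError):
            return None


def probe_starttls_smtp(host, port, min_version, max_version, timeout=5.0):
    """SMTP STARTTLS probe for a listener. Returns (version, cipher) or None."""
    ctx = _client_context(min_version, max_version)
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # smtp.sock is the SSLSocket after this call
        return smtp.sock.version(), smtp.sock.cipher()[0]
    except (ssl.SSLError, ConnectionResetError, smtplib.SMTPException):
        return None
    finally:
        smtp.close()


def audit(host, port, probe=probe_tls):
    """Return {check: passed} for the three behaviours FIPS mode must show."""
    v = ssl.TLSVersion
    legacy = probe(host, port, v.TLSv1, v.TLSv1)         # must be refused
    modern = probe(host, port, v.TLSv1_1, v.TLSv1_2)     # must succeed
    return {
        "tls1.0_refused": legacy is None,
        "tls1.1_or_1.2_accepted": modern is not None,
        "fips_policy_on_negotiated_suite":
            modern is not None and negotiation_matches_fips_policy(*modern),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sma.example.com"  # assumed host
    print("HTTPS 443:", audit(target, 443))
    print("SMTP  25 :", audit(target, 25, probe=probe_starttls_smtp))
```

Run it against the management interface and each public listener; every value in the returned dictionaries should be True. A False for "tls1.0_refused" means the appliance still negotiated TLS 1.0 and FIPS mode is not in effect on that interface. LDAPS is checked the same way with probe_tls against the directory server's port, since the guide requires the appliance's outbound LDAP connections to meet the same policy.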