Sophos XG86 SPX encryption

I have successfully deployed SPX encryption on dozens of XG105 and XG115 in the past in MTA mode,

but I am having trouble getting the SPX encryption to work on an XG 86.

The device encrypts the email if I select "encrypt" with the Outlook plugin and also uses the selected (default) template, which is "Generated and stored for recipient",

but it does not send the password back.

I can't create an SMTP rule to tell it to forward emails for the customer's domain to the local Exchange, since that function is not available in XG86.

I thought it may use the settings in -administration-notification-external email server-, but it does not.

So how can I tell the device how or where to it should send the generated passwords?

Sophos XG86, SFOS 18.0.1 MR-1-Build396, Subscriptions: Base and E-Mail Protection



  • Hello d4nn13,

    Thank you for contacting the Sophos Community!

    This sounds like something that might need to be investigated. Can you provide the output of the awarrenmta.log?

    Regards,

  • I guess you mean awarrensmtp.log?

    awarrensmtp.log:

    MESSAGE   Oct 08 22:50:28 [3947825984]: process_request: tlv->type: 0 , tlv->length: 12 'id@my-email.de'
    ERROR     Oct 08 22:50:28 [3947825984]: get_value_from_tokyoCabinet() No entry for key 'id@my-email.de' in '/conf/sysfiles/spx/db//C0A1006YRVXXHD4rcpt_gen_db.tokyo'
    ERROR     Oct 08 22:50:28 [3947825984]: process_tlv_event(): recvfrom() blocked
    MESSAGE   Oct 08 22:52:38 [0x2000008a]: New SMTP Session Initialized 192.168.ZZZ.ZZZ:37248 ==> XX.XXX.132.187:25
    MESSAGE   Oct 08 22:52:38 [0x2000008a]: [0x2000008a0] FROM: address@customer-domain.de , TO: id@my-email.de
    MESSAGE   Oct 08 22:52:38 [0x2000008a]: Mail Accepted by SF With ID=0x2000008a
    MESSAGE   Oct 08 22:52:39 [0x2000008a]: [0x2000008a0](id@my-email.de)SF Policy Action: SPX
    ERROR     Oct 08 22:52:39 [3947825984]: get_value_from_tokyoCabinet() No entry for key 'id@my-email.de' in '/conf/sysfiles/spx/db//C0A1006YRVXXHD4gen_store_db.tokyo'
    ERROR     Oct 08 22:52:39 [3947825984]: release_sync_lock: need to sync DB
    MESSAGE   Oct 08 22:52:39 [3947825984]: Notification generated for SPX Password: Recipient address@customer-domain.de, Mail server XX.XXX.132.187:25
    MESSAGE   Oct 08 22:52:39 [3949693760]: forward_mail(): Sending Notification to 'address@customer-domain.de' on 'YY.YYY.138.5:25' (ipv6: '0')
    MESSAGE   Oct 08 22:52:39 [0x2000008a]: [0x2000008a0] Mail sent successfully with 250 OK id=1kQctz-00063J-9i

    As you can see, the XG intercepts the SMTP connection, encrypts the email and creates a password. It then tries to send the password to the provider's mail server that it got from querying the MX entry of the domain. The server even seems to accept the mail, but it never arrives at the customer's mailbox.

    XX.XXX.132.187 is the outgoing SMTP server or smarthost at the provider

    YY.YYY.135.5 is the mail server that the Sophos gets from querying the domain of the customer (MX entry)

    What I tried in the meantime:

    I configured the rDNS entry to match the IP address of the WAN interface

    I added an spx entry to the domain including the hostname / IP address of the Sophos WAN interface

    Can I enable more detailed logging?

    Is there any way of telling the Sophos to send emails via the smarthost?

  • Another weird thing is, I tested sending an email from the customer's internet connection from his email address to his email address with an SMTP test tool to verify that I can send email via MX, and this email actually arrives.

    The emails from the Sophos still don't arrive anywhere.

    Tool I used for testing:

    http://www.smtpdiagpro.com/

  • Hello d4nn13,

    Yes, you could put the service in debug mode:

    service awarrensmtp:debug -ds nosync

    To disable, run the same command.

    To answer your last question, only in MTA mode you can configure Smarthost.

    Regards,
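
The delivery-path mismatch visible in the awarrensmtp.log excerpt above can be pulled out of a longer log automatically. This is an added example, not part of the original thread and not Sophos code: the line patterns are inferred only from the lines posted here, the function name `analyze` is hypothetical, and the masked addresses are replaced with constructed documentation-range IPs so that they parse.

```python
import re

# Constructed sample: lines from the post above, with the masked
# addresses replaced by RFC 5737 documentation IPs (assumption).
SAMPLE_LOG = """\
MESSAGE   Oct 08 22:52:38 [0x2000008a]: New SMTP Session Initialized 192.0.2.10:37248 ==> 198.51.100.187:25
MESSAGE   Oct 08 22:52:38 [0x2000008a]: [0x2000008a0] FROM: address@customer-domain.de , TO: id@my-email.de
MESSAGE   Oct 08 22:52:39 [0x2000008a]: [0x2000008a0](id@my-email.de)SF Policy Action: SPX
ERROR     Oct 08 22:52:39 [3947825984]: get_value_from_tokyoCabinet() No entry for key 'id@my-email.de' in '/conf/sysfiles/spx/db//C0A1006YRVXXHD4gen_store_db.tokyo'
MESSAGE   Oct 08 22:52:39 [3947825984]: Notification generated for SPX Password: Recipient address@customer-domain.de, Mail server 198.51.100.187:25
MESSAGE   Oct 08 22:52:39 [3949693760]: forward_mail(): Sending Notification to 'address@customer-domain.de' on '203.0.113.5:25' (ipv6: '0')
MESSAGE   Oct 08 22:52:39 [0x2000008a]: [0x2000008a0] Mail sent successfully with 250 OK id=1kQctz-00063J-9i
"""

LINE = re.compile(r"^(MESSAGE|ERROR)\s+(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\]: (.*)$")
SESSION = re.compile(r"New SMTP Session Initialized (\S+) ==> (\S+)")
GENERATED = re.compile(r"Notification generated for SPX Password: Recipient (\S+), Mail server (\S+)")
FORWARD = re.compile(r"forward_mail\(\): Sending Notification to '([^']+)' on '([^']+)'")

def analyze(log_text):
    """Return (notifications, errors) extracted from awarrensmtp.log text."""
    session_servers = set()  # servers the intercepted sessions were going to
    expected = {}            # notification recipient -> "Mail server" as logged
    notifications, errors = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, ts, _ctx, msg = m.groups()
        if level == "ERROR":
            errors.append((ts, msg))
        elif s := SESSION.search(msg):
            session_servers.add(s.group(2))
        elif g := GENERATED.search(msg):
            expected[g.group(1)] = g.group(2)
        elif f := FORWARD.search(msg):
            rcpt, target = f.groups()
            notifications.append({
                "time": ts, "recipient": rcpt, "sent_to": target,
                "logged_mail_server": expected.get(rcpt),
                # True when the password mail went to a server other than the
                # one the user's own session used (here: MX, not the smarthost)
                "bypassed_session_server": target not in session_servers,
            })
    return notifications, errors

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A notification flagged `bypassed_session_server` is one to look for in the receiving MX's spam or quarantine logs, since it took a different route than the user's normal outbound mail.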