Sophos XG - Smarthost - DKIM Signatur wird nicht durchgeführt

Hi Indimundur,

Thanks for reaching out to the Community! 

Would it be possible for you to share screenshots of the email protection configuration and firewall rules for SMTP/SMTPS?  You may obscure personal information for discretion. We would also need to see the smtpd_main logs ion debugging.

I would also suggest you ensure that outbound emails are allowed through the correct firewall rules. 

Thanks,

Of course, I would have liked to run it more earlier.

Here is a set of screenshots and logs.
I also noticed that the MIME banner is not added either. inline works

The DKIM/DMARC functions are already well known to me through the UTM SG.

DKIM-Generator: https://easydmarc.com/tools/dkim-record-generator (selector "dkim", Domain "domain.tld", Key Lenght "2048)

Firewall:

But where i found "smtpd_main logs?"

Hi Indimundur,

Thanks for providing the screenshots; try to run packet capture from the firewall GUI on the SMTP port while sending an email to confirm the firewall rule number. 

• Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI

On the CLI, select option 5. Device Management, then option 3. Advanced Shell. Then change to the log directory using the command cd /log.

• Log file details

Thanks,

unfortunately really very bad pictures.
They come from screenshots from my video. I could not find a better export.
This shows the complete progress.

And now what? ^^

Hi Indimundur,

These screenshots aren't good to interpret the logs; please copy and paste the logs or create a file and send it via personal message. 

Thanks,

Okay, so im officially dumb...
I only found the logs via shell. How do I get to the corresponding files via GUI?

So.
I created again a capture in Diagnostics > Packet Capture while I sent a mail.

I see the transmission as with "Wireshark".

But the question is why the outgoing mail from Sophos is not signed with DKIM.

I can see that this is not happening from the header of the email on the external mail server.

PS: Is it no longer possible to simply download the logs as from SG? That is already very uncomfortable.

So.
I created again a capture in Diagnostics > Packet Capture while I sent a mail.

I see the transmission as with "Wireshark".

But the question is why the outgoing mail from Sophos is not signed with DKIM.

I can see that this is not happening from the header of the email on the external mail server.

PS: Is it no longer possible to simply download the logs as from SG? That is already very uncomfortable.

Hi Indimundur,

You could follow the steps from the following KBA to download the logs from the firewall: 

• Sophos Firewall: Extract files from the Sophos Firewall

However, I'd suggest you open a support case at support.sophos.com with an internal reference ID NC-73542; this issue has been identified by our support team and is currently being investigated. Once you open a support case, please send me the case number by personal message; I'll help you with the case follow-up as well as collecting the required logs from your firewall. 

Thanks,

Hi Indimundur,

The hotfix has been released for this issue, please check if you've selected "Allow automatic installation of hotfixes under Backup & firmware > Firmware > Hotfix. 

You could also verify the detail of this hotfix from the u2d logs. You could use the following command from the Advanced shell to confirm.

• grep "sfsysupdate_NC-73542.tar.gz.gpg" u2d.log

Thanks,

Do I then still need to trigger a restart of a service? Because during the test just now no signature was included so far.

EDIT: well, i found the web-console now -.-'

 <File name="sfsysupdate_NC-73542.tar.gz.gpg">                               
      <location>d3tusa5dvomhzy.cloudfront.net/.../sfsysupdate_NC-7
3542.tar.gz.gpg</location>                                                      
DEBUG     May 27 18:31:29 [23438]: Received name : sfsysupdate_NC-73542.tar.gz.g
pg                                                                              
DEBUG     May 27 18:31:29 [23438]: Received location : https://d3tusa5dvomhzy.cl
oudfront.net/SYSUPDATE/sfsysupdate_NC-73542.tar.gz.gpg                          
Thu May 27 18:32:27 2021 dr_dload_checker: Starting download for file sfsysupdat
e_NC-73542.tar.gz.gpg                                                           
Thu May 27 18:33:28 2021 dr_dload_checker: Download completed for file sfsysupda
te_NC-73542.tar.gz.gpg                                                          
Thu May 27 18:33:28 2021 dr_dload_checker: Download for file sfsysupdate_NC-7354
2.tar.gz.gpg passed integrity and gpg checks                                    
SFVH_SO01_SFOS 18.0.5 MR-5-Build586#

The log digest for the public here:

15889 LOG: MAIN PANIC                                                           
15889   signing_init: privkey PEM-block import: error:0906D06C:PEM routines:PEM_
read_bio:no start line                                                          
2021-05-27 20:25:46.666 [15889] j22kqi-3axN31-eG signing_init: privkey PEM-block
 import: error:0906D06C:PEM routines:PEM_read_bio:no start line                 
15889 LOG: MAIN PANIC                                                           
15889   DKIM: signing failed: PRIVKEY                                           
2021-05-27 20:25:46.666 [15889] j22kqi-3axN31-eG DKIM: signing failed: PRIVKEY  
15889 locking /sdisk/spool/output//db/wait-remote_smtp.lockfile                 
     ad

Well.

You have to insert the WHOLE block, including BEGIN and END line.
Now the message went through without errors and is signed correctly.

-----BEGIN RSA PRIVATE KEY-----
sieufhpseiufdpisuoefhioesuhf
ppeuifdhsepiufh .....
-----END RSA PRIVATE KEY-----