
Sophos XG - Smarthost - DKIM signature is not being applied

Hi,

I would like the XG to sign outgoing mails with a DKIM signature.

Key pairs have been generated and entered, as has the DNS zone.

However, it turns out that the e-mails are delivered without a signature.

I assume that a separate entry has to be created in the XG under "DKIM SIGNING" for each domain.

As an example, let's use "name@domain.tld" here in the forum, which results in the entry below.

Current version: SFVH (SFOS 18.0.5 MR-5-Build586)

Am I doing something wrong, or what should one watch out for?

Sophos's online help is no more than what you can already see in the GUI. https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/DKIMSignatureAdd.html

Regards, Patrick

  • FormerMember
    0 FormerMember

    Hi,

    Thanks for reaching out to the Community!

    Would it be possible for you to share screenshots of the email protection configuration and firewall rules for SMTP/SMTPS? You may obscure personal information for discretion. We would also need to see the smtpd_main logs for debugging.

    I would also suggest you ensure that outbound emails are allowed through the correct firewall rules. 

    Thanks,

  • Of course, I would have liked to run it earlier.

    Here is a set of screenshots and logs.
    I also noticed that the MIME banner is not added either; inline works.

    The DKIM/DMARC functions are already well known to me through the UTM SG.

    DKIM generator: https://easydmarc.com/tools/dkim-record-generator (selector "dkim", domain "domain.tld", key length "2048")

    Firewall:

    But where do I find the "smtpd_main logs"?

  • FormerMember
    0 FormerMember in reply to Indimundur

    Hi,

    Thanks for providing the screenshots; try to run packet capture from the firewall GUI on the SMTP port while sending an email to confirm the firewall rule number. 

    On the CLI, select option 5. Device Management, then option 3. Advanced Shell. Then change to the log directory using the command cd /log.

    Thanks,

  • Unfortunately, really very bad pictures.
    They come from screenshots from my video. I could not find a better export.
    This shows the complete progress.

  • FormerMember
    0 FormerMember in reply to Indimundur

    Hi,

    These screenshots aren't good to interpret the logs; please copy and paste the logs or create a file and send it via personal message. 

    Thanks,

  • Okay, so I'm officially dumb...
    I only found the logs via shell. How do I get to the corresponding files via GUI?

  • So.
    I created again a capture in Diagnostics > Packet Capture while I sent a mail.

    I see the transmission as with "Wireshark".

    But the question is why the outgoing mail from Sophos is not signed with DKIM.

    I can see that this is not happening from the header of the email on the external mail server.

    PS: Is it no longer possible to simply download the logs as from SG? That is already very uncomfortable.

  • FormerMember
    0 FormerMember in reply to Indimundur

    Hi,

    You could follow the steps from the following KBA to download the logs from the firewall: 

    However, I'd suggest you open a support case at support.sophos.com with an internal reference ID NC-73542; this issue has been identified by our support team and is currently being investigated. Once you open a support case, please send me the case number by personal message; I'll help you with the case follow-up as well as collecting the required logs from your firewall. 

    Thanks,

  • FormerMember
    0 FormerMember in reply to FormerMember

    Hi,

    The hotfix has been released for this issue; please check that you've selected "Allow automatic installation of hotfixes" under Backup & firmware > Firmware > Hotfix.

    You could also verify the detail of this hotfix from the u2d logs. You could use the following command from the Advanced shell to confirm.

    • grep "sfsysupdate_NC-73542.tar.gz.gpg" u2d.log

    Thanks,

  • Do I then still need to trigger a restart of a service? Because during the test just now no signature was included so far.


    EDIT: well, I found the web console now -.-'

    <File name="sfsysupdate_NC-73542.tar.gz.gpg">
         <location>d3tusa5dvomhzy.cloudfront.net/.../sfsysupdate_NC-73542.tar.gz.gpg</location>
    DEBUG     May 27 18:31:29 [23438]: Received name : sfsysupdate_NC-73542.tar.gz.gpg
    DEBUG     May 27 18:31:29 [23438]: Received location : https://d3tusa5dvomhzy.cloudfront.net/SYSUPDATE/sfsysupdate_NC-73542.tar.gz.gpg
    Thu May 27 18:32:27 2021 dr_dload_checker: Starting download for file sfsysupdate_NC-73542.tar.gz.gpg
    Thu May 27 18:33:28 2021 dr_dload_checker: Download completed for file sfsysupdate_NC-73542.tar.gz.gpg
    Thu May 27 18:33:28 2021 dr_dload_checker: Download for file sfsysupdate_NC-73542.tar.gz.gpg passed integrity and gpg checks
    SFVH_SO01_SFOS 18.0.5 MR-5-Build586#

    The log digest for the public here:

    15889 LOG: MAIN PANIC
    15889   signing_init: privkey PEM-block import: error:0906D06C:PEM routines:PEM_read_bio:no start line
    2021-05-27 20:25:46.666 [15889] j22kqi-3axN31-eG signing_init: privkey PEM-block import: error:0906D06C:PEM routines:PEM_read_bio:no start line
    15889 LOG: MAIN PANIC
    15889   DKIM: signing failed: PRIVKEY
    2021-05-27 20:25:46.666 [15889] j22kqi-3axN31-eG DKIM: signing failed: PRIVKEY
    15889 locking /sdisk/spool/output//db/wait-remote_smtp.lockfile
         ad

  • Well.

    You have to insert the WHOLE block, including BEGIN and END line.
    Now the message went through without errors and is signed correctly.

    -----BEGIN RSA PRIVATE KEY-----
    sieufhpseiufdpisuoefhioesuhf
    ppeuifdhsepiufh .....
    -----END RSA PRIVATE KEY-----
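The fix above (paste the whole PEM block, BEGIN and END lines included) can be checked before the key goes into the XG. The Python below is an added example, not Sophos code: it reproduces the structural checks behind the "PEM_read_bio:no start line" error from the log and assembles the DKIM TXT record for the selector "dkim" and domain "domain.tld" used in this thread. The key bodies in it are constructed placeholders, not real keys.

```python
import base64
import re

# One complete PEM block: BEGIN armor, base64 body, matching END armor.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P<end>[A-Z ]+)-----"
)

def check_pem_private_key(text: str) -> str:
    """Return "ok" for a structurally usable private-key PEM block, else a reason."""
    m = PEM_RE.search(text)
    if not m:
        # A body pasted without its armor is exactly what produced
        # 'PEM_read_bio:no start line' in the smtpd log above.
        if "-----BEGIN" not in text:
            return "no start line: BEGIN armor missing, paste the whole block"
        return "END armor missing or armor malformed"
    label, end = m.group("label"), m.group("end")
    if label != end:
        return f"BEGIN/END labels differ: {label!r} vs {end!r}"
    if "PRIVATE KEY" not in label:
        return f"not a private key block: {label!r}"
    body = "".join(m.group("body").split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return "body is not valid base64"
    # Structural check only: PKCS#1 and PKCS#8 keys are a DER SEQUENCE (tag 0x30).
    if not der or der[0] != 0x30:
        return "decoded body is not a DER SEQUENCE"
    return "ok"

def dkim_txt_record(selector: str, domain: str, pubkey_pem: str) -> tuple:
    """Build (name, value) of the DKIM TXT record from a PEM public key."""
    m = PEM_RE.search(pubkey_pem)
    if not m or "PUBLIC KEY" not in m.group("label"):
        raise ValueError("expected a PEM PUBLIC KEY block")
    p = "".join(m.group("body").split())   # p= carries the bare base64 of the key
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={p}"

# Constructed sample input: 'MAMCAQA=' is a minimal DER SEQUENCE, not a real key.
BODY_ONLY = "MAMCAQA=\n"   # the armor-less paste that failed in the thread
FULL_BLOCK = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
PUB_BLOCK = "-----BEGIN PUBLIC KEY-----\nMAMCAQA=\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(check_pem_private_key(BODY_ONLY))    # no start line: BEGIN armor missing, ...
    print(check_pem_private_key(FULL_BLOCK))   # ok
    print(dkim_txt_record("dkim", "domain.tld", PUB_BLOCK))
```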
