Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 929 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scanning Emails - Invalid Certificate

Hermann

I am trying to scan inbound emails that are fetched by Thunderbird, the iOS mail client, and the Gmail Android app. Sending and receiving seems to work, however, copying to the sent folder does not, unless I accept invalid certificates under the POP/IMAP TLS configuration. The problem does not arise on accounts that use STARTTLS. Only on SSL/TLS accounts. The Sophos XG CA certificate is added as a trusted source on the client side. I have the following settings on the firewall active:

  • Firewall rule:
    • Source: Any, Any
    • Destination: Any, Any, [IMAP(S), POP3(S)]
    • Web policy active
    • Block QUIC protocol
    • Scan HTTP and decrypted HTTPS, Use zero-day-protection, scan FTP
    • Block high risk apps
    • IPS: lantowan_general
    • scan email content: POP3(S), IMAP(S)
  • NAT:
    • linked to this firewall rule
  • SSL/TLS Inspection
    • decrypt, maximum compatibility profile
  • Email policy
    • dual av scanning
  • Mail, General Settings; POP and IMAP TLS configuration:
    • TLS Certificate: the default Sophos CA cert
    • disable legacy TLS
    • allow invalid certificate

What am I missing? Why do I need to allow invalid certificates in order to copy emails to the sent folder?



This thread was automatically locked due to age.
Parents
  • +1

    Hi,

    1/. you do not need a linked NAT rule unless you have multiple external interfaces

    2/. XG SSL/TLS scanning does not work with email.  eg IMAP. IMAPS. SMTP, SMTPS etc.

    3/. check the CA in use  for the mail scanning in the email tab of the GUI that it is the same one you installed on the clients, not the default CA.

    4/. Change you firewall rule to source LAN and the network the internal devices are connected to, and the destination to WAN.

    5/. scan http and decrypt HTTPS can be disabled unlesss some of your mail clients are using https for mail.

    6/. Application can be changed to allow because you have defined the only applications to be used are mail clients.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • +1

    Hi,

    1/. you do not need a linked NAT rule unless you have multiple external interfaces

    2/. XG SSL/TLS scanning does not work with email.  eg IMAP. IMAPS. SMTP, SMTPS etc.

    3/. check the CA in use  for the mail scanning in the email tab of the GUI that it is the same one you installed on the clients, not the default CA.

    4/. Change you firewall rule to source LAN and the network the internal devices are connected to, and the destination to WAN.

    5/. scan http and decrypt HTTPS can be disabled unlesss some of your mail clients are using https for mail.

    6/. Application can be changed to allow because you have defined the only applications to be used are mail clients.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Children
  • 0 in reply to rfcat_vk

    Thanks a million. Now, I only have the issue that the ProtonMail Bridge cannot establish a connection, as long as SSL/TLS Inspection is active. If it's not active, it can establish a connection that stays up, when SSL/TLS inspection is activated after the ProtonMail Bridge established its connection. But it seems not email related, as it is not affected by the email rules but by the web browsing related rules. The bridge itself reports a TLS mismatch in its logs.

  • 0 in reply to Hermann

    Hi,

    you should be able to add an exception n the user SSL/TLS exception list (Profile).

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Thanks again! I added an exception for 

    ^([A-Za-z0-9.-]*\.)?protonmail\.ch\.?/
    ^([A-Za-z0-9.-]*\.)?protonmail\.com\.?/
    to not decrypt HTTPS.
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?