Issue with Mail protection and Microsoft exchange self-signed certificate.

Question

We're using XGS126 (SFOS 19.0.0) with active Mail protection subscription and our mails are hosted on on-premises Exchange server. 
 We had issue, that we got error message because Sophos couldn't verify certificate for our internal mail server and mails kept bouncing. When we added this cert to Sophos, it showed up as un-trusted because there was no CA for it, as it it is self-signed, w e skipped TLS negotiation with server and now everything seems to be working fine, but still i want to do everything "by the book". 
 Are there any advice on how to add this self-signed certificate to Sophos, so it would also show up as CA, so it would be trusted? 
 I guess there should be an answer for it, as Microsoft recommends using self-signed certificate for Excahnge server.

Vishal_R · Answer

Hi @ Kārlis Eniks To make it trusted, the certificate chain should get validated by the firewall when that cert is added over XG. i.e. the issuer of that certificate which is the external or local cert authority (including any intermediate CA as well if those are also there in the validation chain) from which that cert has been signed also required to be added over the firewall under the "Certificate authority" tab on XG UI.

Issue with Mail protection and Microsoft exchange self-signed certificate.

Top Replies

Submitted a Tech Support Case lately from the Support Portal?