
How can I select a specific certificate to scan inbound E-mail traffic (SMTP)?

I was trying to create an inbound forward rule for my internal mail server. The problem is that I can't see where I should select a certificate for "Hosted Server". I tried creating a rule by using "Security Policies >> Add Business Rule" and selecting the application template "Email servers (SMTP)". It works, but when I try to connect it presents an appliance-signed certificate.

This is the opposite of the situation with the application template "HTTP Based Policy", where after selecting "HTTPS" I can select a public certificate I have uploaded.

Is the "Email servers (SMTP)" template really supposed to protect internal mail servers??? I was thinking it is, because there is also another application template called "Email clients (POP & IMAP)", and in that template I can also select to scan SMTP/SMTPS traffic.

Am I missing something?

  • Hello Slawek,

    The certificate that will be used to decrypt and create a two-step connection for SMTP can be found at Protection > Email Protection > Configuration > SMTP TLS Configuration > TLS Certificate. You will have to change that to a self-signed or an uploaded one.

    You can also use TLS options to bypass/create exceptions.
  • But I can't select a server certificate here. I can only select a CA certificate or "Default", which is not described in the help.

    From my understanding, if you are protecting an internal SSL-secured server, you have to put its certificate on the firewall, just like we do with HTTPS.

    When you connect from the WAN side, you are presented with an appliance-generated certificate from the CA you have selected. I suppose it works well if the connection is from LAN to WAN, where you can control the trust.

    But from the WAN side you cannot expect everybody to trust your custom CA certificates.

    Please have a look at how it works in the HTTPS server Business Rule.
  • Hello,

    I tried the same, but I cannot change the certificate in the email scanning part of the configuration.
  • Hmm, it seems that we can only select CAs here. That's of course quite useless for WAN connections :-(
  • Hi Slawski,

    Can you please confirm whether the Business Rule configured for the Mail Server has Reflexive Rule enabled?

    Reflexive rule has the same policies as those configured for the hosted server but instead of source zone to destination zone, this rule is applicable on traffic from destination zone to source zone. By default, the reflexive rule is not created.

    If you have already selected the SMTP / SMTPS Scan option in your Business Rule with Reflexive Rule enabled, this will scan all the inbound E-mail traffic as per the requirement.

    You have reported the same query in your last post to the forum; you can also follow up on that. Find the link to the same:

    https://community.sophos.com/products/xg-firewall/f/130/p/75121/289809#289809

    Thanks

    Sachin Gurung

  • Does this problem have a solution yet? With this unaddressed, clients connecting to your SMTPS services will not be given a trusted certificate, because it is always signed by the CA on the firewall (which will not be trusted on all clients).

    I assert that the practice of using the CA cert for scanning TLS SMTP and HTTP is broken, because the common case is that for _hosted_ services the certificate is also used to verify identity through a valid chain of trust. There *should* be an option to upload trusted signed certificates for hosted services, just as it is normal to do so in a reverse proxy, which is essentially what is happening when hosted SMTPS and HTTPS are scanned using this software.

    **Edit: HTTPS business rule works fine for this case**

  • Hi Matthew,

    Did you look into the options:

    SMTP / POP and IMAP TLS Configuration.

    Hope that helps.

  • This picture illustrates the problem:

    The same applies to SMTPS. It is normal for a reverse proxy to be able to use the trusted client certificate so that the internet user has a valid chain of trust.

  • 'SMTP / POP and IMAP TLS Configuration' does not appear to address the problem.

  • I can see that someone understood what I have complained about. Yes, the picture is exactly showing the case.

    If you have an internal server protected by public certificate, there is no way to protect it with Business rule, because there is no way to select that certificate in the Business Rule.
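The complaint running through this thread is that a sending MTA or mail client on the WAN side ends up seeing an appliance-CA-signed certificate rather than the public one installed on the mail server. The script below is an added example (not from this thread and not Sophos code) that checks exactly that from the outside: it opens a plain SMTP session, issues STARTTLS, and verifies the presented certificate against the local system trust store, which is what any third-party MTA does. A firewall that re-signs the certificate with its own CA shows up as a verification failure; a pass additionally reports the issuer and whether the certificate names the host. Only the Python standard library is used. The hostname, port and the sample certificate dictionary at the bottom are constructed for the demonstration and are not values from the thread.

```python
"""Added example (not from the Sophos forum thread, not Sophos code).

Checks what a remote MTA or mail client actually sees after STARTTLS on
an inbound SMTP service you operate: a certificate that chains to a public
CA and names the host, or a substitute signed by an unknown (appliance) CA.
Uses only the Python standard library. The sample certificate dictionary
at the bottom is constructed for the offline demonstration.
"""
import smtplib
import ssl
import sys
from typing import Dict, Optional, Sequence


def _rdn_value(name: Sequence, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def cert_names(cert: Dict) -> set:
    """DNS names the certificate is valid for: SAN DNS entries plus the subject CN."""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if cn:
        names.add(cn)
    return names


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Exact match or single-label wildcard match (*.example.com covers one label)."""
    host = hostname.lower()
    for name in cert_names(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def classify_cert(cert: Dict, hostname: str) -> Dict:
    """Summarise an already-verified peer certificate from the sender's point of view."""
    issuer = _rdn_value(cert.get("issuer", ()), "commonName")
    name_ok = hostname_matches(cert, hostname)
    return {
        "trusted": True,
        "issuer": issuer,
        "hostname_ok": name_ok,
        "verdict": ("public certificate presented" if name_ok
                    else "trusted chain but certificate does not name this host"),
    }


def probe_smtp_tls(host: str, port: int = 25, timeout: float = 10.0) -> Dict:
    """Connect, issue STARTTLS and verify against the local system trust store.

    A firewall that re-signs the server certificate with its own CA makes the
    verification fail here, exactly as it fails for a third-party MTA.
    This is the network path and is not exercised by the offline test.
    """
    context = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=context)
            cert = smtp.sock.getpeercert()  # populated only because the chain verified
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "issuer": None, "hostname_ok": None,
                "verdict": "not trusted by the system store: " + exc.verify_message}
    except (OSError, smtplib.SMTPException) as exc:
        return {"trusted": False, "issuer": None, "hostname_ok": None,
                "verdict": "STARTTLS handshake or connection failed: %s" % exc}
    return classify_cert(cert, host)


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python smtp_cert_probe.py mx.example.net [25]
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_smtp_tls(target, port))
    else:
        print(classify_cert(SAMPLE_PUBLIC_CERT, "smtp.example.com"))
```

Run it against your own MX from a host outside the firewall. A verdict of "not trusted by the system store" while the mail server itself holds a publicly issued certificate is the symptom described in this thread; running the same probe from the LAN side, where the appliance CA may be installed, would mask it, which is why the check belongs on the WAN side.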