
How can I select a specific certificate to scan inbound e-mail traffic (SMTP)?

I was trying to create an inbound forward rule for my internal mail server. The problem is that I can't see where I should select a certificate for "Hosted Server". I tried creating a rule by using "Security Policies >> Add Business Rule" and selecting application template "Email servers (SMTP)". It works, but when I try to connect it presents an appliance signed certificate.

This is opposite to a situation with application template "HTTP Based Policy" where after selecting "HTTPS" I can select a public certificate I have uploaded.

Is the "Email servers (SMTP)" template really supposed to protect internal mail servers? I was thinking it is, because there is also another application template called "Email clients (POP & IMAP)", and in this template I can also select to scan SMTP/SMTPS traffic.

Am I missing something?
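A way to see from the outside which certificate an inbound SMTP listener actually presents after STARTTLS, and whether a sending MTA on the Internet would trust it. This is an added example, not from the thread or from Sophos; it assumes only the openssl command-line tool. The host name mail.example.com is a placeholder, and the self-signed certificate produced by make_demo_cert is constructed for the demonstration as a stand-in for an appliance-generated certificate:

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Inspects the certificate
# an inbound SMTP listener presents and reports whether a remote MTA would
# trust it. Assumes the openssl CLI; mail.example.com is a placeholder and the
# certificate generated by make_demo_cert is constructed for the demonstration.

# Save the leaf certificate presented on $1:$2 to $3. Ports 25 and 587 use
# STARTTLS; port 465 is implicit TLS, so no STARTTLS negotiation is sent.
# (Network call: run it against the public name/IP of the business rule.)
fetch_smtp_cert() {
    host="$1"; port="$2"; out="$3"
    if [ "$port" = "465" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null | openssl x509 -outform PEM >"$out"
    else
        openssl s_client -connect "$host:$port" -servername "$host" -starttls smtp \
            </dev/null 2>/dev/null | openssl x509 -outform PEM >"$out"
    fi
}

# Print who issued the certificate in PEM file $1. An issuer naming the
# firewall's own CA instead of a public CA is the symptom in the question.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Exit 0 only if the certificate in $1 chains to a trusted CA. With no second
# argument the system trust store is used, which is what an arbitrary sending
# MTA on the Internet effectively does. Passing the firewall's CA file as $2
# shows the certificate is valid under that private CA, i.e. acceptable to LAN
# clients that were given the CA, but not to the outside world.
chains_to_trusted_ca() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Constructed stand-in for an appliance-generated certificate: self-signed,
# so it verifies only when its own file is supplied as the CA.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.com" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Report for one PEM file: issuer, then the verdict a public client and a
# client holding the private CA would each reach.
report() {
    cert="$1"; cafile="$2"
    echo "issuer: $(cert_issuer "$cert")"
    if chains_to_trusted_ca "$cert"; then
        echo "public trust store: OK (Internet MTAs will accept it)"
    else
        echo "public trust store: FAIL (appliance/private-CA certificate)"
    fi
    if [ -n "$cafile" ] && chains_to_trusted_ca "$cert" "$cafile"; then
        echo "private CA $cafile: OK (only for clients that trust this CA)"
    fi
}

# Usage against the real listener:
#   fetch_smtp_cert mail.example.com 25 /tmp/leaf.pem && report /tmp/leaf.pem
# Offline demonstration with the constructed certificate:
#   d=$(mktemp -d); make_demo_cert "$d"; report "$d/cert.pem" "$d/cert.pem"
```

If the issuer printed for the real listener is the firewall's CA and the public trust store verdict is FAIL, the firewall is terminating TLS with its own certificate, which is the situation described above; the fix belongs in the firewall's SMTP TLS settings, not on the mail server.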



  • Hello Slawek,

    The certificate that will be used to decrypt and create a two-step connection for SMTP can be found at Protection > Email Protection > Configuration > SMTP TLS Configuration > TLS Certificate. You will have to change that to a self-signed or an uploaded one.

    You can also use TLS options to bypass/create exceptions
  • But I can't select a server certificate here. I can only select a CA certificate or "Default", which is not described in the help.

    From my understanding, if you are protecting an internal SSL-secured server, you have to put its certificate on the firewall, just like we do with HTTPS.

    When you connect from the WAN side, you are presented an appliance-generated certificate from the CA you have selected. I suppose it works well if the connection is from LAN to WAN, as you can control the trust.

    But from the WAN side you cannot expect everybody to trust your custom CA certificates.

    Please have a look at how it works in the HTTPS server Business Rule.
  • Hello,

    I tried the same, but I cannot change the certificate in the email scanning part of the configuration.
  • Hi Slawski,

    Can you please confirm whether the Business Rule configured for the Mail Server has the Reflexive Rule enabled?

    The reflexive rule has the same policies as those configured for the hosted server, but instead of source zone to destination zone, this rule is applicable to traffic from the destination zone to the source zone. By default, the reflexive rule is not created.

    If you have already selected the SMTP / SMTPS Scan option in your Business Rule with the Reflexive Rule enabled, this will scan all the inbound e-mail traffic as per the requirement.

    You have reported the same query in your last post to the forum; you can also follow up on that. Find the link to the same:

    https://community.sophos.com/products/xg-firewall/f/130/p/75121/289809#289809

    Thanks

    Sachin Gurung

