Hi Community,
We are currently struggling with sending emails to some customers. We installed Email Protection about six months ago because of a spam flood our on-premises Exchange Server couldn't handle. Therefore I set up an inbound business rule to check inbound mail, which works great! We also decided to create an outbound business rule so that we could "watch" the network SMTP traffic (email spamming from clients). I created the rules as described in this article: https://community.sophos.com/kb/zh-cn/123663
We had issues with being blocked by the Protected Sky block list every two months for some days, but I put the blame on our automatically generated emails, which are simply plain text with an attachment. But yesterday we discovered that for the last six months we weren't able to send emails to Microsoft's "personal" email accounts (@outlook, @hotmail), while Office 365-hosted domains worked. Also, one of our customers reported they didn't get any email for the last six months. (Don't ask me why I hear about that six (!!) months and about 500 emails later!)
Every time I heard something like that I checked my Exchange Server's transport log and the Sophos log, which both said "sent". But because I never received the mail at my private @hotmail address I thought it was reported as spam and instantly deleted, especially because there were no bounce-backs. But yesterday we dug a little deeper and enabled SMTP logs on our Exchange server!
I found out that the Sophos appliance seemed to spoof its certificate into the SMTP conversation:
Sending certificate:
  Certificate subject: CN=server.domain.tld
  Certificate issuer name: CN=RapidSSL SHA256 CA - G3, O=GeoTrust Inc., C=US
  Certificate serial number: 0A5188
  Certificate thumbprint: 6B3A8199B5CDE3073D08BB0ACD9782906BE72D08
  Certificate subject alternate names: server.domain.tld

Remote certificate:
  Certificate subject: CN=*.hotmail.com
  Certificate issuer name: E=support@sophos.com, CN=Sophos SSL CA_S150195A389C34D, OU=NSG, O=Sophos, S=Oxfordshire, C=GB
  Certificate serial number: 1216D960
  Certificate thumbprint: 4F32D91B39CD9A80EDFB3E8ABFD9D0E853A96AE1
  Certificate subject alternate names: *.hotmail.com

TLS negotiation:
  TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_RSA_KEYX with strength 1024 bits
From that point on I thought about the whole process and couldn't understand how this should ever have worked! It absolutely worked with some domains, but some seemed to refuse this connection due to the Sophos certificate. As soon as I turned the rule off it worked seamlessly, but I don't feel very comfortable this way, and Exchange Server email tracing is horrible!
I found this thread in the community forum, https://community.sophos.com/products/xg-firewall/f/email-protection/75121/what-is-correct-design-pattern-for-smtp-server-protection, and thought that would be the answer. But as far as I got, the only thing I got was a "your certification-authority-file is damaged" from the Sophos XG.
First of all, how does scanning of TLS-encrypted mails work? And secondly, which certificate do I have to add to get this done?
I have an IIS certificate (X.509) for my Exchange Server 2015 and have no clue how to get a PEM from it or what the PEM even needs to include. Because from my understanding, it would also need the Exchange Server's private key, to "play him"?
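The protocol-log excerpt above shows Exchange acting as the TLS client (SP_PROT_TLS1_2_CLIENT) and being handed a certificate for *.hotmail.com that was issued by the firewall's own "Sophos SSL CA", not by a public CA: the outbound STARTTLS session is being intercepted and re-signed by the XG rather than passed through to the remote MTA, and the negotiated key exchange is only 1024-bit RSA. The script below is an added example and is not part of the original post, nor a Sophos or Microsoft tool. It reads constructed log lines modelled on that excerpt (the CSV field order, timestamps, connector name, session ID and IP addresses are assumptions; the certificate subjects, issuers, serials and thumbprints are the ones quoted above) and flags any session where the remote certificate chains to a private interception CA, where the key exchange is below 2048 bits, or where the MAC is SHA-1. The set of interception-CA organisation names is an assumption you would tune to your own environment.

```python
import csv
import io
import re

# Constructed sample of an Exchange send-protocol log, modelled on the excerpt
# in the post. Assumed column order (not the real Exchange schema):
# timestamp,connector,session,seq,local-endpoint,remote-endpoint,event,data,context
SAMPLE_LOG = """\
2019-03-12T10:15:01.000Z,Outbound to Internet,08D6A6D4F8B1C2E3,5,10.0.0.5:25,40.93.1.12:25,*,Sending certificate,"Certificate subject: CN=server.domain.tld; Certificate issuer name: CN=RapidSSL SHA256 CA - G3, O=GeoTrust Inc., C=US; Certificate serial number: 0A5188; Certificate thumbprint: 6B3A8199B5CDE3073D08BB0ACD9782906BE72D08; Certificate subject alternate names: server.domain.tld"
2019-03-12T10:15:01.020Z,Outbound to Internet,08D6A6D4F8B1C2E3,6,10.0.0.5:25,40.93.1.12:25,*,Remote certificate,"Certificate subject: CN=*.hotmail.com; Certificate issuer name: E=support@sophos.com, CN=Sophos SSL CA_S150195A389C34D, OU=NSG, O=Sophos, S=Oxfordshire, C=GB; Certificate serial number: 1216D960; Certificate thumbprint: 4F32D91B39CD9A80EDFB3E8ABFD9D0E853A96AE1; Certificate subject alternate names: *.hotmail.com"
2019-03-12T10:15:01.030Z,Outbound to Internet,08D6A6D4F8B1C2E3,7,10.0.0.5:25,40.93.1.12:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_RSA_KEYX with strength 1024 bits"
"""

# Constructed "healthy" session for contrast: public issuer, 2048-bit key exchange, SHA-256 MAC.
CLEAN_LOG = """\
2019-03-12T10:20:00.000Z,Outbound to Internet,08D6A6D4F8B1C2E4,6,10.0.0.5:25,203.0.113.25:25,*,Remote certificate,"Certificate subject: CN=mx.example.net; Certificate issuer name: CN=RapidSSL SHA256 CA - G3, O=GeoTrust Inc., C=US; Certificate serial number: 00ABCD; Certificate thumbprint: 0000000000000000000000000000000000000000; Certificate subject alternate names: mx.example.net"
2019-03-12T10:20:00.030Z,Outbound to Internet,08D6A6D4F8B1C2E4,7,10.0.0.5:25,203.0.113.25:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_256 with strength 256 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 2048 bits"
"""

# Assumption: organisation names of CAs that only ever appear on an inline
# TLS-inspecting proxy. A remote MTA's certificate must never chain to one.
INTERCEPTING_CA_ORGS = {"Sophos"}
MIN_KEY_EXCHANGE_BITS = 2048


def parse_cert_context(context):
    """Turn 'Certificate subject: X; Certificate issuer name: Y; ...' into a dict."""
    fields = {}
    for part in context.split("; "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def issuer_org(issuer_dn):
    """Extract the O= attribute of a comma-separated DN (ignores OU=)."""
    m = re.search(r"(?:^|,\s*)O=([^,]+)", issuer_dn)
    return m.group(1).strip() if m else None


def analyse_session(log_text):
    """Return a list of human-readable findings for one session's log lines."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 9:
            continue
        data, context = row[7], row[8]
        if data == "Remote certificate":
            cert = parse_cert_context(context)
            org = issuer_org(cert.get("Certificate issuer name", ""))
            subject = cert.get("Certificate subject", "")
            if org in INTERCEPTING_CA_ORGS:
                # The remote side is not the real MTA: something in the path re-signed its cert.
                findings.append(f"intercepted: certificate for {subject} issued by private CA O={org}")
        elif data == "" and "negotiation succeeded" in context:
            m = re.search(r"key exchange algorithm (\S+) with strength (\d+) bits", context)
            if m and int(m.group(2)) < MIN_KEY_EXCHANGE_BITS:
                findings.append(f"weak key exchange: {m.group(1)} at {m.group(2)} bits")
            if "CALG_SHA1" in context:
                findings.append("legacy MAC: SHA-1 negotiated")
    return findings


if __name__ == "__main__":
    for name, log in (("intercepted session", SAMPLE_LOG), ("clean session", CLEAN_LOG)):
        print(name, "->", analyse_session(log) or ["no findings"])
```

Run it over a real send-protocol log by replacing SAMPLE_LOG with the file contents after confirming the column order of your Exchange version; the decisive signal is the issuer of the "Remote certificate" entry, which on an un-intercepted connection to outlook.com or hotmail.com is a public CA, never the firewall's own.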