@18.5-MR2 TLS/SSL never try to encrypt POPS and IMAPS
After migrating to 19.0EAP2 the engine decrypts this traffic
Simple solution
It will be better to inform all out there about this issue after migration!
A bit crazy:
What is that cert with which it tries to encrypt traffic?
SSL/TLS Setting:
I found that SSL/TLS failed on mail decryption after migrating to v18.5.1 mr-1 and now v19 EAP2 has failed on imaps scanning in normal firewall rules.
ian
XG115W - v19.5.1 mr-1 - Home
If a post solves your question please use the 'Verify Answer' button.
The certificate issue also causes problems re-encrypting https traffic; trying to regenerate the SecurityAppliance doesn't work.
Problem still exists. I don't know where this "Untrusted" certificate came from.
I now switched Re-sign with "Default" certificate.
Now it's working fine.
Path to v19:
Running 18.5MR2 -> create backup -> create fresh v19 EAP2 HyperV from installer -> @ first setup, import backup
Hi,
thank you for the pointer. I was sure I had checked that setting, but obviously not. Well, not looking good, might need to restart the mail clients because it has not finished checking for something that should take a couple of seconds not minutes.
What is disturbing is that the upgrade changed the security settings without advising the admin that changes had been made. Not good.
Ian
Failed, nothing in the logs showing failure but all mail servers timeout when being checked for mail.
Ian
Further checking found something I had not noticed before that the default is MTA mode, changed to transparent mode and testing.
Changed CAs
Changed mail to legacy mode
Changed mail firewall rule to use web proxy (should not have had any effect)
rebooted XG to see if that would change the mail scanning CAs and appears to have worked.
So, which of the above items was the cause of failure and required a reboot to become operational?
Ian
SMTP/s scanning still fails the CA as being untrusted. Might need to re-install mail on the iPad, that has worked in the past, otherwise disable SMTPS scanning again.
Not just the iPad, also Mac Mail on the Mac mini shows the CA as not valid because the name is wrong; the CA is issued for many of the mail providers' sites and the email name is not the same as the email server's.
Ian
Did you try to change the certificate for SMTP?
Do you get the same crazy "untrusted" certificate?
I am not using SMTP mail proxy @ my XG.
Yes, I changed the smtp ca and yes I get the untrusted ca.
I disabled smtp scanning again.
ian
Is it related to your change of IPS: https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/f/recommended-reads/132522/eap2-please-try-this-ips-scanning-enhancement ?