Configure TLS encryption in Sophos Email Appliance

Hi,

I would like to enforce TLS encryption for all email communication between our domain and another domain. We are using a Sophos Email Appliance ES100. Could someone please help me with this?

What are the prerequisites required for that?

Do I need to apply for a certificate from an external party?

Can we use a wildcard certificate? Steps to configure?

Regards

Ansar



  • Hi Ansar,

    Setting up TLS initially is as easy as clicking on Configuration / Policy / Encryption and enabling TLS.

    Under Configuration / System / Certificates, ensure you enable one for TLS.

    Once that is done, the appliance will always try TLS first.

    Back on the Encryption tab you can set up incoming and outbound connections for your domain; just select "require encryption".

    This will establish TLS using the appliance's default self-signed certificate.

    Options:

    If you require encryption AND validation, you will need to get a CA-signed certificate.

    Under the Certificates section, click Add.

    Initiate a CSR.

    Fill out all of the questions; ensure the hostname of the appliance is in the CN.

     * If you require a wildcard certificate, you will need to manually create and submit that to a CA, as the appliance will only generate a single CN.

     * I do not recommend using a wildcard cert on email; generate a single cert on each appliance and get the cheapest $5 GoDaddy cert. You only need it signed; all of the other features are not used for TLS.

    Take the output of the CSR generation and send it to GoDaddy to get it signed. They will give you a CA bundle. Click on "(pending - upload certificate)" and paste in the responses; ensure there are no spaces or extra lines.

    Once that's done, select it for TLS in the Encryption area.

    If you still wish to use a wildcard cert, or do not submit the CSR from the appliance, you will need to fully assemble your own certificate.

    Here are my instructions on that:

    community.sophos.com/.../357571

  • Hi Red,

    OK. We will go for a standard domain name certificate instead of a wildcard.

    I will describe the process; correct me if I am wrong.

    Create a CSR.

    Upload the CSR to a trusted CA and download the certificate.

    Complete the CSR request by adding the certificate.

    Use this certificate for TLS communication.

    My questions are:

    What is the domain name I need to use while creating the CSR? Is it the same one that we host in public DNS, e.g. webmail.domain.com?

    The requirement is to use TLS when sending or receiving emails to a particular domain. We can configure TLS encryption in the appliance for only one domain, right?

    We will buy the certificate from DigiCert. It can be configured in the appliance, right?

    Awaiting your response.

    Thanks

    Ansar

  • Hi Ansar,

    The cert's common name should match the email appliance FQDN. Also ensure reverse DNS resolves to the appliance. If you complete the signing request on the appliance, the private key will always remain on the appliance, so when you get your response from DigiCert it will append the information and combine it with your private key automatically.

    As for configuring domains for TLS, yes, you can have as many as you like; just enter the domain into the TLS section and select "require encryption" or "require and validate".

    "Require" simply means some level of TLS is required; it could be 1.2 or 1.1.

    "Require and validate" will also validate the cert. Keep in mind that if the recipient uses a self-signed certificate, this is NOT valid, so mail would not be sent.

    Other than that you should be all good to go.
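The procedure discussed in this thread, as an added example that is not part of any post above and not Sophos' own tooling: the manual CSR path Red mentions in the first reply (wildcard or off-appliance request) done with openssl, the checks worth running on the CA's response before pasting it into the pending slot, and the chain check that a "require and validate" peer applies, which is why a self-signed cert is rejected. The appliance FQDN mail.example.com and the throwaway demo CA are assumptions; the demo CA stands in for GoDaddy or DigiCert so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Sophos thread or the appliance itself.
# Assumed/hypothetical: appliance FQDN mail.example.com; a throwaway demo CA
# stands in for the public CA (GoDaddy/DigiCert) so everything runs offline.
set -eu

WORK=$(mktemp -d)
FQDN=mail.example.com

# Private key + CSR. The CN is the appliance FQDN (what Red asks for); the same
# name also goes into a SAN because modern validators ignore the CN.
# The private key is generated here and never leaves this host.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr" \
    -subj "/C=US/O=Example Org/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
  # Confirm the CN landed where the CA will read it.
  openssl req -in "$WORK/appliance.csr" -noout -subject | grep -q "CN *= *$FQDN"
}

# Throwaway root CA, constructed for the demo; in real life this is the public CA.
make_demo_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/O=Demo CA/CN=Demo Root" 2>/dev/null
}

# The CA signs the CSR; appliance.crt is the "response" you paste into the pending slot.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/appliance.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.cnf" -out "$WORK/appliance.crt" 2>/dev/null
}

# A self-signed cert for the same name, like the appliance's default one, to show
# what a peer configured for "require and validate" sees.
make_self_signed() {
  openssl req -x509 -new -key "$WORK/appliance.key" -days 1 \
    -subj "/CN=$FQDN" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Check 1: the signed cert must carry the public half of the appliance's own key,
# otherwise the upload will not pair with the pending CSR.
key_matches_cert() {  # $1 = cert PEM, $2 = private key PEM
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: what "require and validate" does on the far side: chain the cert to a
# trusted root. Exit 0 = trusted; non-zero = the cert is rejected and mail would not be sent.
chain_ok() {  # $1 = cert PEM, $2 = CA bundle PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: strip the leading/trailing spaces and blank lines that break the paste
# into the appliance ("ensure there are no spaces or extra lines").
clean_pem() {  # $1 = pasted PEM file; prints the normalised PEM on stdout
  sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

gen_csr
make_demo_ca
sign_csr
make_self_signed

if key_matches_cert "$WORK/appliance.crt" "$WORK/appliance.key"; then
  echo "signed cert matches the appliance key"
fi
if chain_ok "$WORK/appliance.crt" "$WORK/ca.pem"; then
  echo "CA-signed cert: passes require-and-validate"
fi
if ! chain_ok "$WORK/selfsigned.crt" "$WORK/ca.pem"; then
  echo "self-signed cert: rejected, mail would not be sent"
fi
# The cleaned PEM must still parse before it goes into the appliance.
clean_pem "$WORK/appliance.crt" | openssl x509 -noout -subject
```

For a live check of what the other domain presents, the same validation can be exercised against its MX with `openssl s_client -starttls smtp -connect mx.otherdomain.example:25 -verify_return_error`: a non-zero exit there means a "require and validate" policy for that domain will hold mail, while a plain "require" policy would still deliver as long as STARTTLS negotiated at all.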