tls encryption should be used for outbound mail proxy (postfix)

Hi there,

we use sophos email appliance 3.8.1.2 and want to send mail through it to the internet. Between the sophos appliance and the internet is our postfix server that should act as an outbound mail proxy. It also supports tls.

Our goal is to fully encrypt the mail communication via tls. According to the email information, this is not the case, as seen below:

Received: from OUR-POSTFIX-SERVER ([IP-ADRESS]) by EXTERNAL-MAILSERVER-FROM-PROVIDER
    with (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 encrypted)
    esmtp id 1ZDZl3-07BTEG0; Fri, 10 Jul 2015 16:58:33 +0200
Received: from OUR-SOPHOS-APPLIANCE (unknown [IP-ADRESS])
    by OUR-POSTFIX-SERVER (Postfix) with SMTP id 3B44919208CC
    for <MY-PRIVATE-EMAIL-ADRESS>; Fri, 10 Jul 2015 16:58:33 +0200 (CEST)

In short, our sophos appliance does not encrypt the email to the outbound mail proxy, but our outbound mail proxy encrypts the messages and sends them to our email provider.

We want the sophos appliance to encrypt the email to the outbound mail proxy, according to the first entry "TLSv1.2".

What we did:

- Configuration -> Policy -> Encryption - we activated TLS but did no domain entry, so TLS encryption should be attempted for every domain

- configuration -> Routing -> Outbound Mail Proxy - we put in our postfix server

We tested the option "enforce tls" in the outbound mail proxy settings but it gives us an error:

The appliance failed to send an email addressed to MAIL-ADRESS (with relay OUTBOUND-MAIL-PROXY:25) at 2015/07/10 14:46:22 because this domain is configured to require TLS, but the appliance failed to establish a TLS connection.

When we don't enforce tls, the email goes through but it is not encrypted from the sophos appliance to our postfix outbound proxy. We noticed the following message in the log - what can we do to solve it?

delay=0.19, delays=0.1/0.01/0.07/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host OUTBOUND-MAIL-PROXY)
enabling PIX workarounds: disable_esmtp delay_dotcrlf for outbound mail proxy:25
:57932
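The deferral above says the relay did not offer STARTTLS; the "PIX workarounds" line is the client noticing a masked greeting banner, the classic symptom of a Cisco firewall doing SMTP inspection (which also strips STARTTLS from the EHLO reply). The following added example (not from this thread, Sophos or Postfix) checks a relay's banner and EHLO reply for exactly those two symptoms; the hostnames and responses are constructed samples.

```python
import re
import smtplib

# Constructed sample: what a healthy Postfix relay answers to EHLO.
CLEAN_BANNER = "220 relay.example.invalid ESMTP Postfix"
CLEAN_EHLO = [
    "250-relay.example.invalid",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
]

# Constructed sample: the same relay seen through SMTP inspection:
# the banner is masked with asterisks and STARTTLS is gone.
MASKED_BANNER = "220 ********************************"
MASKED_EHLO = [
    "250-relay.example.invalid",
    "250-SIZE 10240000",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Return the extension keywords in a raw EHLO reply (RFC 5321 style:
    '250-' continuation lines, '250 ' final line; the first line carries
    the server's domain, not an extension, and is skipped)."""
    keywords = set()
    for i, line in enumerate(lines):
        m = re.match(r"^250[ -](\S+)", line)
        if not m:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i > 0:
            keywords.add(m.group(1).upper())
    return keywords


def assess_relay(banner, extensions):
    """Explain why enforced TLS towards this relay may be failing."""
    masked = banner.startswith("220 *")  # asterisk-masked greeting
    offered = "STARTTLS" in extensions
    return {"starttls_offered": offered, "banner_masked": masked,
            "likely_smtp_inspection": masked and not offered}


def probe_relay(host, port=25, timeout=10):
    """Live check (hypothetical target, not run here): read the real
    banner and EHLO reply from a relay and assess them."""
    s = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = s.connect(host, port)
        s.ehlo()
        exts = {k.upper() for k in s.esmtp_features}
        s.quit()
    finally:
        s.close()
    return assess_relay(f"{code} {banner.decode('ascii', 'replace')}", exts)
```

Run `probe_relay("your-relay")` from the appliance's network segment and again from the relay itself; if only the first result reports `likely_smtp_inspection`, the device in between is rewriting the session.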


  • Hello,

    My apologies for the delay.

    "enabling PIX workarounds: disable_esmtp delay_dotcrlf for outbound mail proxy:25"

    The above line in the logs indicates that a Cisco device (mostly a firewall) in your network is sniffing SMTP traffic, which it shouldn't.

    Please disable SMTP inspection on it and let me know if TLS is working as expected.

    Regards,

    Aiman Ansari | Network & Security Engineer 
