
Need secure email with our bank. How to configure TLS encryption in SEA?

Our bank has requested we setup TLS encryption to secure email transmission with them.  I've begun the setup but when I test it against hotmail or gmail I get a failure:


TLS is required, but was not offered by host mx4.hotmail.com

- or -

TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com


- I've exported our cert from our Exchange and imported it into SEA... 
- Both Exchange and SEA are natted to the same IP.
- TLS is enabled.
- Our MX record matches our certificate name


Any assistance would be appreciated or some detailed instructions.



  • Evening,

    Try sending an email from one of the accounts handled by your exchange server. I may be missing something, but what do either Gmail or Hotmail have to do with your Exchange server? I'm not being sarcastic, I'm just puzzled.

    Regards,

    Neil.

  • Hi Neil,

    Thanks for answering, maybe I'm not explaining myself well.  I'm sending from an internal Exchange account to an external Hotmail and Gmail email address as a test.  My thinking is Hotmail and Gmail are both TLS enabled and if it works there it should work for any domain I assign (in SEA).  Once it is working I would add the bank's domain for TLS.  However, so far I can't get SEA to transmit to either Hotmail or Gmail (or the bank with the domain added to SEA).  All have the same log message "TLS is required, but not offered...". 

    Thanks

  • Morning,

    Let's just run through the set up.

    Ensure TLS is enabled under Configuration > Policy > SMTP authentication. Check the Enforce TLS option, then click Configure TLS settings.

    Ensure that TLS is enabled and then click on the Active certificate link.

    Ensure you're using the correct certificate.

    If all is working correctly the TLS should function. Remember, you can't force the far end to use TLS, but if both parties support TLS then it should work.

    You can find the user guide here:

    http://esa.sophos.com/ug/pdf/sea_ug.pdf

    TLS is covered in some depth throughout several sections.

    Regards,

    Neil.

  • Hi Neil,

    Thank you for the instructions, it confirmed my setup was correct.  I finally found the problem was on our firewall (a Cisco ASA).  In its default inspection policy it was inspecting ESMTP and blocking the connection.

    Cisco ASA > Service Policy Rules > "inspection_default" > Rule Actions tab > Disable ESMTP

    I've decided to go with the self-signed certificate for now.  Our bank does not require certificate validation at this time.

    Thank you for your assistance.
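The two failure modes in this thread look identical in the SEA log ("TLS is required, but was not offered"), but they are distinguishable on the wire: a peer that genuinely has no STARTTLS simply omits it from its EHLO capability list, whereas a Cisco ASA with ESMTP inspection in the path rewrites capabilities it does not pass through as a run of X characters. The script below is an added example written for this thread, not Sophos or Cisco code. It parses a raw EHLO reply and classifies the result, and includes a live check built on Python's standard smtplib for running from an administrative host. The hostnames and the three sample EHLO replies are constructed; the X-masking pattern is assumed to be how the inspection engine renders a suppressed capability.

```python
"""Classify an ESMTP EHLO reply: is STARTTLS offered, absent, or masked by inspection?

Added example for the thread above, not Sophos or Cisco code.
Assumption: a middlebox doing ESMTP inspection overwrites capabilities it does
not permit with X characters (e.g. "250-XXXXXXXX" in place of "250-STARTTLS").
"""
import re
import smtplib

# A keyword made only of X characters is treated as a masked capability (assumption).
MASKED = re.compile(r"^X{4,}$")

# Constructed sample replies; no real server produced these.
EHLO_OK = (
    "250-mx.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 36700160\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
EHLO_MASKED = (  # what an inspecting firewall leaves behind: STARTTLS is 8 chars -> 8 X's
    "250-mx.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 36700160\r\n"
    "250-XXXXXXXX\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
EHLO_PLAIN = (  # peer simply does not advertise STARTTLS
    "250-mx.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 36700160\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(response: str) -> dict:
    """Split a raw EHLO reply into reply code, capability keywords and masked keywords."""
    lines = [ln.rstrip("\r") for ln in response.split("\n") if ln.strip()]
    if not lines or not lines[0][:3].isdigit():
        return {"code": None, "capabilities": [], "masked": []}
    code = int(lines[0][:3])
    caps, masked = [], []
    for line in lines[1:]:  # lines[0] is the server greeting, not a capability
        if len(line) < 4 or not line[:3].isdigit():
            continue
        keyword = line[4:].split(" ", 1)[0].upper()  # index 3 is the '-' or ' ' separator
        if not keyword:
            continue
        if MASKED.match(keyword):
            masked.append(keyword)
        else:
            caps.append(keyword)
    return {"code": code, "capabilities": caps, "masked": masked}


def classify(code, capabilities, masked) -> str:
    """Map parsed EHLO data to one of: error, offered, masked, not offered."""
    if code != 250:
        return "error"
    if "STARTTLS" in capabilities:
        return "offered"
    if masked:
        return "masked"
    return "not offered"


def starttls_status(response: str) -> str:
    """Convenience wrapper: classify a raw EHLO reply string."""
    parsed = parse_ehlo(response)
    return classify(parsed["code"], parsed["capabilities"], parsed["masked"])


def check_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check against a real MX (needs network); same classification as above."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("diag.example.test")  # constructed client name
        caps = [k.upper() for k in smtp.esmtp_features]  # smtplib keys are lowercased
        masked = [k for k in caps if MASKED.match(k)]
        return classify(code, caps, masked)


if __name__ == "__main__":
    for name, sample in (("ok", EHLO_OK), ("masked", EHLO_MASKED), ("plain", EHLO_PLAIN)):
        print(f"{name:7s} -> {starttls_status(sample)}")
```

A result of "masked" from the live check points at an inspecting device between the appliance and the peer (the ESMTP inspection fix described above), while "not offered" means the remote MX itself is not advertising STARTTLS and no configuration on the SEA side will make Enforce TLS succeed for that domain.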

  • Your answer helped clear up some things similar to this. Maybe you can speak more to this? I assume GoDaddy, a Sophos managed certificate would have the whole chain. But I run CheckTLS.com against the Sophos Email Appliance (SEA) and get a warning that the intermediate is, "not validated: unable to get local issuer certificate." The handshakes look up the root, certifies and starts the TLS encryption after a second pass, so it encrypts. Don't want to break it but I may have to add it locally in Configuration | System | Certificates | Trusted Cert Auth, Configuration, Locally-Managed | Add. Thanks for your take on it.

    Patrick

  • Hi Patrick,

    I don't think you could break it by adding your cert to the locally managed section.  I agree, you may need to include the whole chain.

    I did ask the following questions as well...

    Quote from Sophos Support:

    Q:  Should I be concerned about “unable to verify server certificate” if I’m using self-signed certificates?
    A:  No this is Normal behavior, you can get rid of this error if you like by buying a 3rd party certificate and uploading it to the device.

    Q:  Our Exchange server is listed as untrusted but also appears to use a self-signed cert.  Should I be concerned about this?
    A:  No this is Normal behavior, you can get rid of this error if you like by buying a 3rd party certificate and uploading it to the device.

    Hope this helps.

    Thanks

  • Thanks for that. Here's an update of my results. I use GoDaddy SSL certs. I have since added their "intermediates" to the locally managed tab. The Sophos managed tab does have GoDaddy certificates but I would say the intermediates are not included or (SOSDW), some other stuff don't work. I added it, tested with CheckTLS.com and the handshake log was all green (OK). Thanks for the feedback. Patrick