
Need secure email with our bank. How to configure TLS encryption in SEA?

Our bank has requested we set up TLS encryption to secure email transmission with them.  I've begun the setup but when I test it against Hotmail or Gmail I get a failure:


TLS is required, but was not offered by host mx4.hotmail.com

- or -

TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com


- I've exported our cert from our Exchange and imported it into SEA...
- Both Exchange and SEA are NATed to the same IP.
- TLS is enabled.
- Our MX record matches our certificate name


Any assistance would be appreciated or some detailed instructions.



  • Evening,

    Try sending an email from one of the accounts handled by your exchange server. I may be missing something, but what do either Gmail or Hotmail have to do with your Exchange server? I'm not being sarcastic, I'm just puzzled.

    Regards,

    Neil.

  • Hi Neil,

    Thanks for answering; maybe I'm not explaining myself well.  I'm sending from an internal Exchange account to an external Hotmail and Gmail email address as a test.  My thinking is that Hotmail and Gmail are both TLS enabled, and if it works there it should work for any domain I assign (in SEA).  Once it is working I would add the bank's domain for TLS.  However, so far I can't get SEA to transmit to either Hotmail or Gmail (or the bank, with its domain added to SEA).  All have the same log message: "TLS is required, but not offered...".

    Thanks

  • Morning,

    Let's just run through the set up.

    Ensure TLS is enabled under Configuration > Policy > SMTP authentication. Check the Enforce TLS option, then click Configure TLS settings.

    Ensure that TLS is enabled and then click on the Active certificate link.

    Ensure you're using the correct certificate.

    If all is working correctly, TLS should function. Remember, you can't force the far end to use TLS, but if both parties support TLS then it should work.

    You can find the user guide here:

    http://esa.sophos.com/ug/pdf/sea_ug.pdf

    TLS is covered in some depth throughout several sections.

    Regards,

    Neil.

  • Hi Neil,

    Thank you for the instructions; it confirmed my setup was correct.  I finally found the problem was on our firewall (a Cisco ASA).  In its default inspection policy, it was inspecting ESMTP and blocking the connection.

    Cisco ASA --> Service Policy Rules --> "inspection_default" --> Rule Actions tab --> Disable ESMTP

    I've decided to go with the self-signed certificate for now.  Our bank does not require certificate validation at this time.

    Thank you for your assistance.
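The two steps Neil's walkthrough and this fix hinge on are (1) does the far end actually advertise STARTTLS in its EHLO reply, and (2) does the handshake then complete, even if the certificate is self-signed. The probe below is an added example written for this thread; it is not code from the original posts, from Sophos, or from Cisco. It assumes Python 3 with only the standard library, presents the hypothetical name `tls-probe.example.invalid` in its EHLO, and uses three constructed EHLO replies: one that offers STARTTLS, one that does not, and one where an extension keyword has been overwritten with placeholder X's, which is an assumed illustration of what an inline inspector rewriting the reply could look like, not a statement about any particular ASA release.

```python
"""Probe an MX host for STARTTLS and explain an enforced-TLS delivery failure.

Added diagnostic for this thread; not part of the Sophos appliance or the
original posts. All sample EHLO replies below are constructed.
"""
import re
import smtplib
import ssl
import sys

STARTTLS = "STARTTLS"  # EHLO keyword defined by RFC 3207

# Constructed EHLO replies, as a mail server would send them after 'EHLO'.
EHLO_OFFERED = (b"250-mx.example.net Hello probe\r\n"
                b"250-SIZE 52428800\r\n"
                b"250-8BITMIME\r\n"
                b"250-STARTTLS\r\n"
                b"250 ENHANCEDSTATUSCODES\r\n")
EHLO_ABSENT = (b"250-mx.example.net Hello probe\r\n"
               b"250-SIZE 52428800\r\n"
               b"250 8BITMIME\r\n")
# Assumed shape of a reply rewritten by an inline inspector that overwrites
# an extension keyword with placeholder characters (illustration only).
EHLO_MASKED = (b"250-mx.example.net Hello probe\r\n"
               b"250-SIZE 52428800\r\n"
               b"250-XXXXXXXX\r\n"
               b"250 8BITMIME\r\n")


def parse_ehlo_reply(raw: bytes) -> list:
    """Return the extension keywords advertised in a raw multi-line EHLO reply.

    Each line looks like '250-KEYWORD [params]' (more lines follow) or
    '250 KEYWORD' (final line). The first line carries the server's own name,
    not an extension, so it is skipped. Anything that is not a 250 line is
    ignored rather than treated as an extension.
    """
    keywords = []
    lines = raw.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        fields = line[4:].split()
        if fields:
            keywords.append(fields[0].upper())
    return keywords


def classify(keywords: list) -> str:
    """Explain, from the keyword list, whether an enforced-TLS policy can work.

    'offered' - far end advertises STARTTLS, so enforced TLS can succeed.
    'masked'  - a keyword is nothing but X's: assumed fingerprint of something
                in the path rewriting the EHLO reply (see lead-in).
    'absent'  - the far end simply does not advertise STARTTLS.
    """
    if STARTTLS in keywords:
        return "offered"
    if any(re.fullmatch(r"X{3,}", k) for k in keywords):
        return "masked"
    return "absent"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: connect, EHLO, classify, then attempt STARTTLS with a
    verifying context so an untrusted (e.g. self-signed) certificate is
    reported separately from a missing STARTTLS offer."""
    result = {"host": host, "starttls": "unknown", "cert_verified": None, "error": None}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo("tls-probe.example.invalid")  # assumed name to present
        result["starttls"] = classify([k.upper() for k in smtp.esmtp_features])
        if result["starttls"] != "offered":
            # Same wording as the appliance log so the two correlate directly.
            result["error"] = f"TLS is required, but was not offered by host {host}"
            return result
        try:
            smtp.starttls(context=ssl.create_default_context())
            result["cert_verified"] = True
        except ssl.SSLCertVerificationError as exc:
            # Handshake reached the certificate, but it is not trusted; TLS is
            # still usable if the peer does not require validation.
            result["cert_verified"] = False
            result["error"] = f"STARTTLS worked but cert not trusted: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()  # close without QUIT; the session may be mid-handshake
    return result


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(probe(target))
```

Run it from a host on the same side of the firewall as the appliance (for example `python probe.py mx4.hotmail.com`) and again from outside; if the outside run reports "offered" while the inside run reports "absent" or "masked", the problem is in the path, which is exactly what the ASA ESMTP inspection turned out to be here. Disabling ESMTP inspection is the coarse fix; later ASA releases add an `allow-tls` parameter to the ESMTP inspection policy map that lets STARTTLS sessions through while keeping inspection for plaintext SMTP, so check your release's command reference before turning inspection off for all mail traffic.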
