Need secure email with our bank. How to configure TLS encryption in SEA?

Our bank has requested we set up TLS encryption to secure email transmission with them. I've begun the setup, but when I test it against hotmail or gmail I get a failure:


TLS is required, but was not offered by host mx4.hotmail.com

- or -

TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com


- I've exported our cert from our Exchange and imported it into SEA...
- Both Exchange and SEA are NATed to the same IP.
- TLS is enabled.
- Our MX record matches our certificate name.


Any assistance would be appreciated or some detailed instructions.
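The two things this thread turns on are visible from the outside: whether a receiving MX advertises STARTTLS in its EHLO reply (the "TLS is required, but was not offered by host" message above means it did not), and whether the certificate it presents chains to a trusted root (a missing intermediate shows up as "unable to get local issuer certificate", the warning CheckTLS.com reports further down). The script below is an added example, not Sophos or SEA code: it parses an EHLO reply for extension keywords and, given a live host, performs the STARTTLS upgrade with full chain and hostname verification so either failure is reported as a plain result instead of a bounced message. The EHLO replies in the constants are constructed samples, and the host names used are placeholders.

```python
"""Check an SMTP destination for STARTTLS support and a verifiable cert chain.

Added example for the thread above, not part of the Sophos Email Appliance.
parse_ehlo() works offline on a captured EHLO reply; probe_starttls() needs
network access and is only called from the __main__ block.
"""
import smtplib
import ssl

# Constructed sample EHLO replies in raw wire form (what a packet capture or a
# CheckTLS.com log shows). The host name is a placeholder.
SAMPLE_EHLO_WITH_TLS = (
    b"250-mail.example.test Hello probe.example.invalid\r\n"
    b"250-SIZE 36700160\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 8BITMIME\r\n"
)
SAMPLE_EHLO_NO_TLS = (
    b"250-mail.example.test Hello probe.example.invalid\r\n"
    b"250-SIZE 36700160\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(ehlo_reply: bytes) -> set:
    """Return the SMTP extension keywords advertised in a raw EHLO reply.

    The first 250 line is the server greeting, not an extension, so it is
    skipped; every later "250-" / "250 " line contributes its first word.
    """
    exts = set()
    first = True
    for line in ehlo_reply.decode("ascii", errors="replace").splitlines():
        if not line.startswith("250"):
            continue  # not part of the EHLO reply
        if first:
            first = False  # "250-<server> Hello ..." greeting line
            continue
        body = line[4:].strip()  # strip "250-" or "250 "
        if body:
            exts.add(body.split()[0].upper())
    return exts


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to host:port, check EHLO for STARTTLS and verify the cert chain.

    ssl.create_default_context() verifies both the chain (against the local
    trust store) and the hostname, so a server whose intermediate is missing
    fails with 'unable to get local issuer certificate' rather than silently
    encrypting to an unverified peer.
    """
    result = {"host": host, "starttls_offered": False, "cert_verified": None,
              "tls_version": None, "subject": None, "error": None}
    ctx = ssl.create_default_context()
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo("probe.example.invalid")  # placeholder client name
        result["starttls_offered"] = smtp.has_extn("starttls")
        if not result["starttls_offered"]:
            # Same condition the appliance reports in the thread above.
            result["error"] = f"TLS is required, but was not offered by host {host}"
            return result
        smtp.starttls(context=ctx)  # raises SSLCertVerificationError on a bad chain
        cert = smtp.sock.getpeercert()
        result["cert_verified"] = True
        result["tls_version"] = smtp.sock.version()
        result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except ssl.SSLCertVerificationError as exc:
        result["cert_verified"] = False
        result["error"] = exc.verify_message or str(exc)
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(probe_starttls(target))
```

Run it as `python probe.py mx.bank.example` (placeholder name) from a host that is allowed to make outbound port 25 connections. A destination that returns `starttls_offered: False` will be rejected by any "TLS required" policy, which is why enforcing TLS for every destination bounces mail to hosts that do not advertise it; `cert_verified: False` with the "local issuer" message is the missing-intermediate case, fixed on the sending side by adding the intermediate to the trusted CA list or, better, by the receiver sending its full chain.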



  • Your answer helped clear up some things similar to this. Maybe you can speak more to this? I assume GoDaddy, a Sophos-managed certificate, would have the whole chain. But I run CheckTLS.com against the Sophos Email Appliance (SEA) and get a warning that the intermediate is "not validated: unable to get local issuer certificate." The handshake looks up the root, certifies and starts the TLS encryption after a second pass, so it encrypts. Don't want to break it, but I may have to add it locally in Configuration | System | Certificates | Trusted Cert Auth, Configuration, Locally-Managed | Add. Thanks for your take on it.

    Patrick

  • Hi Patrick,

    I don't think you could break it by adding your cert to the locally managed section.  I agree, you may need to include the whole chain.

    I did ask the following questions as well...

    Quote from Sophos Support:

    Q:  Should I be concerned about “unable to verify server certificate” if I’m using self-signed certificates?
    A:  No, this is normal behavior; you can get rid of this error if you like by buying a 3rd-party certificate and uploading it to the device.

    Q:  Our Exchange server is listed as untrusted but also appears to use a self-signed cert. Should I be concerned about this?
    A:  No, this is normal behavior; you can get rid of this error if you like by buying a 3rd-party certificate and uploading it to the device.

    Hope this helps.

    Thanks


  • Thanks for that. Here's an update of my results. I use GoDaddy SSL certs. I have since added their "intermediates" to the locally managed tab. The Sophos managed tab does have GoDaddy certificates, but I would say the intermediates are not included or (SOSDW) some other stuff don't work. I added it, tested with CheckTLS.com, and the handshake log was all green/OK. Thanks for the feedback. Patrick