Version 9.508 - report on experience

Version 9.508 is released:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

Maybe we could collect some reports about problems or hopefully no problems. Maybe please tell us about the modules (Network, Web, WAF, Mail, WLAN..) you use if you successful updated to 9.508.

Best
Alex

P.S. With the production system, I'll wait a little bit ;-)

  • Updatet

    Changed my smtp exim

  • In reply to oldeda:

    What changed, Olsi?

    After 2 days on 9.508, no problems seen yet with Firewall, NAT, Routing, Web Filtering, Wireless & SMTP Proxy.

    Cheers - Bob

  • In reply to BAlfson:

    Editet the exim for some tweaks, but i had a backup.

    Not a big deal

  • Since 9,508 the digital signature is considered invalid for emails. However, I don't know if this is an error in email-encrption.

    PS: outgoing Emails...

  • In reply to ThorstenSult:

    Hey Thorsten,

    which client do you use to check the signature, Outlook?

    Best

    Alex

  • In reply to ThorstenSult:

    Thorsten, if you follow the KB article that MBP posted above, deleting and regenerating your S/MIME cert on the 'Internal Users' tab of 'Encryption', does this error still appear after you've sent a signed or encrypted email?

    Cheers - Bob

  • In reply to BAlfson:

    It doesn't matter which email client (Thunderbird, Outlook...) I had already completely reset the CA and re-configured the certificates. The error still exists. I have a SMTP dump for analysis. I'm still waiting for an answer from the support.

  • I dont know if that was before.

    I just put Email Verification with AD. But the rejected Notification says Address Not  Found in Active Directory

    I think the notification must be something else, not to let everyone to see that I have an AD

  • In reply to ThorstenSult:

    Unfortunately I can confirm, that a even with a V9.508 CA created and signed message will lead to an error at the recipient site.

     

    Markus

  • In reply to Markus S.:

    What error does the recipient see, Markus - a picture, maybe?

    Cheers - Bob

  • In reply to BAlfson:

    If the recipient uses f.e. thunderbird he will get:

     

     

    Some recipient bounce our mails and return: the digital signature is invalid.

     

    To be clear: email encryption does not work for us since updating to V9.508!  That's awful. We have about 450 email encryption users an use sophos generated certificates.

    On a 2nd utm whith V9.508 I tested to reset email encryption, created a new ca and created a new user. -> Same error.

     

    In my opinion the statement in kb 131727 is wrong:  "Note: You do not have to regenerate the certs to get S/MIME working. The new engine will work fine without deleting and regenerating certificates. Correcting the SHA1 vulnerability requires certificate regeneration, which will require the users to be deleted and re-added"

     

    Markus

     

     

  • In reply to Markus S.:

    I have revoked my S/Mime and applied again with stonger key. Then I set it up in the email encryption. The error still exists. The signature is invalid for the recipient. I´m still waiting for an answer from the support.

  • Running with it since the soft-release.

    I thin aI see an increased memory usage from the http proxy, anyone seeing this?

     

    810       9345 33.9 36.9 1812024 1484612 ?     Ssl  20:40   0:33 /var/chroot-http/usr/bin/httpproxy -f -c /var/chroot-http -u httppr

    Having 4gb memory in the appliance and it's a 88%, when I shutdown http proxy it moved to 41%.

    Only my private servers are behind and no throughput to talt about :-)

    (Runnning on old UTM 320 appliance with SSD)

    Regards Martin
  • In reply to twister5800:

    I notice that it takes a lot more when it starts httpproxy, Martin, but I have the same device on 9.508 and httpproxy is at 16%.

    Cheers - Bob