Version 9.508 is released:
Maybe we could collect some reports about problems or hopefully no problems. Maybe please tell us about the modules (Network, Web, WAF, Mail, WLAN..) you use if you successful updated to 9.508.
Best
Alex
P.S. With the production system, I'll wait a little bit ;-)
Regarding the new Mail encryption we got the following information from one recipients IT dept. where signed Mails get blocked from their Gateway:
"nicht unsere SPAM-Firewalls blockieren diese Mails, sondern das dahinterliegende E-Mailverschlüsselungsgateway, welches die S/Mime Signatur als nicht RFC konform bemängelt und daher die Mails ablehnt."
=> Sophos´ encryption is not RFC conformal and thus blocked by their gateways
Sophos CA, certs (now SHA512) were recreated after the update. We did not create a new CA cert as this would break many things like ssl proxy etc.
NDR from the external MTA looks like this:
X-ASG-Debug-ID: 1520<removed>f0001-PIMyqA
Received: from <removed> by <removed> with ESMTP id n3UkXHeBZrv8SwzT (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <<removed>; Wed, 07 Mar 2018 10:18:59 +0100 (CET)
X-Barracuda-Envelope-From: <removed>
X-Barracuda-Effective-Source-IP: <removed>
X-Barracuda-Apparent-Source-IP: <removed>
X-CTCH-RefID: str=0001.0A0C0207.5A9FABF0.0349,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
From: "<removed>>
To: "<removed>
Subject: <removed>
X-ASG-Orig-Subj: F<removed>
Thread-Index: AdO18lbdXnyz7fldQ2+CJClq+1bY/g==
Date: Wed, 7 Mar 2018 09:07:59 +0000
Message-ID: <26c8089a06e249a5bc07ae9ed7f69e<removed>>
Accept-Language: de-DE, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [fd30:dd2b:<removed>]
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"
X-Barracuda-Connect: <removed>
X-Barracuda-Start-Time: 1520414339
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://m<removed>mark.cgi
X-Barracuda-BRTS-Status: 1
X-Virus-Scanned: by bsmtpd at <removed>
X-Barracuda-Scan-Msg-Size: 21889
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=2.0 KILL_LEVEL=3.0 tests=BSF_SC0_MISMATCH_TO, HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.48677
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.00 HTML_MESSAGE BODY: HTML included in message
0.00 BSF_SC0_MISMATCH_TO Envelope rcpt doesn't match header
This is an S/MIME signed message
Sophos CA, certs (now SHA512) were recreated after the update. We did not create a new CA cert as this would break many things like ssl proxy etc.
NDR from the external MTA looks like this:
X-ASG-Debug-ID: 1520<removed>f0001-PIMyqA
Received: from <removed> by <removed> with ESMTP id n3UkXHeBZrv8SwzT (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <<removed>; Wed, 07 Mar 2018 10:18:59 +0100 (CET)
X-Barracuda-Envelope-From: <removed>
X-Barracuda-Effective-Source-IP: <removed>
X-Barracuda-Apparent-Source-IP: <removed>
X-CTCH-RefID: str=0001.0A0C0207.5A9FABF0.0349,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
From: "<removed>>
To: "<removed>
Subject: <removed>
X-ASG-Orig-Subj: F<removed>
Thread-Index: AdO18lbdXnyz7fldQ2+CJClq+1bY/g==
Date: Wed, 7 Mar 2018 09:07:59 +0000
Message-ID: <26c8089a06e249a5bc07ae9ed7f69e<removed>>
Accept-Language: de-DE, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [fd30:dd2b:<removed>]
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"
X-Barracuda-Connect: <removed>
X-Barracuda-Start-Time: 1520414339
X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
X-Barracuda-URL: https://m<removed>mark.cgi
X-Barracuda-BRTS-Status: 1
X-Virus-Scanned: by bsmtpd at <removed>
X-Barracuda-Scan-Msg-Size: 21889
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=2.0 KILL_LEVEL=3.0 tests=BSF_SC0_MISMATCH_TO, HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.48677
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.00 HTML_MESSAGE BODY: HTML included in message
0.00 BSF_SC0_MISMATCH_TO Envelope rcpt doesn't match header
This is an S/MIME signed message
KBA with workaround is updated.
In case a third-party certificate with the new algorithms could not be fetched the old behaviour needs to be restored by using the old algorithms.
For that logon via ssh to the commandline ( cli) , get root and execute the following command: cc set smtp encryption_utility smime
After that the old algorithms are used again.
At any point in time later on its possible to switch to the new algorithms by
logging on to the cli and entering: cc set smtp encryption_utility cms
https://community.sophos.com/kb/en-us/131727
__________________________________________________________________________________________________________________
Glad to hear, Sophos is listening and cares.
manbearpig said:KBA with workaround is updated.
In case a third-party certificate with the new algorithms could not be fetched the old behaviour needs to be restored by using the old algorithms.
For that logon via ssh to the commandline ( cli) , get root and execute the following command: cc set smtp encryption_utility smime
After that the old algorithms are used again.
At any point in time later on its possible to switch to the new algorithms by
logging on to the cli and entering: cc set smtp encryption_utility cms
https://community.sophos.com/kb/en-us/131727
-
