TLS 1.2 Mandatory setzen

Hallo Marc,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. )

Since you certainly have a paid subscription, don't do the following until it has been "blessed" by Sophos Support.

There's probably a line (about 297) in /var/chroot-smtp/etc/exim.conf that contains

openssl_options = +no_sslv3

Change that to:

openssl_options +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

And restart the Proxy:

/var/mdw/scripts/smtp restart

In my opinion Sophos should make a KnowledgeBase article for this fix for everyone in Europe.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Thanks Bob. As GDPR is comming, I am sure that will be useful for me too. But of course I will first get in touch with Sophos support. Maybe if enough tickets to that relate they release a kba.

Best

Alex

Thanks for your support, guys.

I sent messages to Sachin Gurung and Karlos with a link to my thread above.  Karlos seems to be an author of several KB articles, so I hope we can look forward to a whole pack of articles that attack the GDPR challenges.

Opening Support Tickets will give more attention to Karlos' suggestions to management.

MfG - Bob (Bitte auf Deutsch weiterhin.)

Thanks Bob !

There's also an Feature Request:  https://ideas.sophos.com/forums/17359-sg-utm/suggestions/32791042-email-protection-tls-version-and-ciphersuite-se

Greetings, Peter

Danke Jungs für die Antworten. Das ist natürlich nicht wirklich eine Ideallösung. Ich hoffe das Sophos hier schnell die Vorschläge umsetzt. Jedoch finde ich keine Aussage bezürglich, was passiert wenn abgelehnt?

Nachdem ja nun ca. 3 Monate vorbei sind kann mir jemand sagen ob sich hier eventuell was getan hat ? Ich komme nicht dazu mich weiter ein zu lesen ...

Are you requiring TLS 1.2 for all outbound connections?  If so, how is that working for you?

For sites that cannot do TLS 1.2, if encryption is not mandatory, then any mail server will fall back from TLS 1.0 to no encryption.   I don't see how that is an improvement in security.

To show compliance with a mandate like this, you really need two things:  (1) a setting to cause the desired behavior in the future, and (2) log data to prove that the setting was in effect at any point in time that might be of interest to an auditor or lawyer.    Fortunately, the SMTP log shows the inbound and outbound cipher settings, if you hunt for it.   

If you can effectively parse the SMTP logs into a database structure, you can respond to audit questions at any level of complexity.   (Look for X=... in the logs to see the way cipher information is represented.)   Also see my post from earlier today for an annotated example of the log data.

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/103336/understanding-the-smtp-logs

If Sophos is really going to help its UTM customer base with GDPR, they really need to make IView into a database tool for querying the logs, rather than leaving it in its present state as a tool for generating beautiful summary reports.   I would be reluctant to give a summary report to a manager unless I knew how to generate the supporting detail, and when I last looked at IView, it could not provide those details.

Wir wollen ja den Fallback verhindern. Sollte ein Server kein TLS 1.2 unterstützen dürfen dort keine Mails hin geschickt werden.
Einen Folgeprozess dazu erarbeiten wir gerade. 

Wir wollen ja den Fallback verhindern. Sollte ein Server kein TLS 1.2 unterstützen dürfen dort keine Mails hin geschickt werden.
Einen Folgeprozess dazu erarbeiten wir gerade. 

Hallo Marc,

das Erzwingen von TLS ist via GUI möglich, TLS 1.2 über die Konsole, siehe Post oben von Bob.

Kommt diese Lösung Deinen Anforderungen nicht nach?

Beste Grüße

Alex

Hallo Zusammen,

wie man von mehreren Stellen lesen kann, akzeptiert Office 365 ab Oktober 2018 nur noch Mailserver die mit TLS 1.2 verschlüsseln, andere Methoden werden nicht unterstützt. Kann man denn in der GUI einstellen, das er erst TLS 1.2 prüfen soll und nur im Notfall mit TLS 1.1 oder 1.0 sendet?

VG Uli

Unknown said:

Hallo Zusammen,

wie man von mehreren Stellen lesen kann, akzeptiert Office 365 ab Oktober 2018 nur noch Mailserver die mit TLS 1.2 verschlüsseln, andere Methoden werden nicht unterstützt. Kann man denn in der GUI einstellen, das er erst TLS 1.2 prüfen soll und nur im Notfall mit TLS 1.1 oder 1.0 sendet?

VG Uli

 

Genau das ist das Standardverhalten, entsprechendes Fallback TLS 1.2 -> 1.1 -> 1.0 -> unverschlüsselt.

Alex

Alexander Busch said:

Hallo Marc,

das Erzwingen von TLS ist via GUI möglich, TLS 1.2 über die Konsole, siehe Post oben von Bob.

Kommt diese Lösung Deinen Anforderungen nicht nach?

Beste Grüße

Alex

 

Sorry für die späte Antwort. Dies kommt schon der Anforderung nach jedoch muss die Änderung über die Console nach jedem Update erneut durchgeführt werden.

Ab 9.510 kann die TLS-Version über den Webmin gesetzt werden!

9.510 is not yet perfected.  See Sophos UTM 9.510-4 released - let's share experiences! to confirm that one of the glitches mentioned is not a showstopper for your installation.

Cheers - Bob

Die TLS Probleme wurden mit der 9.510-5 behoben.

Was passiert nun mit MTA, die kein TSL unterstützen? Wird die Mail einfach gedropt? Gibt es eine Möglichkeit, den Log relativ einfach danach zu filtern oder dem Sender eine Nachricht zu schicken, dass wir nur TLS 1.2 akzeptieren (oder passiert das sogar schon)?

You need to look at your logs.   There will be some kind of rejection message.   Below is an example of the log file entries for an incoming message which was accepted and delivered.   A rejected message will have a disconnect during Exim-in. 

A server which cannot connect with encryption is likely to attempt reconnection without encryption.

Identifiable data in this example has been redacted.

Mesages flow from exim-in to smtpd to exim-out
Exim-In uniquely identifies this message as 1gI4Ci-00068x-2h (rows 4, 5, 6, 8, 9, 11, 12)
Exim-Out uniquely identifies this message as 1gI4Cq-00069A-41 (rows 9, 10, 13, 14)

Rows 1,2,3, and 7 are essentially useless because they cannot be matched to a specific mail message.

Row 9 is the critical row for connecting the Exim-In records to the Exim-Out records.
Row 10 contains the data used for Message Manager

Row 4 is the DKIM status report.
Row 5 "ctasd reports unknown" is the antivirus scan result
Row 6 has the encryption details for the incoming connection
Row 13 has the encryption details for the outgoing connection

1) 2018:11:01-00:03:32 defense exim-in[9851]: 2018-11-01 00:03:32 SMTP connection from [<SourceIP>]:47317 (TCP/IP connection count = 1)

2) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 H=<SourceHost> [<SourceIP>]:47317 Warning: ToCompany.com profile excludes greylisting: Skipping greylisting for this message
2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 H=<SourceHost> [<SourceIP>]:47317 Warning: ToCompany.com profile excludes SANDBOX scan

3) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 [<SourceIP>] F=<FromUser@FromDomain.com> R=<ToUser@ToCompany.com> Accepted: from relay

4) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 1gI4Ci-00068x-2h DKIM: d=FromDomain.com s=selector1 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]

5) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 1gI4Ci-00068x-2h ctasd reports 'Unknown' RefID:str=0001.0A02020E.5BDA7B14.0065,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0

6) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 1gI4Ci-00068x-2h <= FromUser@FromDomain.com H=<SourceHost> [<SourceIP>]:47317 P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=15225 id=D0A5A79D8EFA4D12809375CC11D45FB7@mmi.local

7) 2018:11:01-00:03:32 defense exim-in[23619]: 2018-11-01 00:03:32 SMTP connection from <SourceHost> [<SourceIP>]:47317 closed by QUIT

8) 2018:11:01-00:03:34 defense smtpd[9843]: QMGR[9843]: 1gI4Ci-00068x-2h moved to work queue

9) 2018:11:01-00:03:40 defense smtpd[23632]: SCANNER[23632]: 1gI4Cq-00069A-41 <= FromUser@FromDomain.com R=1gI4Ci-00068x-2h P=INPUT S=2511

10) 2018:11:01-00:03:40 defense smtpd[23632]: SCANNER[23632]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="<SourceIP>" from="FromUser@FromDomain.com" to="ToUser@ToCompany.com" subject="eStatement Ready for Pickup" queueid="1gI4Cq-00069A-41" size="2511"

11) 2018:11:01-00:03:40 defense smtpd[23632]: SCANNER[23632]: 1gI4Ci-00068x-2h => work R=SCANNER T=SCANNER

12) 2018:11:01-00:03:40 defense smtpd[23632]: SCANNER[23632]: 1gI4Ci-00068x-2h Completed

13) 2018:11:01-00:03:40 defense exim-out[23635]: 2018-11-01 00:03:40 1gI4Cq-00069A-41 => ToUser@ToCompany.com P=<FromUser@FromDomain.com> R=static_route_hostlist T=static_smtp H=<TargetIP> [<TargetIP>]:25 X=TLSv1.2:AES128-SHA256:128 C="250 2.6.0 <D0A5A79D8EFA4D12809375CC11D45FB7@mmi.local> [InternalId=18992] Queued mail for delivery"

14) 2018:11:01-00:03:40 defense exim-out[23635]: 2018-11-01 00:03:40 1gI4Cq-00069A-41 Completed

Hallo Max,

Erstmal herzlich willkommen hier in der Community !

(Sorry, my German-speaking brain isn't creating thoughts at the moment. )

Thanks, Doug, you gave me the following idea.

I believe that messages using TLSv1.1 will be rejected if you have selected a minimum TLS version of 1.2.  I don't expect that anyone uses TLSv1.0 anymore or has no TLS capability, but I don't know that for a fact.

You can check to see which of your correspondents used TLSv1.1 this year with the following at the command line:

 # zgrep 'TLSv1.1' /var/log/smtp/2018/*/* |grep -oP '<= .*? H=' |sort -n|uniq -c|sort -n

You could then email the ones you want to continue receiving mail from that they should have their mail server upgraded to do TLSv1.2.

MfG - Bob (Bitte auf Deutsch weiterhin.)