TLS - Outbound TLS certificate presentation

In which log are you seeing this?

Cheers - Bob

This log was provided by the counter part. They said, if we do not present a certificate in our outgoing email they'll have to lower security on their end to make TLS work.

Please show a picture of the 'TLS Settings' section of the 'Advanced' tab in 'SMTP'.  Also, paste here the SMTP log lines corresponding to the line above where they say TLS was not negotiated.

Cheers - Bob

TLS as such is successful. They don't say TLS was not negotiated, but that the TLS certificate is not presented. In the SMTP logs we cannot find anything in regards to certificate verification.

What do you get from https://www.checktls.com/TestSender and https://www.checktls.com/TestReceiver?

Cheers - Bob

The Test Receiver is fine. The certificate is being validated:

STARTTLS command works on this server
Connection converted to SSL
Certificate 1 of 3 in chain: Cert VALIDATED: ok
Certificate 2 of 3 in chain: Cert VALIDATED: ok
Certificate 3 of 3 in chain: Cert VALIDATED: ok
TLS successfully started on this server

The Test Sender is successful, however, does not seem to validate a certificate:

The transcript of the eMail SMTP session is below, with:
--> this is a line from your email system to us (~~> when encrypted)
<-- this is a line to your email system from us (<~~ when encrypted)
=== this is a line about the tls negotiation (cypher, cert, etc)
*** this is an error, warning, or info line that the test found

<-- 220 ts6.checktls.com ESMTP TestSender Thu, 14 Jun 2018 02:27:30 -0400
--> EHLO mx.domain.com
<-- 250-ts6.checktls.com Hello  [IP], pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 Ready to start TLS
====tls negotiation successful (cypher: AES256-GCM-SHA384)
client cert:
Subject Name: undefined
Issuer  Name: undefined
~~> EHLO mx.domain.com
<~~ 250-ts6.checktls.com Hello  [IP], pleased to meet you
<~~ 250-ENHANCEDSTATUSCODES
<~~ 250-8BITMIME
<~~ 250 HELP
~~> MAIL FROM:<sender@domain.com>
<~~ 250 Ok - mail from sender@domain.com
~~> RCPT TO:<test@testsender.checktls.com>
<~~ 250 Ok - recipient test@testsender.checktls.com
~~> DATA
<~~ 354 Send data.  End with CRLF.CRLF
.....
<~~ 250 Ok
~~> QUIT
<~~ 221 ts6.checktls.com closing connection

I hadn't noticed that.  Interestingly, the same happens for a mail account that I have that's hosted by Google.

Cheers - Bob

I'm running into a similar issue with a customer of mine.  One of their vendors is requiring Certificate Verification on both ends for SMTP.  I don't actually see an option in the Sophos UTM to even enable or enforce this, and my experience with SMTP in general (not just sophos but mail servers) is that they do no Certificate Verification.  They use TLS and accept / negotiate the TLS connection without any verification.. And this allows you to even use self signed certs..

So does the UTM actually have this ability?

Marv, please get a case open with Sophos Support.  When you get a case#, PM sachingurung with the # and a link to your post here.  I suspect that the customer is confused about this, but I would rather have a formal statement from Sophos.

Cheers - Bob