
How do I determine what version of TLS my UTM is using when sending email?

  • 'TLS Settings' on the 'Advanced' tab of 'SMTP'.  Is that what you were looking for, Steve?

    Note that selecting TLSv1.2 doesn't guarantee that it will be used unless you specify that it must in the configuration options following that.  The Proxy will start with 1.2 and will fall back to 1.1, 1.0 and no TLS in sequence if the other MTA doesn't support the higher level.

    To see how many were sent using the various versions of TLS this year:

    secure:/home # zgrep  'exim-out' /var/log/smtp/2019/*/*|grep 'R=dnslookup'|grep -oP 'TLS.*?\:'|sort -n|uniq -c
          6 TLSv1:
        444 TLSv1.2:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
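    An added example, not from the thread or from Sophos: a small shell script that extends Bob's pipeline so that deliveries made with no TLS at all are counted as well, and that lists the destination hosts those unencrypted deliveries went to. The sample log lines are constructed to follow Exim's delivery log layout (the X= field carries the negotiated TLS version); that the UTM's exim-out lines use the same layout is an assumption.

```shell
# Added example (not from the thread). Tally outbound SMTP-proxy deliveries per
# TLS version, including those that negotiated no TLS, which the zgrep above
# cannot show because it only prints lines that contain "TLS".
# Constructed sample log lines; layout assumed from Exim's delivery log format.
SAMPLE_LOG='2019-05-01 10:00:01 exim-out[1234]: 1hM0aa-0001Ab-Cd => bob@example.net R=dnslookup T=remote_smtp H=mx1.example.net [192.0.2.10] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes
2019-05-01 10:05:12 exim-out[1240]: 1hM0ab-0001Ac-Ef => carol@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5] X=TLSv1:AES256-SHA:256 CV=no
2019-05-01 10:07:45 exim-out[1251]: 1hM0ac-0001Ad-Gh => dave@example.com R=dnslookup T=remote_smtp H=mail.example.com [203.0.113.7]
2019-05-01 10:09:00 exim-out[1260]: 1hM0ad-0001Ae-Ij => erin@example.net R=dnslookup T=remote_smtp H=mx2.example.net [192.0.2.11] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes
2019-05-01 10:10:00 exim-in[1270]: 1hM0ae-0001Af-Kl <= frank@example.com H=mail.example.com [203.0.113.7]'

# stdin: exim log lines; stdout: "<count> <version>" per line, "none" for no TLS
tls_tally() {
  grep 'exim-out' | grep 'R=dnslookup' | awk '
    {
      v = "none"
      for (i = 1; i <= NF; i++)
        if ($i ~ /^X=TLS/) { split(substr($i, 3), p, ":"); v = p[1] }
      n[v]++
    }
    END { for (v in n) print n[v], v }' | sort -k2
}

# stdin: exim log lines; stdout: H= of every dnslookup delivery made without TLS,
# so the remote MTAs that still force a plaintext fallback can be reviewed
tls_none_hosts() {
  grep 'exim-out' | grep 'R=dnslookup' | grep -v ' X=TLS' | grep -o 'H=[^ ]*' | sort | uniq -c
}

# Usage on the sample data (on a UTM, feed it the real logs instead):
#   zcat /var/log/smtp/2019/*/* | tls_tally
printf '%s\n' "$SAMPLE_LOG" | tls_tally
printf '%s\n' "$SAMPLE_LOG" | tls_none_hosts
```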
  • You could use a web service for that. I use for that.

    Best regards

    Alex


  • Alex, that would always give TLSv1.2, but if his SMTP Proxy were to connect with an MTA that only has TLSv1.1, it would drop back to that and use it.

    GDPR requires TLSv1.2, so I imagine that setting the minimum TLS to that and requiring it of "Any" makes sense in Europe.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I agree, but unless you’re a very, very big company, you can’t simply disable plain and enforce TLS. There is this little percentage with plain smtp out there.

    In (my) world you have to negotiate with everyone you exchange GDPR-related emails with, and you end up enforcing TLS. Did that with a bank here in Germany 2 weeks ago. Their approach is enforcing TLS. UTM is not ideal for that because you can enforce mail servers, but not domains.

    Best regards

    Alex


  • Agreed, Alex, I think I posted late last year about an approach to enforce SMTP TLSv1.2.  What do you mean by enforcing domains?  You mean with WAF?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I mean in UTM you can enforce TLS only for specific hosts. Not possible for an email domain like @company.com.

    For small companies no real problem, but if one uses a cluster of several hosts, or they change their MX host for some reason without letting you know, the enforcement is gone. Not sure if some cloud-based spam protection services change their hosts more often, but this could be an example.

    So it would be better if UTM allowed specifying @company.com instead of, or as an alternative to, a host.

    Best regards

    Alex


    Your request for this feature brings out all of my frustration with the email filtering market for small and medium enterprises. I am frustrated with Sophos, but they are not alone.

    Sophos now has 5 different mail filtering products: PureMessage, UTM, XG, SEA, and Reflexion. These products appear to cover most of the possible deployments (Exchange embedded, appliance, and cloud) -- only hybrid is missing. It may be significant that at least 3 of the 5 are acquisitions. Sophos has a UTM/XG product manager, but is there an email architecture manager who is driving all of their email security products to a minimum-necessary set of security defenses?

    I wonder how much information flow occurs between their corporate email security teams and their product development teams. They have glaring omissions which should be obvious to anyone who has to operate email defenses. Among them:

    • Replacing EXIM because it cannot filter on From Addresses.
    • Implementing DMARC policy enforcement because it is mature and fully implemented by large mailers like gmail and paypal.
    • Implementing host name filtering, preferably based on forward-confirmed HELO/EHLO, probably with fallback to reverse DNS when needed to reduce ambiguity.
    • Techniques to work around senders with ambivalent and therefore useless SPF/DKIM/DMARC policies.  (I have a much longer document that develops this point in detail.)
    • Multi-factor whitelisting.   Assume that @example.com uses servers from *.hostingservice.com.  I only want to whitelist that combination.   I do not want to whitelist spammers pretending to be @example.com.  I do not want to whitelist the other clients using hostingservice.com.   And I certainly do not want to keep track of all possible IP address for hostingservice.com.  Why is it so hard to find a product that understands that whitelisting is conceptually different from blacklisting?
    • As you said, TLS requirements that can be specified based on host, IP, or domain, for either message flow direction.   Also, requirements that can be expressed using either a mandatory-if-specified list or mandatory-unless-specified list.

    Replacing EXIM is the only piece that is conceptually difficult software to implement. What seems to be lacking is either attention to the problem or an understanding of the problem.

    I think there is a huge opportunity for the vendor who implements these features at an SME price point.