
SPX not encrypting using Sophos CCLs

I have SPX enabled on my UTM (9.4.x) and it's working great if I use the Custom Rule keyword that I set up, but it's not working correctly when I try to send a test email to check the functionality of the Sophos CCLs that I've selected. Below is a test email I sent that came through without encryption. I have "Banking routing numbers with qualifying terms [Global]" and "Social Security Numbers [USA]" both checked under the Sophos CCLs (along with several others), but it doesn't seem to work.

********************

Testing for things like SSN 123-45-6789 or Routing 052000113

********************

Headers:

Received: from BN6PR04MB1106.namprd04.prod.outlook.com (10.173.199.11) by
 DM5PR04MB1117.namprd04.prod.outlook.com (10.173.172.151) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.218.12 via Mailbox Transport; Fri, 10 Nov 2017 16:17:16 +0000
Received: from BN3PR0401CA0017.namprd04.prod.outlook.com (10.162.159.155) by
 BN6PR04MB1106.namprd04.prod.outlook.com (10.173.199.11) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.197.13; Fri, 10 Nov 2017 16:17:14 +0000
Received: from CO1NAM05FT048.eop-nam05.prod.protection.outlook.com
 (2a01:111:f400:7e50::203) by BN3PR0401CA0017.outlook.office365.com
 (2a01:111:e400:51d1::27) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.218.12 via Frontend
 Transport; Fri, 10 Nov 2017 16:17:14 +0000
Authentication-Results: spf=pass (sender IP is xx.xx.xx.xx)
 smtp.mailfrom=xxxxxxxxxxx.com; xxxxxxxxxxx.com; dkim=none (message
 not signed) header.d=none;xxxxxxxxxxx.com; dmarc=pass action=none
 header.from=xxxxxxxxxxx.com;
Received-SPF: Pass (protection.outlook.com: domain of xxxxxxxxxxx.com
 designates xx.xx.xx.xx as permitted sender) receiver=protection.outlook.com;
 client-ip=xx.xx.xx.xx; helo=asg.xxxxxxxxxxx.com;
Received: from asg.xxxxxxxxxxx.com (xx.xx.xx.xx) by
 CO1NAM05FT048.mail.protection.outlook.com (10.152.96.163) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.218.12 via Frontend Transport; Fri, 10 Nov 2017 16:17:13 +0000
Received: from exch.xxxxxxxxxxx.local ([xx.xx.xx.xx]:53813 helo=mail.xxxxxxxxxxx.com)
    by asg.xxxxxxxxxxx.com with esmtps (TLSv1.2:AES256-SHA:256)
    (Exim 4.82_1-5b7a7c0-XX)
    (envelope-from <nkodak@xxxxxxxxxxx.com>)
    id 1eDBzQ-0007Yy-10
    for nathan@xxxxxxxxxxx.com; Fri, 10 Nov 2017 11:17:08 -0500
Received: from EXCH.xxxxxxxxxxx.local (10.10.10.24) by
 EXCH.xxxxxxxxxxx.local (xx.xx.xx.xx) with Microsoft SMTP Server
 (TLS) id 15.0.1210.3; Fri, 10 Nov 2017 11:17:08 -0500
Received: from EXCH.xxxxxxxxxxx.local ([::1]) by
 EXCH.xxxxxxxxxxx.local ([::1]) with mapi id 15.00.1210.000; Fri, 10
 Nov 2017 11:17:08 -0500
From: Nathan Kodak <nkodak@xxxxxxxxxxx.com>
To: "nathan@xxxxxxxxxxx.com" <nathan@xxxxxxxxxxx.com>
Subject: Test for SPX
Thread-Topic: Test for SPX
Thread-Index: AQHTWj9aKUk6Mn1WjEyfENqxDV2KuQ==
Date: Fri, 10 Nov 2017 16:17:07 +0000
Message-ID: <cc68eee5ae1d4e2c9c99a90228e3b147@EXCH.xxxxxxxxxx.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [xx.xx.xx.xx]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Return-Path: nkodak@xxxxxxxxxxxxxx.com

This thread was automatically locked due to age.
  • Hey, Nathan.

    In order to help, I would rather see the logs from the UTM side instead of the message header.

    Regards,

    Giovani

  • Hey,

    As mentioned, please also provide the SMTP logs from your UTM.

    To ensure a valid test sample, make sure that you are using a bank routing number or Social Security number generator tool online.
    Your test sample data may superficially look like the format, but the numbers themselves will have to pass certain checks to be valid and match CCLs.

    Also please note that each CCL has a certain quantity of matches that has to be met in order for the CCL to be triggered and for the policy actions to be taken.
    Please see below the screenshots I have taken on my UTM v9.5 to show you the quantities for your aforementioned CCLs.

    Regards,

    FloSupport | Community Support Engineer


    Florentino
    Director, Global Community & Digital Support

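The reply above makes two points about why a test message may sail through a CCL: the number must pass a validity check, not just look like the right format, and each list only fires once a minimum quantity of valid matches is reached. The script below is an added illustration of both mechanisms and is not part of this thread or of Sophos's CCL engine. It applies the standard ABA routing-number check digit (weights 3, 7, 1 repeating, sum mod 10) and the SSA structural rules for SSNs, then counts valid hits against a per-list threshold. The thresholds, the qualifying-term list and the context window are placeholders (the screenshots with the real quantities are not reproduced on the page), and both sample bodies are constructed, the first one copied from the test message in the original post.

```python
import re

# Constructed sample: the body of the test message quoted in the original post.
SAMPLE_BODY = "Testing for things like SSN 123-45-6789 or Routing 052000113"

# Constructed bulk sample with several candidates, one of them checksum-invalid.
BULK_BODY = ("Payroll file: routing numbers 052000113, 021000021 and 123456789; "
             "SSNs 123-45-6789, 234-56-7890, 345-67-8901.")

ROUTING_RE = re.compile(r"\b(\d{9})\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical qualifying terms; the real CCL term list is not on the page.
QUALIFYING_TERM_RE = re.compile(r"\b(routing|aba|rtn|transit)\b")


def aba_checksum_ok(rtn: str) -> bool:
    """Standard ABA routing transit number check: weights 3,7,1 repeating, sum mod 10 == 0."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_routing_numbers(text: str, require_term: bool = True, window: int = 40) -> list:
    """Checksum-valid 9-digit numbers; with require_term, only those near a qualifying term."""
    lowered = text.lower()
    hits = []
    for m in ROUTING_RE.finditer(text):
        if not aba_checksum_ok(m.group(1)):
            continue  # looks like a routing number but fails the check digit
        if require_term:
            context = lowered[max(0, m.start() - window): m.end() + window]
            if not QUALIFYING_TERM_RE.search(context):
                continue
        hits.append(m.group(1))
    return hits


def find_ssns(text: str) -> list:
    """Correctly formatted SSNs that also pass the structural rules."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text) if ssn_structure_ok(*m.groups())]


def evaluate(text: str, thresholds: dict) -> dict:
    """Count valid matches per list and report whether each reaches its (hypothetical) threshold."""
    counts = {"routing": len(find_routing_numbers(text)), "ssn": len(find_ssns(text))}
    return {
        name: {"count": n, "threshold": thresholds[name], "triggered": n >= thresholds[name]}
        for name, n in counts.items()
    }


if __name__ == "__main__":
    # Placeholder thresholds: the real per-CCL quantities are in screenshots not reproduced here.
    thresholds = {"routing": 2, "ssn": 3}
    for label, body in (("single-hit test", SAMPLE_BODY), ("bulk sample", BULK_BODY)):
        print(label, evaluate(body, thresholds))
```

Running it shows the two failure modes separately: the single-hit test body contains one checksum-valid routing number and one structurally valid SSN, so with any threshold above one neither list fires, while the bulk sample reaches both placeholder thresholds even though one of its routing-number candidates is discarded by the check digit. Whether the real CCLs also require a qualifying term (as the "with qualifying terms" list name suggests) is an assumption in this script, controlled by the require_term flag.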