TLS Certificate in MTA Mode

Hi all,

Does anyone have a decent walk-through explaining how to get a server cert onto an XG? I'm in MTA mode but using the appliance CA. I have a GoDaddy cert for my 2016 Exchange server and I'm assuming that can be imported somehow, maybe. I see this message on the SMTP TLS config screen: "While in MTA Mode, it is recommended to use Server Certificate instead of CA Certificate".

Do I need to convert my GoDaddy cert to a specific format and if so, how? I've messed around with it before and didn't get anywhere.

  • Hey Gary Krinner,

    Please take a look at the following KB article below:

    Sophos Firewall: How to enable secure SMTP email communication using certificate authorities


    FloSupport | Community Support Engineer

  • In reply to FloSupport:


    I tried to configure geotrust and rapidssl certificates in the SMTP TLS Configuration.

    Same results for all.

    When I try to verify, I get the same error on the checktls web page or others:

    Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate

    CA Root and Intermediate CA installed too.

    Published mail web server works without issues.

    Firmware SFOS 17.5.7 MR-7

    Any ideas?

  • In reply to Joan Miquel Gurdo:

    Sorry, I have none. I gave up on this a while ago. 

  • In reply to Gary K:

    Solved!!!
    Only if needed:
    Import the certificates to a Windows machine:
    Intermediate CA
    and domain certificate with the KEY.
    Export the certificate (check the box for the complete certificate chain) from Windows in PFX format.
    With OpenSSL convert it to PEM.
    Open the PEM with a text editor and separate the key into a new file .key; leave the rest of the certificates intact, or add the Intermediate CA and Root CA at the end of the file.
    Your PEM certificate now contains the whole certificate chain.
    Import the certificate in Sophos and use this for SMTP SSL.
    Et voilà!!
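The PFX-to-PEM steps from the last reply, scripted so the split and the chain order can be checked before import. This is an added example, not code from the thread or from Sophos: `make_test_pfx` builds a constructed throwaway CA and leaf for `mail.example.test` in place of a real Windows export, and `chain_ok` repeats the check that produced the "unable to get local issuer certificate" error above (the first certificate must verify against the ones that follow it).

```shell
#!/bin/sh
# Added example: convert a Windows .pfx export to PEM, move the private key into
# its own .key file and write the certificates, leaf first, to a .pem file.
set -eu
# pfx_to_pem PFX PASSWORD OUT.pem : the OpenSSL conversion step from the post.
# OpenSSL 3 may additionally need -legacy for old RC2-encrypted Windows exports.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -nodes -passin "pass:$2" -out "$3" 2>/dev/null
}
# split_bundle BUNDLE OUT.key OUT.pem : key to OUT.key; certificates to OUT.pem,
# the one matching the key first (the order in the pkcs12 output varies).
split_bundle() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.pem" }
        /-----BEGIN CERTIFICATE-----/   { out = dir "/cert" (++n) ".pem" }
        out != "" { print > out }
        /-----END / { close(out); out = "" }' "$1"
    cp "$dir/key.pem" "$2"
    : > "$3"
    want=$(openssl pkey -in "$2" -pubout 2>/dev/null)   # public half of the key
    for c in "$dir"/cert*.pem; do                       # leaf (key holder) first
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$want" ]; then cat "$c" >> "$3"; fi
    done
    for c in "$dir"/cert*.pem; do                       # then intermediate / root
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" != "$want" ]; then cat "$c" >> "$3"; fi
    done
    rm -rf "$dir"
}
# chain_ok CERTS.pem : does the first certificate verify against the rest?
chain_ok() {
    awk '/BEGIN CERT/ { n++ } n == 1' "$1" > "$1.leaf"
    awk '/BEGIN CERT/ { n++ } n > 1'  "$1" > "$1.rest"
    openssl verify -CAfile "$1.rest" "$1.leaf" >/dev/null 2>&1
}
# make_test_pfx DIR PASSWORD : constructed sample only, a throwaway CA and a
# leaf certificate packed into DIR/export.pfx the way Windows exports them.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=ConstructedTestCA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.crt" \
        -certfile "$1/ca.crt" -passout "pass:$2" -out "$1/export.pfx"
}
```

Run `pfx_to_pem`, then `split_bundle`, then `chain_ok` on the resulting .pem; a failing `chain_ok` means an intermediate or root is missing from the file, which is what the checktls error reports.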