

Sophos Central E-Mail - S/MIME signed emails are getting invalid

Hey Folks,

We are evaluating Sophos Central E-Mail and experiencing issues with incoming S/MIME signed e-mails. The signature is getting invalid, and our security appliance cannot validate the signature/certificate anymore. E-mails from the same sender that are not routed via E-Mail Central don't have any issues.

We already created an exception in data control (forward incoming signed e-mails to new gateway) which always applies successfully, but there is still something happening or getting changed on the email.

Are there any issues known with signed e-mails? Or what else can we do?

Thx a lot in advance.

Regards

Peter



  • Hello Peter,

    Thank you for contacting the Sophos Community.

    Have you reached out to your Sales Engineer about this? Usually, they’ll assist you during the testing/implementation phase or PoC.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Yes we did, but nevertheless we ordered the licenses now and I think it doesn't matter if it's an evaluation or a live use case.

    There was a known issue, XGE-15978, but there is no update to be found on whether this problem is solved now.

  • Did you get any new information on this?

    We got the same problem with Sophos Central E-Mail.

    Regards

    Simon

  • Not really, turning in circles with support for almost 4 weeks now.

    Do you use smartbanners? We have the problem that some signed emails get a smartbanner applied, hence the signature is invalid; some emails do not, and the signature is valid (same sender). Other senders always have an invalid signature, e.g. DHL shipping notifications. We also tried to disable the smartbanner feature, but this doesn't change everything.

    IMHO, there are problems with the recognition of signed emails in the Sophos backend.

  • Same problem at our end with enabled Smart Banners and Time-of-Click Protection. Will probably always be the case as soon as Sophos changes anything in the content of the email. It could be possible that the last mile to the email client has to be re-signed. Just like the firewall does with SSL connections.

  • Time-of-Click Protection is a good point as well. Didn't think about that.

    Nevertheless, I don't get why there are some emails which are valid and neither smartbanners nor TOC Protection are applied, and others not. Sophos just needs to apply a rule in the backend that signed emails will never get touched and stay unchanged. I don't want to create an exception again for senders which send signed emails.

  • There is an option for disabling the rewriting - totally overlooked this:

    There should be additional info that securely signed messages will get altered and get an invalid signature.

    This option should be available for SmartBanners too.

  • Hi,

    we have the same problem with smart banners and Time-of-Click Protection enabled...

    Peter

  • There is no option for smartbanners at the moment. You have to disable them completely if you want to get rid of invalid signed emails.
    For TOC there is an option available.

    GES told us TODAY, after turning in circles for months with support, that there is a feature request open:

    Feature Request ID : CEMA-I-225
    Description of the Feature Request:
    When an incoming email is S/MIME signed and a banner from the email security end-user message is added then the signature is broken. Partner would like to be able to filter S/MIME signed message to apply to a policy without banners without disabling banners from the policy so it can apply for other emails

    We could have saved so much time if someone had told us earlier. Instead, a lot of samples, testing, support sessions etc....  :-(

    But I still don't understand why some signed mails don't get the smart banners and the signature is still valid, and others are getting invalid.

  • We have the same problem. Any news about the feature request?
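
Added example, not part of the original thread and not Sophos code: a Python sketch of why the banner and URL rewriting discussed above invalidate a detached S/MIME signature, and of the "never touch signed mail" check the posters ask for. The sample message, banner text and `gateway_rewrite` step are constructed assumptions, and SHA-256 stands in for whatever digest the sender's `micalg` names.

```python
import hashlib
from email import message_from_bytes

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
BANNER = b"[EXTERNAL] This message originated outside your organization.\r\n"  # constructed

# Constructed sample: detached-signature S/MIME mail; the signature blob is a placeholder.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: Shipping notification\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    b'micalg=sha-256; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Track your parcel: https://example.com/track\r\n"
    b"--b1\r\n"
    b'Content-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"
    b"--b1--\r\n"
)

def is_smime_signed(raw: bytes) -> bool:
    """True for detached (multipart/signed) or opaque (signed-data) S/MIME signatures."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return str(msg.get_param("protocol", "")).lower() in SIG_PROTOCOLS
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "")).lower() == "signed-data"
    return False

def signed_entity(raw: bytes) -> bytes:
    """Bytes of the first body part, which a detached signature's digest covers."""
    delim = b"--" + message_from_bytes(raw).get_boundary().encode()
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    return raw[start:raw.index(b"\r\n" + delim, start)]

def digest(raw: bytes) -> str:
    return hashlib.sha256(signed_entity(raw)).hexdigest()

def gateway_rewrite(raw: bytes, skip_signed: bool) -> bytes:
    """Hypothetical gateway step for multipart mail: put a banner at the top of the body."""
    if skip_signed and is_smime_signed(raw):
        return raw  # signed mail stays byte-for-byte intact
    entity = signed_entity(raw)
    headers, _, body = entity.partition(b"\r\n\r\n")
    return raw.replace(entity, headers + b"\r\n\r\n" + BANNER + body, 1)
```

Comparing `digest(SAMPLE)` with `digest(gateway_rewrite(SAMPLE, skip_signed=False))` shows the mismatch a mail client reports as an invalid signature; with `skip_signed=True` the message is returned unchanged.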