

Sophos Secure Message? Where is it?

Up until recently we used the old Sophos Email Appliance, and were able to add a keyword to the subject line to force SPX encryption (where it would encrypt as a PDF with a password).  

I'm having a hard time trying to replicate this now that we've moved to Sophos Email in Sophos Central.  I would really like to utilize the Portal Encryption, but I don't see that option anywhere in Sophos Central.  Is this a separate licensed product?  I can't find much information about it.  

I also am having a hard time understanding the settings in the "Base Policy - Secure Message" area.  Currently for outbound settings we have it set to Secure using TLS, Prefer TLS 1.3, and also "Allow unencrypted delivery".  This was checked by default, even though it says "not recommended".  In the logs, 90% of our outgoing emails say "Secure message", and the other 10% say "Legitimate".  If I turn off "Allow unencrypted delivery", will those messages fail?  I'm unsure really what the difference is here.

  • Our clients communicate with Governments and international companies and all support TLS1.2

    This isn’t a Sophos issue. If you need to transmit insecure email, change the settings accordingly to allow insecure email.

  • We used Sophos SG/UTM in the past for years and never had any issues with TLS 1.2 and these domains. Now with Sophos Central Email the issues showed up with a few certain domains. Even when using the option "require tls 1.2" it's not working! Using the option allow unencrypted is the only way at the moment to get emails out for these certain domains. Hence something needs to get fixed, because I don't understand why our former SG system, or any other mail system, e.g. M365, works without any issues.

    And don't worry, we have a separate email encryption system, where confidential data gets encrypted if necessary, before sending out.

  • In my opinion it is definitely a Sophos issue, because there are too many domains affected in the meantime where this happens.

    Even  domain has problems, or would you say Apple is not able to set up their email servers accordingly?

    Aug 9 15:46:51 Queue: 4RLWYz2q0tz1Lkg: to=<>,[]:25, delay=4, delays=0.01/0/0.2/3.8, dsn=5.0.0, status=bounced (host[] said: 550 XGEMAIL_0006 Command rejected : Preferred TLS 1.3 (in reply to RCPT TO command))

    Maybe you are not experiencing those issues, because you are using US or other Sophos servers. But with EU Central servers there are definitely problems.

  • Peter, thanks for the information. One of the enhancements we are working on in our Message History logs is to expose to the admin what level of TLS was attempted and used in message delivery and attempts. I wonder and will investigate if it is actually not the version of TLS affected but the ciphers used that are causing some of the issues. 

    The 550 XGEMAIL_0006 means - Returned when the message is rejected because the TLS version used did not match the version configured in customer policy. 

    Let me have the team look at the message. If you already have a support ticket open, please forward the ticket number to me at tom[.]foucha[@]sophos[.]com; if you do not have one open, please do so; it makes tracking it simpler.

  • Thank you very much, email is on the way.

    The extended history log of the TLS version is urgently needed. Glad to hear you are working on it.

    Btw, when using the verify certificate option, errors are raised and we even have problems sending emails to

    Aug 9 17:04:05 Queue: 4RLYH83lXzz1Lkg: to=<>,[]:25, delay=1.4, delays=0.02/0/0.2/1.2, dsn=5.0.0, status=bounced (host[] said: 550 XGEMAIL_0006 Command rejected : Preferred TLS 1.3 (in reply to RCPT TO command))

    In the meantime we have round about 60 domains affected, which need to be excluded from the main Preferred TLS 1.3 policy with the allow unsecure option enabled, containing, as already mentioned, domains of big governments, institutions, universities etc. Hence I can't and I won't believe it's a configuration issue on the recipient side.
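
An added example, not part of the thread and not Sophos tooling: a small Python parser that pulls the `550 XGEMAIL_0006` TLS-policy bounces out of delivery log lines like the ones quoted above and groups them by recipient domain, to help keep a policy exception list current. The sample lines are constructed; the addresses, hosts and queue IDs are placeholders, and the unredacted field layout is an assumption because the thread's lines are redacted.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of the bounces quoted in the thread.
# Addresses, hosts and queue IDs are placeholders; the last line keeps the
# redacted "to=<>" form the thread shows.
SAMPLE_LOG = """\
Aug 9 15:46:51 Queue: QIDEXAMPLE0001: to=<alice@example.org>,mx.example.org[192.0.2.10]:25, delay=4, delays=0.01/0/0.2/3.8, dsn=5.0.0, status=bounced (host mx.example.org[192.0.2.10] said: 550 XGEMAIL_0006 Command rejected : Preferred TLS 1.3 (in reply to RCPT TO command))
Aug 9 15:47:02 Queue: QIDEXAMPLE0002: to=<bob@EXAMPLE.ORG>,mx.example.org[192.0.2.10]:25, delay=3, delays=0.01/0/0.2/2.8, dsn=5.0.0, status=bounced (host mx.example.org[192.0.2.10] said: 550 XGEMAIL_0006 Command rejected : Preferred TLS 1.3 (in reply to RCPT TO command))
Aug 9 15:48:10 Queue: QIDEXAMPLE0003: to=<carol@example.net>,mx.example.net[192.0.2.20]:25, delay=1, delays=0.01/0/0.2/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 12345)
Aug 9 15:49:30 Queue: QIDEXAMPLE0004: to=<dave@example.com>,mx.example.com[192.0.2.30]:25, delay=1, delays=0.01/0/0.2/0.8, dsn=5.1.1, status=bounced (host mx.example.com[192.0.2.30] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Aug 9 17:04:05 Queue: QIDEXAMPLE0005: to=<>,[]:25, delay=1.4, delays=0.02/0/0.2/1.2, dsn=5.0.0, status=bounced (host[] said: 550 XGEMAIL_0006 Command rejected : Preferred TLS 1.3 (in reply to RCPT TO command))
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+Queue:\s+(?P<qid>\w+):\s+to=<(?P<rcpt>[^>]*)>"
    r".*?\bdsn=(?P<dsn>[\d.]+),\s+status=(?P<status>\w+)\s+\((?P<detail>.*)\)\s*$"
)
# SMTP reply code, Sophos reason code, then the text up to "(in reply to ...".
REPLY_RE = re.compile(
    r"\b(?P<smtp>[45]\d\d)\s+(?P<code>XGEMAIL_\d+)\s+(?P<text>.*?)(?:\s+\(in reply to|$)"
)
TLS_POLICY_CODE = "XGEMAIL_0006"  # per the thread: TLS version did not match policy


def tls_policy_bounces(log_text):
    """Group bounces rejected with XGEMAIL_0006 by recipient domain."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "bounced":
            continue
        reply = REPLY_RE.search(m["detail"])
        if not reply or reply["code"] != TLS_POLICY_CODE:
            continue  # some other rejection, e.g. unknown user
        # rpartition copes with a redacted or empty recipient field
        domain = m["rcpt"].rpartition("@")[2].lower() or "(redacted)"
        by_domain[domain].append((m["ts"], m["qid"], reply["text"]))
    return dict(by_domain)


if __name__ == "__main__":
    for domain, hits in sorted(tls_policy_bounces(SAMPLE_LOG).items()):
        print(f"{domain}: {len(hits)} bounce(s), e.g. {hits[0][2]!r}")
```

The reply text kept with each hit ("Preferred TLS 1.3" in the thread's lines) names the policy setting that triggered the rejection.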