
Force XG to send emails to Smarthost using TLS on Port 587

Hello Community,

I have a problem getting TLS for the email smarthost on TCP port 587 working.
We have to deliver emails to our service provider on TCP port 587 using TLS and a specially created certificate from an internal PKI.

The certificate was created, imported and set up to be used as the TLS certificate under Email - General settings - SMTP TLS configuration.


After that we changed the port for the smarthost from 25 to 587 and saved the settings.

With this setup, emails cannot be delivered to the smarthost. They are stuck in the spooler. In the SMTP spool the error message is:

2023-01-24 09:22:20.544Z [16924] tPQkZM-CZ7HkV-y8 H=smarthost.dns.de [10.x.x.x]:587: Remote host closed connection in response to EHLO smtphostname.xg.de

(the information was anonymized)

I have contacted the administrator team of the smarthost and they said that the XG doesn't present a certificate. The error messages in their logs are:

> TLS certificate was requested but not provided
> TLS failed: TLS certificate is required but client did not provide it

Important: I know I can force the use of TLS under the "SMTP TLS configuration" section,

but this is not working in my case, because only outbound emails to the smarthost support TLS at the moment.
The same relay is forwarding inbound emails to us, and that direction doesn't support TLS at the moment. Using the net range of the smarthost in "require TLS negotiation" would force TLS on inbound connections from them, which is not supported yet.

Have I missed something, or is the XG not able to force TLS to the smarthost on port 587?
@Sophos: Why is there no possibility to configure "force TLS when using smarthost"? It is a common feature. And no, migrating to Sophos Central Email is not an option for me (due to restrictions from the LSI).

Kind regards,
Stefan

We use SFOS v19.0.1 MR1 on an XG550 Active-Passive cluster.



  • Hello,

    Thank you for reaching out to the community. This may be a limitation; we may not be able to use port 587 [SMTPS] for the smart host.

    We can use the default SMTP port 25.


    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello Vivek,

    Thanks for your feedback. It makes absolutely no sense to me that sending via TCP 587 and TLS is not supported for the smarthost. Absolutely no sense...
    And why isn't this mentioned anywhere? Why does the Sophos Support member want to "get a timeframe" to check the configuration I made, although he should know that this isn't possible?

    By the way: even Sophos UTM can send via port 587 with TLS via a smarthost.

    Do I now have to replace all Sophos XG firewalls bought 1 year ago due to incompatibility with the SMARTHOST SETTINGS of my service provider, because XG only supports native unencrypted SMTP over port 25? Is STARTTLS supported for port 25 via smarthost?

    Kind regards,

    Nafets

  • Hey,

    Yes, STARTTLS is supported for port 25.
    Do you have a service request open? If yes, it would be great if you could share it. We would like to get it validated through our senior team and expedite the process for you.


  • Hi,

    Good day and hope you're well.

    Apologies to hear about this unfortunate experience you bumped into. Would you be so kind as to share the case ID with us via DM so we can track progress internally.

    Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hey Stefan, 

    Thank you, I have already updated our internal team with the case ID. We will get back to you once we have an update from our senior team.


  • Hey Community,

    Meanwhile there is an update about this.
    Sophos Support said it is not expected that a TLS certificate is used for the smarthost connection, but there is a workaround to achieve this:

    Sending a certificate can be configured manually in /static/proxy/smtp/exim.conf. The paths of the certificate and private key should be added to the configuration of the smarthost_smtp transport. For example, if the certificate and key have been uploaded as smarthostcert, then these lines should be added to smarthost_smtp (starting at line ~895):

    tls_certificate = /conf/certificate/smarthostcert.pem

    tls_privatekey = /conf/certificate/private/smarthostcert.key

    If the certificate and key are uploaded in a single file, then only the tls_certificate line should be added.

    The configuration should then be reloaded:

    service -ds nosync smtpd:reload

    An upgrade overwrites the config file, so after an upgrade the config file has to be edited again.

    I have tested it and it worked.
    So there is a light at the end of the long dark tunnel. A feature request has been opened and it may be implemented in a future release.

    Maybe this will help a few people trying to achieve something "normal" in 2023... sending emails to a smarthost in a secure (TLS-encrypted) way with a security device like Sophos XG... :-)

     

    Greetings,
    Stefan



    Added indentation
    [edited by: Nafets at 5:51 AM (GMT -7) on 17 Apr 2023]
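Since the workaround above has to be redone after every firmware upgrade, here is an added example (not code from the thread, from Sophos, or from the Exim project) of a POSIX shell script that re-applies it safely. It assumes the certificate was uploaded as "smarthostcert" (paths exactly as in the post) and that smarthost_smtp is laid out like a normal Exim transport: a "smarthost_smtp:" header line followed by "driver = smtp" and further options. The options are only inserted into that one transport, so direct delivery through other transports and the inbound direction, which is handled by the SMTP listener and not by a transport, are not affected. The exim.conf fragment at the end is a constructed sample for the demo, not a real XG configuration.

```shell
#!/bin/sh
# Added example, not from the Sophos thread. Re-applies the smarthost client-certificate
# workaround to Exim's smarthost_smtp transport; meant to be re-run after each upgrade.
# Assumptions: certificate uploaded as "smarthostcert"; standard Exim transport layout.

EXIM_CONF=/static/proxy/smtp/exim.conf
CERT=/conf/certificate/smarthostcert.pem
KEY=/conf/certificate/private/smarthostcert.key   # set KEY="" if cert and key are in one PEM file

# has_tls_options <exim.conf>: succeeds if smarthost_smtp already carries tls_certificate
# (and tls_privatekey when KEY is set). Used to make the whole procedure idempotent.
has_tls_options() {
  awk -v need_key="${KEY:+1}" '
    /^[A-Za-z0-9_]+:[[:space:]]*$/ { in_sh = ($0 ~ /^smarthost_smtp:/) }   # transport header
    in_sh && /^[[:space:]]*tls_certificate[[:space:]]*=/ { c = 1 }
    in_sh && /^[[:space:]]*tls_privatekey[[:space:]]*=/  { k = 1 }
    END { ok = c && (k || need_key == ""); exit ok ? 0 : 1 }
  ' "$1"
}

# add_tls_options <exim.conf>: prints the config with the options inserted directly after
# the "driver = smtp" line of smarthost_smtp. Other transports (e.g. remote_smtp) are left
# untouched on purpose: the client certificate is only meant for the smarthost.
add_tls_options() {
  awk -v cert="$CERT" -v key="$KEY" '
    /^[A-Za-z0-9_]+:[[:space:]]*$/ { in_sh = ($0 ~ /^smarthost_smtp:/); done = 0 }
    { print }
    in_sh && !done && /^[[:space:]]*driver[[:space:]]*=[[:space:]]*smtp[[:space:]]*$/ {
      print "  tls_certificate = " cert
      if (key != "") print "  tls_privatekey = " key
      done = 1
    }
  ' "$1"
}

# check_keypair <cert.pem> <key.pem>: the public key in the certificate must equal the
# public key derived from the private key; otherwise Exim cannot complete the TLS
# handshake and mail stalls in the spool again. Needs the openssl CLI.
check_keypair() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# apply_workaround <exim.conf>: back up, insert the options if missing, then reload
# the SMTP service with the command given in the thread.
apply_workaround() {
  f="$1"
  if has_tls_options "$f"; then
    echo "smarthost_smtp in $f already has the TLS client options"
    return 0
  fi
  cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  add_tls_options "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  service -ds nosync smtpd:reload
}

# --- Demo on a constructed sample (not a real XG exim.conf) ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
begin transports

remote_smtp:
  driver = smtp

smarthost_smtp:
  driver = smtp
  port = 587
EOF
add_tls_options "$SAMPLE"

# On the appliance itself, do the real thing (guarded so the demo runs anywhere).
if [ -f "$EXIM_CONF" ]; then
  if [ -n "$KEY" ]; then
    check_keypair "$CERT" "$KEY" || { echo "certificate and key do not match" >&2; exit 1; }
  fi
  apply_workaround "$EXIM_CONF"
fi
```

After the reload, the cleanest end-to-end check is to reproduce what Exim does from a host that can reach the relay: `openssl s_client -starttls smtp -connect smarthost.dns.de:587 -cert /conf/certificate/smarthostcert.pem -key /conf/certificate/private/smarthostcert.key`. If the relay still reports that no client certificate was provided, the problem is in the certificate or its chain (for example the relay expecting the internal PKI's intermediate to be bundled into the .pem), not in the Exim edit.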