3CX DLL-Sideloading attack: What you need to know
i have a problem to get TLS for email smarthost on port TCP 587 working.We have to deliver emails to our service provider on tcp port 587 using tls and a special created certificate from an internal pki.
The certificate was created and imported and set up to be used as TLS-certificate under email - general settings - smtp-tls-configuration.
After that we changed the port for the smarthost from 25 to 587 and saved the settings.
With this setup, emails can not be delivered to the smarthost. They are stuck in the spooler. In SMTP spool the error message is:
2023-01-24 09:22:20.544Z  tPQkZM-CZ7HkV-y8 H=smarthost.dns.de [10.x.x.x]:587: Remote host closed connection in response to EHLO smtphostname.xg.de
(the information was anonymized)
I have contacted the administrator team of the smarthost and they said, that the XG doesnt present a certificate. The error message in their logs are:
> TLS certificate was requested but not provided> TLS failed: TLS certificate is required but client did not provide it
Important: i know i can force the use of TLS under the "SMTP TLS configuration" section
but this is not working in my case because only outbound emails to the smarthost supporting TLS at the moment.The same relay is forwarding inbound emails to us and this way doesnt support TLS at the moment. Using the net range of the smarthost in "require TLS negotiation" would cause inbound connections from them forcing tls which is not supported yet.
Have i missed something, or is the XG not able to force TLS to the smarthost on port 587?@Sophos: Why there is not possibility to configure "force tls when using smarthost"? It is a common feature. And no - migrating to sophos central email is not an option for me (due to restrictions from the LSI).
We use SFOS v19.0.1 MR1 on XG550 Active-Passive Cluster
Hello Nafets ,Thank you for reaching out to the community, This may be limitation, we may not be able to use Port 587 [SMTPS] for smart host.
We can use Default SMTP Port 25.
Thanks & Regards,_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
thanks for your feedback. It makes absolutely no sense for me that sending via tcp 587 and TLS is not supported for smarthost. Absolutely no sense...And why this isn't mentioned anywhere? Why the Sophos Support member want to "get a timeframe" to check the configuration I made although he should know that this isnt possible?
btw: Even Sophos UTM can send via Port 587 with TLS via smarthost.
Do i have to replace now all sophos xg firewalls buyed 1 year ago due to incompatibility with SMARTHOST SETTINGS for my service provider because XG only supports native unencrypted smtp over port 25? Is starttls supported for port 25 via smarthost?
Hey Nafets ,Yes STARRLS is supported for Port 25 Do you have a service request open ? If yes it would be great if you can share. We would like to get it validated through our senior team and get it expedite the process for you.
I sent you a PM
Hi Nafets ,
Good day and hope you're well.
Apologies to hear this unfortunate experience you bumped into. Would you be so kind to share with us the caseID via DM so we can track along progress internally.
Many thanks for your time and patience and thank you for choosing Sophos
Raphael AlganesCommunity Support Engineer | Sophos Technical SupportSophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
Hey Stefan, Thank you, I have already updated our internal team with the case id we will get back to you once we have an update from our senior team.