Force XG to send emails to Smarthost using TLS on Port 587

Hello Community,

i have a problem to get TLS for email smarthost on port TCP 587 working.
We have to deliver emails to our service provider on tcp port 587 using tls and a special created certificate from an internal pki.

The certificate was created and imported and set up to be used as TLS-certificate under email - general settings - smtp-tls-configuration.


After that we changed the port for the smarthost from 25 to 587 and saved the settings.

With this setup, emails can not be delivered to the smarthost. They are stuck in the spooler. In SMTP spool the error message is:

2023-01-24 09:22:20.544Z [16924] tPQkZM-CZ7HkV-y8 H=smarthost.dns.de [10.x.x.x]:587: Remote host closed connection in response to EHLO smtphostname.xg.de

(the information was anonymized)

I have contacted the administrator team of the smarthost and they said, that the XG doesnt present a certificate. The error message in their logs are:

> TLS certificate was requested but not provided
> TLS failed: TLS certificate is required but client did not provide it

Important: i know i can force the use of TLS under the "SMTP TLS configuration" section

but this is not working in my case because only outbound emails to the smarthost supporting TLS at the moment.
The same relay is forwarding inbound emails to us and this way doesnt support TLS at the moment. Using the net range of the smarthost in "require TLS negotiation" would cause inbound connections from them forcing tls which is not supported yet.

Have i missed something, or is the XG not able to force TLS to the smarthost on port 587?
@Sophos: Why there is not possibility to configure "force tls when using smarthost"? It is a common feature. And no - migrating to sophos central email is not an option for me (due to restrictions from the LSI).

Kind regards,
Stefan

We use SFOS v19.0.1 MR1 on XG550 Active-Passive Cluster



Edited TAGs
[edited by: emmosophos at 7:20 PM (GMT -8) on 25 Jan 2023]
Parents Reply Children
No Data