
Force XG to send emails to Smarthost using TLS on Port 587

Hello Community,

I have a problem getting TLS for the email smarthost on TCP port 587 working.
We have to deliver emails to our service provider on TCP port 587 using TLS and a specially created certificate from an internal PKI.

The certificate was created and imported and set up to be used as TLS-certificate under email - general settings - smtp-tls-configuration.


After that we changed the port for the smarthost from 25 to 587 and saved the settings.

With this setup, emails cannot be delivered to the smarthost. They are stuck in the spooler. In the SMTP spool the error message is:

2023-01-24 09:22:20.544Z [16924] tPQkZM-CZ7HkV-y8 H=smarthost.dns.de [10.x.x.x]:587: Remote host closed connection in response to EHLO smtphostname.xg.de

(the information was anonymized)

I have contacted the administrator team of the smarthost and they said that the XG doesn't present a certificate. The error messages in their logs are:

> TLS certificate was requested but not provided
> TLS failed: TLS certificate is required but client did not provide it

Important: I know I can force the use of TLS under the "SMTP TLS configuration" section,

but this is not working in my case because only outbound emails to the smarthost support TLS at the moment.
The same relay is forwarding inbound emails to us and this direction doesn't support TLS at the moment. Using the net range of the smarthost in "require TLS negotiation" would force TLS on inbound connections from them, which is not supported yet.

Have I missed something, or is the XG not able to force TLS to the smarthost on port 587?
@Sophos: Why is there no possibility to configure "force TLS when using smarthost"? It is a common feature. And no, migrating to Sophos Central Email is not an option for me (due to restrictions from the LSI).

Kind regards,
Stefan

We use SFOS v19.0.1 MR1 on XG550 Active-Passive Cluster



This thread was automatically locked due to age.
  • Hey Community,

    meanwhile there is an update about this.
    Sophos Support said it is not expected that a TLS certificate is used for smarthost connection but there is a workaround to achieve this:

    Sending a certificate can be configured manually in /static/proxy/smtp/exim.conf. The paths of the certificate and private key should be added to the configuration of the smarthost_smtp transport. For example, if the certificate and key have been uploaded as smarthostcert, then these lines should be added to smarthost_smtp (starting at line ~895):

    tls_certificate = /conf/certificate/smarthostcert.pem

    tls_privatekey = /conf/certificate/private/smarthostcert.key

    If the certificate and key are uploaded in a single file, then only the tls_certificate line should be added.

    The configuration should then be reloaded:

    service -ds nosync smtpd:reload

    An upgrade overwrites the config file, so after an upgrade the config file should be edited again.

    I have tested it and it worked.
    So there is a light at the end of the long dark tunnel. A feature request has been opened and it may be implemented in a future release.

    Maybe this will help a few people trying to achieve something "normal" in 2023... sending emails to a smarthost in a secure (TLS-encrypted) way with a security device like Sophos XG... :-)


    Greetings,
    Stefan



    Added indentation
    [edited by: Nafets at 5:51 AM (GMT -7) on 17 Apr 2023]
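A scripted form of the workaround, added here and not from the post or from Sophos: it inserts the two TLS lines into the smarthost_smtp transport of a given exim.conf idempotently, so the same script can be re-run after every upgrade, and prints the lines that are in effect for a quick post-upgrade check. The function names, the backup path and the layout of the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from Sophos: apply the exim.conf
# workaround with a script instead of a hand edit, so it can be re-run
# after every SFOS upgrade overwrites the file.
set -eu

# Insert tls_certificate / tls_privatekey into the "smarthost_smtp:" transport
# of an Exim config. Idempotent: stale copies of both lines inside that block
# are dropped first.  $1 = exim.conf, $2 = certificate path, $3 = key path
# ("" when the uploaded PEM already contains the key, as the post describes).
add_smarthost_tls() {
    conf="$1"; cert="$2"; key="${3:-}"
    grep -q '^smarthost_smtp:' "$conf" || { echo "no smarthost_smtp transport in $conf" >&2; return 1; }
    cp "$conf" "$conf.bak"                       # keep the pre-edit copy (assumed path)
    awk -v cert="$cert" -v key="$key" '
        /^smarthost_smtp:/ { print; print "  tls_certificate = " cert
                             if (key != "") print "  tls_privatekey = " key
                             in_block = 1; next }
        in_block && /^[A-Za-z0-9_]+:/            { in_block = 0 }   # next transport starts
        in_block && /^[[:space:]]*tls_(certificate|privatekey)[[:space:]]*=/ { next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Print the TLS lines currently inside the smarthost_smtp block; an empty result
# after an upgrade means the edit was overwritten and must be reapplied.
smarthost_tls_lines() {
    awk '/^smarthost_smtp:/ { b = 1; next }
         b && /^[A-Za-z0-9_]+:/ { b = 0 }
         b && /tls_(certificate|privatekey)/' "$1"
}

# Demo on a constructed mini exim.conf (assumed layout, not the real SFOS file).
demo() {
    f=$(mktemp)
    printf '%s\n' 'begin transports' '' 'smarthost_smtp:' '  driver = smtp' \
        '  port = 587' '' 'remote_smtp:' '  driver = smtp' > "$f"
    add_smarthost_tls "$f" /conf/certificate/smarthostcert.pem \
        /conf/certificate/private/smarthostcert.key
    smarthost_tls_lines "$f"
    rm -f "$f" "$f.bak"
}
demo
```

After the reload, `openssl s_client -starttls smtp -connect <smarthost>:587 -cert <cert> -key <key>` from the firewall shell shows whether the smarthost accepts the client certificate before the spool is retried.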