Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

POPS-IMAPS scanning - Strange, non ASCII character added in certificate.


I have set up email scanning according to this guide:

I have found that the certificate used by the firewall to decrypt the mail traffic contains empty fields and non ASCII character. Note: "domain.local" is just replaced values from the "correct values".




This (four last rows) is automatically added (to the certificate - presented from firewall) when you "enable" scanning for IMAPS and/or POPS in the firewall rule.

If you disable scanning for IMAPS in the firewall rule, these values ​​will be removed. The certificate then only shows the correct sub alt. names (presented from the mail server).


The certificate selected for POP and IMAP TLS configuration is the CA certificate for the mail server.
Below you see an example of where it is activated in the configuration.

Now to my questions,

- Why does it behave this way?

- How do I configure the firewall, so that these strange characters are not added to the certificate when scanning IMAPS and POPS?

- Is there something that I have configured wrongly?


Forgot to write how the result was presented. I ran into some issues with some email clients not accepting the certificate. I then used OpenSSL to get feedback from the connection.

openssl s_client -showcerts -connect domain.local:993 | openssl x509 -text -noout


This thread was automatically locked due to age.
Parents Reply
  • Thank you for your reply. It was a bit sad to hear. The whole point for me is to be able to properly test the product at home. Thinks that Sophos should also benefit from what a home user finds. A likely guess is that it can also be of great help to those who have the product in production. Just a thought.

    Greetings, Triune.

No Data