SMTP Email Scanning KB configuration article

I am trying to use this article to configure SMTP scanning and am having numerous issues following the prescribed steps. These range from not being able to select the added mail server CA (which has been mentioned elsewhere in this forum) to compulsory fields not being completed.


I have added the CA correctly, it appears in the list alphabetically as trusted alongside many others. I have uploaded the individual server certificates as well.


Is it a current/relevant document?



  • Hi Daniel,

    Greetings.

    I will make it simple for you to configure your requirements.

    Step 1: Add third party/external CA

    Prerequisite:

    You should have the root or CA Certificate in .pem or .der format. This Certificate is provided by the CA in response to your Certificate Signing Request (CSR). To learn how to generate a CSR, refer to the article Generate Certificate Signing Request (CSR).

    Configurations:

    Go to Objects > Identity > Certificate Authority and click Add to add external CA.

    Step 2: Configure SMTPS Scanning

    Go to Protection > Email Protection > Configuration and select the external CA (added in Step 1) from the list of available CAs in SMTP TLS Configuration section.

     

    Step 3: Add the SMTPS scanning policy.

    Go to Policies and click +Add Firewall Rule. Select Business Application Rule to create a policy. Add a new rule using the Email Servers (SMTP) Application template as shown in the image below.

    Let me know if that helps :)

    Appreciate your interest in Sophos.

    Thanks

    Sachin

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hello

    I'm also stuck with that document. All of my mail accounts are external (for example gmail.com and others from domains I use for websites). They are hosted at Gmail or on the different website servers/hosters. I don't have certificates for any of these sites. What I have is a certificate for the Sophos XG registered to one of the mentioned website servers. So what do I have to do about the certificates, and which one do I have to use?

    Sending/receiving mails from an iPad, for example, keeps telling me that there are untrustworthy certificates, for example from Gmail. By clicking continue I can send/receive the mails. What can I do about that? Install the Sophos appliance certificate onto my devices?

    In this document there are two rules mentioned. I can set up one, but since I don't have an internal mail or SMTP server, what do I do with the other one?

    Thanks

    Roger

  • Roger,

    If you are trying to scan IMAP/POP3 traffic, make sure you create a BAR where the template is Email Client and enable IMAP and POP3. This way you do not need to import the certificate on your computer.

    If you choose IMAPS/POP3S/SMTPS, you need to import the XG certificate on your PC.

  • I finally set this up. I created a Business rule to scan IMAPS and SMTPS; according to the reporting, the rule must be correct. But I have trouble with the internal certificate. I installed the Sophos software onto my Windows computers and the iPads. I then also downloaded the certificate from the Sophos XG and installed it into the browsers. It seems to me that the certificates have an acceptance problem.

    My mail accounts return a message telling me that the server identity, for example from Gmail, could not be verified. Other mail accounts tell me the same thing. I can accept the server, but a couple of minutes later the same message comes back.

    Inside the browsers there is the same problem. For example, the Google Chrome browser refuses the Sophos certificate totally, with no chance to use the browser.

    Am I doing something wrong? HTTPS scanning as well as decrypted mails are standard nowadays and I really would like to use it.

    Can someone advise?

    Thanks

    Roger