This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Version 9.508 - report on experience

Version 9.508 is released:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

Maybe we could collect some reports about problems or hopefully no problems. Maybe please tell us about the modules (Network, Web, WAF, Mail, WLAN..) you use if you successful updated to 9.508.

Best
Alex

P.S. With the production system, I'll wait a little bit ;-)



This thread was automatically locked due to age.
Parents
  • Since 9,508 the digital signature is considered invalid for emails. However, I don't know if this is an error in email-encrption.

    PS: outgoing Emails...

  • Thorsten, if you follow the KB article that MBP posted above, deleting and regenerating your S/MIME cert on the 'Internal Users' tab of 'Encryption', does this error still appear after you've sent a signed or encrypted email?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It doesn't matter which email client (Thunderbird, Outlook...) I had already completely reset the CA and re-configured the certificates. The error still exists. I have a SMTP dump for analysis. I'm still waiting for an answer from the support.

  • Unfortunately I can confirm, that a even with a V9.508 CA created and signed message will lead to an error at the recipient site.

     

    Markus

  • What error does the recipient see, Markus - a picture, maybe?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If the recipient uses f.e. thunderbird he will get:

     

     

    Some recipient bounce our mails and return: the digital signature is invalid.

     

    To be clear: email encryption does not work for us since updating to V9.508!  That's awful. We have about 450 email encryption users an use sophos generated certificates.

    On a 2nd utm whith V9.508 I tested to reset email encryption, created a new ca and created a new user. -> Same error.

     

    In my opinion the statement in kb 131727 is wrong:  "Note: You do not have to regenerate the certs to get S/MIME working. The new engine will work fine without deleting and regenerating certificates. Correcting the SHA1 vulnerability requires certificate regeneration, which will require the users to be deleted and re-added"

     

    Markus

     

     

  • I have revoked my S/Mime and applied again with stonger key. Then I set it up in the email encryption. The error still exists. The signature is invalid for the recipient. I´m still waiting for an answer from the support.

Reply Children
  • Hi Thorsten,

    same here on our UTM, we did recreate most users, outgoing signed messages still get bounced. On one user i saw that the certificate was not recreated, i had to delete the user stop/start encryption, regenerate the user so a new cert was created.

    Any news from Sophos support?

    best regards / Viele Grüße,

    Christian

  • I did some more tests to see if umlauts or special characters are causing the problem. Furthermore I have made various settings like deactivating the scan of outgoing emails and so on. But the problem could not be solved in this way. I'm still waiting for a response from support.

  • Hi Thorsten,

    we also checked for umlauts etc. - does not seem to be the problem.

    Some external partners notified us that they maybe had stored old certificates from our users which may cause this problem. E.g. Barracuda Antispam solutions also seem to store certificate information. They deleted the old ones, we are testing at the moment.

    We contacted Sophos support but did not get any help on this bug, we were told to contact our reseller on this...

    Best regards

    Christian

  • Hi Christian,

    we do have the same error and this is quite a pain in the ass. We also use Comodo certificates as Thomas does. 

    As you have said that reaching the support didn't help you, do you have any idea how we can solve this?

     

    Kind regards,

    Max

  • Answer from Sophos Support: One solution would be to update the sender and recipient to version 9.508.

    The only trouble is that not everyone has a UTM...

  • And that's it? So forget about S/MIME functionality from now on?
    What I didn't understand is the message of https://community.sophos.com/kb/en-us/131727 

    As stated in 3, one should get certificates with the appropriate algorithm. Does anybody know how to check which algorithm was used in an existing certificate? So should I ask the CA to re-issue my certificate and everything is fine?

    Best
    Alex

    P.S. I placed the question for the Algorithms for X.509 certs at a reseller for certificates. Will see what they say.

    -

  • Alexander Busch said:

    So should I ask the CA to re-issue my certificate and everything is fine?

    Best
    Alex

     

     

    That's not gonna work. I had revoked my certificates and set them up again without success.

  • Guys, it's not clear to me that you're attacking the right certificate.  This is not the one in 'Certificate Management'.  I think you have to delete your entry on the 'Internal Users' tab of 'Encryption', add it again and then send the new PEM to your recipient(s).

    I can confirm that 9.508-to-9.508 works when this is done.

    Please let us know if the non-UTM recipients can receive your email after adding your new cert as described.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    ...

    I can confirm that 9.508-to-9.508 works when this is done.

    Please let us know if the non-UTM recipients can receive your email after adding your new cert as described.

    ..

    Hello Bob, 

    is the simple signing of an email working? Non UTM Device at the recipient side.

    Best
    Alex

    -

  • Alexander Busch said:

    As stated in 3, one should get certificates with the appropriate algorithm. Does anybody know how to check which algorithm was used in an existing certificate? So should I ask the CA to re-issue my certificate and everything is fine?

     

    Sure...

    openssl x509 -in YOURSMIMECERT.CER -text |grep "Signature A"