Version 9.508 - report on experience

Version 9.508 is released:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

Maybe we could collect some reports about problems or hopefully no problems. Maybe please tell us about the modules (Network, Web, WAF, Mail, WLAN...) you use if you successfully updated to 9.508.

Best
Alex

P.S. With the production system, I'll wait a little bit ;-)



  • Regarding the new mail encryption, we got the following information from one recipient's IT dept., where signed mails get blocked by their gateway:

    "It is not our spam firewalls that block these mails, but the e-mail encryption gateway behind them, which flags the S/MIME signature as not RFC-compliant and therefore rejects the mails."

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

  • Christian Kirchner said:

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

    Official or Sophos CA?

  • Sophos CA, certs (now SHA512) were recreated after the update. We did not create a new CA cert as this would break many things like SSL proxy etc.

    NDR from the external MTA looks like this:

    X-ASG-Debug-ID: 1520<removed>f0001-PIMyqA
    Received: from <removed> by <removed> with ESMTP id n3UkXHeBZrv8SwzT (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <<removed>; Wed, 07 Mar 2018 10:18:59 +0100 (CET)
    X-Barracuda-Envelope-From: <removed>
    X-Barracuda-Effective-Source-IP: <removed>
    X-Barracuda-Apparent-Source-IP: <removed>
    X-CTCH-RefID: str=0001.0A0C0207.5A9FABF0.0349,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    From: "<removed>>
    To: "<removed>
    Subject: <removed>
    X-ASG-Orig-Subj: F<removed>
    Thread-Index: AdO18lbdXnyz7fldQ2+CJClq+1bY/g==
    Date: Wed, 7 Mar 2018 09:07:59 +0000
    Message-ID: <26c8089a06e249a5bc07ae9ed7f69e<removed>>
    Accept-Language: de-DE, en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-ms-exchange-transport-fromentityheader: Hosted
    x-originating-ip: [fd30:dd2b:<removed>]
    MIME-Version: 1.0
    Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"
    X-Barracuda-Connect: <removed>
    X-Barracuda-Start-Time: 1520414339
    X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
    X-Barracuda-URL: https://m<removed>mark.cgi
    X-Barracuda-BRTS-Status: 1
    X-Virus-Scanned: by bsmtpd at <removed>
    X-Barracuda-Scan-Msg-Size: 21889
    X-Barracuda-Spam-Score: 0.00
    X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=2.0 KILL_LEVEL=3.0 tests=BSF_SC0_MISMATCH_TO, HTML_MESSAGE
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.48677
                Rule breakdown below
                pts rule name              description
                ---- ---------------------- --------------------------------------------------
                0.00 HTML_MESSAGE           BODY: HTML included in message
                0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn't match header

    This is an S/MIME signed message
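
A first triage step for a rejection like the one above is to check the `multipart/signed` parameters that the NDR exposes. The following is an added example, not part of the original thread or of Sophos' or the recipient's tooling; it assumes the RFC in question is RFC 5751 (S/MIME 3.2), which the thread does not state, and the second sample header is constructed. An empty result only means the header level is clean, so the objection would then lie in the CMS signature itself, which this check cannot see.

```python
from email import message_from_string

# micalg tokens listed in RFC 5751 section 3.4.3.2 (assumed to be the relevant RFC)
RFC5751_MICALG = {"md5", "sha-1", "sha-224", "sha-256", "sha-384", "sha-512"}
# older spellings (RFC 3851 and early implementations) that strict gateways may refuse
LEGACY_MICALG = {"sha1", "sha256", "sha384", "sha512", "rsa-md5", "rsa-sha1"}


def check_signed_headers(raw_headers):
    """Return a list of findings; an empty list means the header parameters look fine."""
    msg = message_from_string(raw_headers)
    if msg.get_content_type() != "multipart/signed":
        return ["Content-Type is %s, not multipart/signed" % msg.get_content_type()]
    findings = []
    protocol = (msg.get_param("protocol") or "").lower()
    if protocol == "application/x-pkcs7-signature":
        findings.append("protocol uses the legacy x-pkcs7-signature name")
    elif protocol != "application/pkcs7-signature":
        findings.append("protocol missing or unexpected: %r" % protocol)
    micalg = msg.get_param("micalg")
    if micalg is None:
        findings.append("micalg parameter missing")
    else:
        # micalg may be a comma-separated list when several digests are used
        for token in (t.strip().lower() for t in micalg.split(",")):
            if token in LEGACY_MICALG:
                findings.append("micalg %r is a pre-RFC 5751 spelling" % token)
            elif token not in RFC5751_MICALG:
                findings.append("micalg %r is not an RFC 5751 value" % token)
    if not msg.get_boundary():
        findings.append("boundary parameter missing")
    return findings


# Content-Type line as it appears in the NDR quoted in the thread
NDR_HEADERS = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"\n\n'
)
# Constructed counter-example with legacy parameter values
CONSTRUCTED_LEGACY = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; '
    'micalg=sha256; boundary="b1"\n\n'
)

if __name__ == "__main__":
    for name, hdr in (("NDR", NDR_HEADERS), ("constructed", CONSTRUCTED_LEGACY)):
        print(name, check_signed_headers(hdr) or "header parameters OK")
```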

  • KBA with workaround is updated.

    In case a third-party certificate with the new algorithms could not be fetched, the old behaviour needs to be restored by using the old algorithms.
    For that, log on via SSH to the command line (CLI), get root and execute the following command: cc set smtp encryption_utility smime
    After that the old algorithms are used again.
    At any point in time later on it's possible to switch to the new algorithms by logging on to the CLI and entering: cc set smtp encryption_utility cms

    https://community.sophos.com/kb/en-us/131727

  • Glad to hear, Sophos is listening and cares.
