
TLS - Outbound TLS certificate presentation

Is it possible that outbound email messages secured by enforced TLS present the TLS certificate for verification? At the moment the certificate seems only to apply to incoming email.

Incoming:
2018-06-05T14:21:11.056403+01:00 <ext mail srv> sendmail[8463]: STARTTLS=client, relay=<our mail gw>, version=TLSv1.2, verify=OK, cipher=AES256-SHA256, bits=256/256

Outgoing:
[2018-06-05 13:49:40.165595 +0000] info s=<ext mail srv> mod=smtpsrv cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cipher_bits=256 verify=NO
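
Both lines carry the same facts (protocol version, cipher, whether the peer's certificate verified) in two different key=value layouts, and "verify=OK" on one side versus "verify=NO" on the other is the whole question. The following is an added example, not code from this thread or from Sophos: a Go parser that normalises a sendmail STARTTLS= line and a UTM mod=smtpsrv cmd=starttls line into one record and lists what a reviewer would flag (certificate not verified, cipher without forward secrecy, protocol older than TLS 1.2). The sample lines are constructed from the two above with the redacted hosts replaced by made-up names; treating the UTM line as the server side of the session is an assumption drawn from the module name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TLSLogRecord normalises the TLS fields that both log formats carry.
type TLSLogRecord struct {
	Source   string // "sendmail" or "utm"
	Role     string // role of the host that wrote the line: "client" or "server"
	Peer     string // the other end of the session as logged
	Version  string // e.g. "TLSv1.2"
	Cipher   string // OpenSSL-style cipher name
	Verified bool   // the peer's certificate verified (verify=OK)
}

// Each line is a sequence of key=value tokens; a value ends at whitespace or a comma.
var kvRe = regexp.MustCompile(`(\w+)=([^\s,]+)`)

// ParseTLSLogLine returns the normalised record and true, or false when the
// line is not a STARTTLS event in either format.
func ParseTLSLogLine(line string) (TLSLogRecord, bool) {
	f := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		f[m[1]] = m[2]
	}
	var r TLSLogRecord
	switch {
	case f["STARTTLS"] != "":
		// sendmail: STARTTLS=client means this host connected out and is
		// reporting whether it verified the relay's certificate.
		r = TLSLogRecord{Source: "sendmail", Role: f["STARTTLS"], Peer: f["relay"],
			Version: f["version"], Cipher: f["cipher"]}
	case f["mod"] == "smtpsrv" && f["cmd"] == "starttls":
		// UTM SMTP proxy: peer is logged as s=, TLS version as tls_version=.
		// Role "server" is an assumption based on the module name.
		r = TLSLogRecord{Source: "utm", Role: "server", Peer: f["s"],
			Version: f["tls_version"], Cipher: f["cipher"]}
	default:
		return r, false
	}
	r.Verified = strings.EqualFold(f["verify"], "ok")
	return r, true
}

// hasForwardSecrecy: OpenSSL names with ECDHE-/DHE- key exchange, and every
// TLS 1.3 suite (TLS_...), use ephemeral keys.
func hasForwardSecrecy(cipher string) bool {
	return strings.HasPrefix(cipher, "ECDHE-") || strings.HasPrefix(cipher, "DHE-") ||
		strings.HasPrefix(cipher, "TLS_")
}

// Findings lists what a reviewer would raise on one record.
func Findings(r TLSLogRecord) []string {
	var out []string
	if !r.Verified {
		out = append(out, "peer certificate not verified")
	}
	if !hasForwardSecrecy(r.Cipher) {
		out = append(out, "cipher without forward secrecy")
	}
	if r.Version == "TLSv1" || r.Version == "TLSv1.1" || strings.HasPrefix(r.Version, "SSL") {
		out = append(out, "protocol version below TLS 1.2")
	}
	return out
}

// Constructed sample input: the two lines from the post with made-up hostnames,
// plus an unrelated delivery line that must be ignored.
var sampleLines = []string{
	"2018-06-05T14:21:11.056403+01:00 mx.partner.example sendmail[8463]: STARTTLS=client, relay=gw.ourdomain.example [192.0.2.25], version=TLSv1.2, verify=OK, cipher=AES256-SHA256, bits=256/256",
	"[2018-06-05 13:49:40.165595 +0000] info s=mx.partner.example mod=smtpsrv cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cipher_bits=256 verify=NO",
	"2018-06-05T14:21:12+01:00 mx.partner.example sendmail[8463]: to=<user@ourdomain.example>, stat=Sent",
}

func main() {
	for _, line := range sampleLines {
		r, ok := ParseTLSLogLine(line)
		if !ok {
			continue
		}
		fmt.Printf("%-8s role=%-6s peer=%s %s %s verified=%v findings=%v\n",
			r.Source, r.Role, r.Peer, r.Version, r.Cipher, r.Verified, Findings(r))
	}
}
```

Run against the two constructed lines, the sendmail side reports a verified certificate but an RSA key exchange cipher (no forward secrecy), and the UTM side reports a forward-secret cipher but verify=NO; neither line says anything about a client certificate, which is why the SMTP log alone cannot answer the counterpart's question.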



  • In which log are you seeing this?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This log was provided by the counterpart. They said that if we do not present a certificate in our outgoing email, they'll have to lower security on their end to make TLS work.

  • Please show a picture of the 'TLS Settings' section of the 'Advanced' tab in 'SMTP'.  Also, paste here the SMTP log lines corresponding to the line above where they say TLS was not negotiated.

    Cheers - Bob

     
  • TLS as such is successful. They don't say TLS was not negotiated, but that the TLS certificate is not presented. In the SMTP logs we cannot find anything in regards to certificate verification.

  • The Test Receiver is fine. The certificate is being validated:

    STARTTLS command works on this server
    Connection converted to SSL
    Certificate 1 of 3 in chain: Cert VALIDATED: ok
    Certificate 2 of 3 in chain: Cert VALIDATED: ok
    Certificate 3 of 3 in chain: Cert VALIDATED: ok
    TLS successfully started on this server

    The Test Sender is successful, however, does not seem to validate a certificate:

    The transcript of the eMail SMTP session is below, with:
    --> this is a line from your email system to us (~~> when encrypted)
    <-- this is a line to your email system from us (<~~ when encrypted)
    === this is a line about the tls negotiation (cypher, cert, etc)
    *** this is an error, warning, or info line that the test found

    <-- 220 ts6.checktls.com ESMTP TestSender Thu, 14 Jun 2018 02:27:30 -0400
    --> EHLO mx.domain.com
    <-- 250-ts6.checktls.com Hello  [IP], pleased to meet you
    <-- 250-ENHANCEDSTATUSCODES
    <-- 250-8BITMIME
    <-- 250-STARTTLS
    <-- 250 HELP
    --> STARTTLS
    <-- 220 Ready to start TLS
    ====tls negotiation successful (cypher: AES256-GCM-SHA384)
    client cert:
    Subject Name: undefined
    Issuer  Name: undefined
    ~~> EHLO mx.domain.com
    <~~ 250-ts6.checktls.com Hello  [IP], pleased to meet you
    <~~ 250-ENHANCEDSTATUSCODES
    <~~ 250-8BITMIME
    <~~ 250 HELP
    ~~> MAIL FROM:<sender@domain.com>
    <~~ 250 Ok - mail from sender@domain.com
    ~~> RCPT TO:<test@testsender.checktls.com>
    <~~ 250 Ok - recipient test@testsender.checktls.com
    ~~> DATA
    <~~ 354 Send data.  End with CRLF.CRLF
    .....
    <~~ 250 Ok
    ~~> QUIT
    <~~ 221 ts6.checktls.com closing connection
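
The "client cert: Subject Name: undefined" lines in that transcript are the receiving side reporting that it asked for a client certificate and the sender offered none. As an added example (not code from this thread, from Sophos, or from the test service), the Go program below runs the sending and receiving ends of a TLS handshake in one process over an in-memory pipe, with throwaway self-signed certificates it mints itself, so you can see what the receiver records when the sender presents a client certificate, when it does not, and what happens when the receiver insists on one (tls.RequireAnyClientCert, which is the "lower security on their end" decision the counterpart described). The hostnames mx.example.test and smtp.sender.example are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for this example
// (constructed key material; never reuse outside a test).
func selfSigned(cn string, dns []string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; parsing it cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Outcome is what each side of one handshake observed.
type Outcome struct {
	ClientErr    error  // non-nil if the sender could not verify the receiver's certificate
	ServerErr    error  // non-nil if the receiver rejected the handshake
	ClientCertCN string // subject CN the receiver saw; "undefined" when none was presented
}

// Handshake runs a TLS client (sending MTA) against a TLS server (receiving MTA)
// over net.Pipe. The receiver always asks for a client certificate;
// requireClientCert decides whether a missing one is fatal.
func Handshake(withClientCert, requireClientCert bool) (Outcome, error) {
	srvCert, srvLeaf, err := selfSigned("mx.example.test", []string{"mx.example.test"}, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(srvLeaf)
	policy := tls.RequestClientCert // ask, and report what is offered (what the TestSender above does)
	if requireClientCert {
		policy = tls.RequireAnyClientCert // what a "verification on both ends" partner enforces
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: policy,
		MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true} // no post-handshake writes on the pipe
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "mx.example.test", MinVersion: tls.VersionTLS12}
	if withClientCert {
		cliCert, _, err := selfSigned("smtp.sender.example", nil, x509.ExtKeyUsageClientAuth)
		if err != nil {
			return Outcome{}, err
		}
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	cliRaw, srvRaw := net.Pipe()
	defer srvRaw.Close()
	type serverResult struct {
		err error
		cn  string
	}
	done := make(chan serverResult, 1)
	go func() {
		s := tls.Server(srvRaw, srvCfg)
		err := s.Handshake()
		cn := "undefined"
		if peers := s.ConnectionState().PeerCertificates; err == nil && len(peers) > 0 {
			cn = peers[0].Subject.CommonName
		}
		done <- serverResult{err, cn}
	}()
	cliErr := tls.Client(cliRaw, cliCfg).Handshake()
	// Close the raw client end (not the tls.Conn, which would try to write a
	// close_notify) so a receiver still sending a rejection alert is not
	// blocked forever on the synchronous pipe.
	cliRaw.Close()
	res := <-done
	return Outcome{ClientErr: cliErr, ServerErr: res.err, ClientCertCN: res.cn}, nil
}

func main() {
	for _, tc := range []struct{ offer, require bool }{{false, false}, {true, false}, {false, true}} {
		o, err := Handshake(tc.offer, tc.require)
		if err != nil {
			panic(err)
		}
		fmt.Printf("offer=%v require=%v -> client err=%v, server err=%v, client cert CN=%s\n",
			tc.offer, tc.require, o.ClientErr, o.ServerErr, o.ClientCertCN)
	}
}
```

Two things to note when reading the output: with RequestClientCert the receiver accepts either way and merely records what was offered, which is exactly the "Subject Name: undefined" the test shows; and RequireAnyClientCert only checks that a certificate was presented, not who issued it, so a partner that wants to verify the sender's certificate would additionally need RequireAndVerifyClientCert with a ClientCAs pool. In TLS 1.3 the client's Handshake returns before the server's rejection arrives, so on the failing run only the server side reports the error; the sending MTA would see it on its next read.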

  • I hadn't noticed that.  Interestingly, the same happens for a mail account that I have that's hosted by Google.

    Cheers - Bob

     
  • I'm running into a similar issue with a customer of mine.  One of their vendors is requiring certificate verification on both ends for SMTP.  I don't actually see an option in the Sophos UTM to even enable or enforce this, and my experience with SMTP in general (not just Sophos but mail servers) is that they do no certificate verification.  They use TLS and accept/negotiate the TLS connection without any verification, and this allows you to even use self-signed certs.

    So does the UTM actually have this ability?

  • Marv, please get a case open with Sophos Support.  When you get a case#, PM sachingurung with the # and a link to your post here.  I suspect that the customer is confused about this, but I would rather have a formal statement from Sophos.

    Cheers - Bob

     