
TLS - Outbound TLS certificate presentation

Is it possible that outbound email messages secured by enforced TLS present the TLS certificate for verification? At the moment the certificate seems only to apply to incoming email.

Incoming:
2018-06-05T14:21:11.056403+01:00 <ext mail srv> sendmail[8463]: STARTTLS=client, relay=<our mail gw>, version=TLSv1.2, verify=OK, cipher=AES256-SHA256, bits=256/256

Outgoing:
[2018-06-05 13:49:40.165595 +0000] info s=<ext mail srv> mod=smtpsrv cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cipher_bits=256 verify=NO



  • The Test Receiver is fine. The certificate is being validated:

    STARTTLS command works on this server
    Connection converted to SSL
    Certificate 1 of 3 in chain: Cert VALIDATED: ok
    Certificate 2 of 3 in chain: Cert VALIDATED: ok
    Certificate 3 of 3 in chain: Cert VALIDATED: ok
    TLS successfully started on this server

    The Test Sender is successful; however, it does not seem to validate a certificate:

    The transcript of the eMail SMTP session is below, with:
    --> this is a line from your email system to us (~~> when encrypted)
    <-- this is a line to your email system from us (<~~ when encrypted)
    === this is a line about the tls negotiation (cypher, cert, etc)
    *** this is an error, warning, or info line that the test found

    <-- 220 ts6.checktls.com ESMTP TestSender Thu, 14 Jun 2018 02:27:30 -0400
    --> EHLO mx.domain.com
    <-- 250-ts6.checktls.com Hello  [IP], pleased to meet you
    <-- 250-ENHANCEDSTATUSCODES
    <-- 250-8BITMIME
    <-- 250-STARTTLS
    <-- 250 HELP
    --> STARTTLS
    <-- 220 Ready to start TLS
    ====tls negotiation successful (cypher: AES256-GCM-SHA384)
    client cert:
    Subject Name: undefined
    Issuer  Name: undefined
    ~~> EHLO mx.domain.com
    <~~ 250-ts6.checktls.com Hello  [IP], pleased to meet you
    <~~ 250-ENHANCEDSTATUSCODES
    <~~ 250-8BITMIME
    <~~ 250 HELP
    ~~> MAIL FROM:<sender@domain.com>
    <~~ 250 Ok - mail from sender@domain.com
    ~~> RCPT TO:<test@testsender.checktls.com>
    <~~ 250 Ok - recipient test@testsender.checktls.com
    ~~> DATA
    <~~ 354 Send data.  End with CRLF.CRLF
    .....
    <~~ 250 Ok
    ~~> QUIT
    <~~ 221 ts6.checktls.com closing connection

  • I hadn't noticed that. Interestingly, the same happens for a mail account that I have that's hosted by Google.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
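The two log lines in the question and the CheckTLS transcript above are both about the same question: which side presented a certificate, and which side checked it. In the sendmail line the logging host is the TLS client (STARTTLS=client), so its verify=OK refers to the server certificate of the gateway it connected to; in the gateway's smtpsrv line, and in CheckTLS's "client cert: Subject Name: undefined", verify=NO refers to the client certificate, which the connecting side simply did not send. The script below is an added example written for this thread; it is not Sophos code and not part of the original posts. It assumes only the Python standard library: parse_tls_log() extracts version, cipher and verify status from both log formats (the sample lines are constructed copies of the ones quoted above, with placeholder hostnames), make_client_context() builds an outbound TLS context that presents a client certificate only if one is supplied, and probe_starttls() upgrades a live SMTP session and reports what the remote server presented (it needs network access and is only run when a host is given on the command line).

```python
"""Added example (not from the thread or the product): inspect STARTTLS log lines
and, optionally, probe a remote MTA for the certificate it presents."""
import re
import smtplib
import ssl
import sys

# Constructed sample lines modelled on the two formats quoted in the thread
# (hostnames replaced by placeholders).
SENDMAIL_LINE = ("2018-06-05T14:21:11.056403+01:00 ext-mail-srv sendmail[8463]: "
                 "STARTTLS=client, relay=<our mail gw>, version=TLSv1.2, verify=OK, "
                 "cipher=AES256-SHA256, bits=256/256")
GATEWAY_LINE = ("[2018-06-05 13:49:40.165595 +0000] info s=<ext mail srv> mod=smtpsrv "
                "cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 "
                "cipher_bits=256 verify=NO")

# Field patterns covering both formats: sendmail uses "version=", the gateway
# "tls_version="; sendmail uses "bits=256/256", the gateway "cipher_bits=256".
_FIELD = {
    "version": re.compile(r"(?:tls_)?version=([^\s,]+)"),
    "cipher": re.compile(r"cipher=([^\s,]+)"),
    "bits": re.compile(r"bits=([^\s,]+)"),
    "verify": re.compile(r"verify=([^\s,]+)"),
}


def _role(line):
    """Which TLS role the logging host played in this session."""
    m = re.search(r"STARTTLS=(client|server)", line)
    if m:
        return m.group(1)
    if "mod=smtpsrv" in line:      # the gateway's SMTP *server* module logged it
        return "server"
    return "unknown"


def parse_tls_log(line):
    """Return the TLS parameters of a STARTTLS log line plus what verify= refers to."""
    out = {"role": _role(line)}
    for key, rx in _FIELD.items():
        m = rx.search(line)
        out[key] = m.group(1) if m else None
    out["verified"] = out["verify"] == "OK"
    # A TLS client verifies the server's certificate; a TLS server, if it asked
    # for one, verifies the client's. verify=NO on a server line therefore means
    # the connecting side presented no (or no acceptable) client certificate.
    out["cert_checked"] = {"client": "server certificate",
                           "server": "client certificate"}.get(out["role"], "unknown")
    return out


def make_client_context(cert_path=None, key_path=None, cafile=None):
    """TLS client context for an outbound SMTP session.

    Server certificates are verified against the system trust store (or cafile).
    If cert_path/key_path are given, the client presents that certificate when the
    server requests one; otherwise the server will log the equivalent of verify=NO.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    if cert_path:
        ctx.load_cert_chain(cert_path, key_path)
    return ctx


def probe_starttls(host, port=25, ctx=None, timeout=15):
    """Open an SMTP session, upgrade it with STARTTLS, and report the peer's parameters."""
    ctx = ctx or make_client_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # raises ssl.SSLError if the server cert fails verification
        sock = smtp.sock
        name, _proto, bits = sock.cipher()
        return {
            "version": sock.version(),
            "cipher": name,
            "bits": bits,
            "peer_subject": sock.getpeercert().get("subject"),
        }


if __name__ == "__main__":
    for line in (SENDMAIL_LINE, GATEWAY_LINE):
        print(parse_tls_log(line))
    if len(sys.argv) > 1:   # e.g. python starttls_check.py mx.example.invalid [25]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_starttls(sys.argv[1], port))
```

Run without arguments it only parses the two sample lines; with a hostname it performs a real STARTTLS handshake and prints the server's certificate subject, which is the outbound counterpart of the Test Receiver check in the reply above. To see whether your own gateway presents a client certificate you still need the receiving side's view (the remote server's log or a service such as CheckTLS), because the sending client cannot observe what it did not send.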