
Different TLS settings for different mail domains?

We have two mail domains running on our UTM (9.510-5). We have DKIM and SPF entries for both domains. The first domain for which the SSL cert was issued is just fine, TLS set for 1.2 only in the advanced settings. Checked with an external SSL/TLS tool, only TLS1.2 is active.

But if I check the mx entry for the other domain (No profile mode, both domains share the same settings), the external SSL/TLS check says that the mail server for this domain supports SSL_RSA_WITH_RC4_128_SHA and TLS from 1.0 to 1.2, so it uses weak ciphers.

How is that possible? The tool says that both domains are using the same IP ergo the same UTM with the same settings for both domains is in use. I've removed the second domain, saved that and re-added, but no change. The exim.conf has only one section for TLS settings, there's no separation for different domains.

A first guess was the missing name of the second domain in the SSL cert. This is a three-year-cert and when it was issued the second domain was not in place, it came into game at a later date. So there is no SAN or alternate name included.

  • I guess I'm not understanding what you did, but it seems odd that the same IP would appear differently.  Maybe show the test results?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well.... one UTM, two mail domains with the same settings - ext. IP is the same, different MX settings in DNS. One SSL cert on the UTM which doesn't include the name of the second domain. An SSL check shows different encryption settings. I hope I've expressed this in a way which is easier to understand.

    Here's the result of the second domain:

    The check for the first domain shows that only TLS1.2 is present. I know that the cert problem is a result of the domain name mismatch, but shouldn't these two domains use the same encryption settings?

  • What is the 'TLS version' selected on the 'Advanced' tab?

    This picture is two years old (Mittwoch 31. August 2016) - what does the same test show today?

    Cheers - Bob

  • BAlfson said:
    What is the 'TLS version' selected on the 'Advanced' tab?

    Tls1.2 as written above.

    BAlfson said:
    This picture is two years old (Mittwoch 31. August 2016) - what does the same test show today?

    Indeed.....how is that possible? I've run a test for the first domain before and then entered the name of the second domain, the pic shows the result. It looks like I didn't hit the refresh button. Aaargh. Sorry for posting such a nonsense. Today's test shows the same encryption settings as for the first domain. My bad.

     

    For the second domain name in an SSL cert: Is it true that the UTM will recognize and present the correct SSL cert for both domains for SMTP connects?

  • Yes.  When you apply a multi-SAN certificate to a WAF site, UTM gives you a picklist for selecting the name to use.   When applying a wildcard certificate, it gives you a text box to specify the name.

  • Isn't he asking a different question, Doug?  I think (not sure) the UTM's SMTP Proxy uses just one TLS certificate with one FQDN for everything until the setting is changed in WebAdmin.  It's not a question I've considered before.

    Cheers - Bob

  • Good point.   I was thinking about WAF configuration.

    In SMTP, you just configure the certificate.   The remote site evaluates the certificate to see if any of the names supplied in the certificate are consistent with the host name that it was trying to reach -- if it checks certificate integrity at all.   My perception is that certificate verification for SMTP connections is rare.
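An added example (not from the thread and not Sophos code) of the check the thread is about: a STARTTLS probe that records the TLS version and cipher an MX host negotiates and then tests whether the names in the presented certificate cover that host, the evaluation Doug describes above. The MX host names used in the script are constructed placeholders, and the probe assumes the MX presents a CA-signed certificate.

```python
"""STARTTLS probe: negotiated TLS version/cipher for an MX host plus a check
that the certificate's CN/SAN names actually cover that host name."""
import smtplib
import ssl


def cert_matches_host(cert_names, hostname):
    """RFC 6125-style host name match against a certificate's CN/dNSName list.
    A wildcard covers exactly one label and only in the leftmost position."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def names_from_cert(cert):
    """Collect commonName and DNS SAN entries from ssl.getpeercert() output."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def probe_starttls(mx_host, port=25, timeout=10):
    """Return (tls_version, cipher, cert_names, name_matches) for one MX host.
    Chain verification stays on (so an untrusted cert raises), but host name
    checking is off so a mismatched cert is reported instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        sock = smtp.sock
        names = names_from_cert(sock.getpeercert())
        return sock.version(), sock.cipher()[0], names, cert_matches_host(names, mx_host)


if __name__ == "__main__":
    # Constructed placeholder MX names for two domains served by one gateway.
    for mx in ("mx.example.com", "mx.example.net"):
        version, cipher, names, ok = probe_starttls(mx)
        print(f"{mx}: {version} {cipher} cert names={names} name match={ok}")
```

Two domains on one listener should report the same version and cipher; what differs per domain is only whether the single certificate's names cover that domain's MX host.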