Mail Encryption when the recipient has a privately signed CA

Hi rtos 

Would you please tell us if you're using Sophos UTM 9 or any other product?

Hi @Jaydeep

We use UTM 9 Version: 9.605-2

We have two SG230 In Hot Standby mode

Hi rtos 

Thanks for confirming this. If Sophos does not trust the CA, it will definitely not import S/MIME as you already mentioned. However, Would you confirm if you are seeing this behavior with any untrusted CA with CRL not configured in it?

Hi, i just checked again.

It will only import the CA´s if th CRL is Configured in the S/MIME Sginature.

What i don´t know does the Sopos automatically trust the CA it gets it from those CRL information's ?

For me it looks like it does from the Web interface, as it lists them under Local S/MIME Authorities and Enables Them by default.

.

But then it wont Import the Corresponding S/MIME Certificates as if the Authorities are not trusted.

Hi, i just checked again.

It will only import the CA´s if th CRL is Configured in the S/MIME Sginature.

What i don´t know does the Sopos automatically trust the CA it gets it from those CRL information's ?

For me it looks like it does from the Web interface, as it lists them under Local S/MIME Authorities and Enables Them by default.

.

But then it wont Import the Corresponding S/MIME Certificates as if the Authorities are not trusted.

In the Sophos UTM Manual on Page 403 there i no mentioning of auto import of CAs https://www.sophos.com/de-de/medialibrary/PDFs/documentation/utm9506_manual_eng.ashx
So i think the Sophos is not behaving as it should or am i missing something

Update, it probably does not get the CA from the link in the first screen shot which was the revocation list.
I think it downloads the certificate from here:

Then also the Fingerprint in Sophos and the one on this CA are matching

Hallo David and welcome to the UTM Community!

Is the mystery solved?

Cheers - Bob