When we do a test on www.internet.nl/.../*ourdomain* we are getting the following errors back:
Key exchange parameters:
At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.
And the following:
At least one of your mailservers does not enforce its own cipher preference ('I').
our domain : none
We are using Sophos UTM 9 version 9.707-5
How can we fix the errors on test?
Ahhh, I didn't read closely enough. I guess your TLS certificate is the problem. You can generate a new one with a 4096-bit key to replace the one you're currently using. Better luck with that…
Hi Wesley van den Brink,
Thank you for reaching out to the Community!
Would it be possible for you to share email protection configuration detail from your firewall?
Good morning Patel,
Maybe a stupid question. But how can i get this? (this device is new for me)
Hoi Wesley and welcome to the UTM Community!
Cheers - Bob
Require TLS Neg Sender Domains are only domain names no wildcard.
And, what happens if you put "Any" in '... Sender Domains'?
TLS v1.2 is required in the EU, so, depending on your organization's correspondents, you may not need to worry about this. In the USA, I see many domains that aren't at 1.2.
Anyipv4 and ipv6 are in now, problem is stil there.At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.
And this one:
At least one of your mailservers does not enforce its own cipher preference ('I').Technical details:
Ahhh, I didn't read closely enough. I guess your TLS certificate is the problem. You can generate a new one with a 4096-bit key to replace the one you're currently using. Better luck with that, Wesley?
Put in a 4096 Bits certificate but same error message (2048 is generally aproved and a valid one, but we could always try)
After using the new cert a reboot was done.
When i check the test on the sophos.com domain i see the same errors are there.
So i would think its a default setting from the Sophos UTM 9
So, it's the cert at mx.*****.nl. What happens if you change that?
Allready changed the certificate for a 4096 bit but stil the same errors.
I contacted our certificate supplier but they are saying that its not the certificate but it need to be change on the UTM.
Their translated message:
Furthermore, the links you send are aimed at the Cipher Suites and/or Protocols that are used. This is not something that can be set on the certificate, but this is done at the server level. It is best to contact the supplier of the product for any adjustments.