This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PGP mail encryption with Sophos UTM

Hi everyone,

I wanted to setup e-mail encryption for a few users and thought it seemed pretty easy to setup with the built-in function of the UTM. However it turned out that it does not work as expected. I have imported a public cert from an external user and expected the mail to get encrypted automatically when I enable the appropriate options for the sending internal user. But the e-mails I send only get a digital signature and are never encrypted. Am I missing something here? Or is PGP not implemented properly on the UTM? Unfortunately there is not much information on this topic in the community nor the rest of the web. Did anyone of you get this to work properly or has any hint on what's wrong or could be checked?

Thanks in advance
Daniel



This thread was automatically locked due to age.
  • Hello,

    There is a bunch of information in the magic "?"-sign in the upper right hand corner of your Sophos UTM GUI windows ...

    This takes you to this info: your.firewall.local:4444/.../EmailProtEncryption.htm

    Quote from there:

    The entire email encryption is transparent to users, that is, no additional encryption software is required on the client side. Generally speaking, encryption requires having the destination party's certificate or public key on store. For incoming and outgoing messages, email encryption functions as follows:

    • By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), provided the S/MIME certificate or OpenPGP public key of the recipient is existent on Sophos UTM.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hallo Herr Rusch,

    despite I am also from Germany I'll keep it English to not offend others. Thanks for you quick reply.

    Exactly, that is what I have read in the help menu. I saw these lines and thought, wow that sounds easy. But, I have set it up exactly that way and encryption is not happening for whatever reason. Signing however works. Afaik there is no logging available for signing/encryption to see what's going wrong, right?

    Regards
    Daniel

  • Hallo Daniel,

    I'm a bit confused about whether you're trying to use PGP or S/MIME.  If PGP, you import the OpenPGP Public Keys for outside mail accounts with which you want to have encrypted emails exchanged.  If S/MIME, you import the certificates.  Certs don't work with PGP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for your reply. Of course I imported the public key not a certificate and I want to use PGP. Sorry for the mixed up wording. Could it be that the public key is not compatible somehow? It was an asc file and I had no problems importing it but can there be anything wrong with that public key?

    Thanks
    Daniel

  • Here's how my public key begins:

    -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.9 (GNU/Linux)

    mQMqBFqdplkRCADNKDSKpbiHFg5ucU0/cHtC6w22yGFfof26hiEUFqAGx/dzDmA3

    It ends wit:

    =Fo30 -----END PGP PUBLIC KEY BLOCK-----

    All plain text.  Is the recipient in your organization properly configured on the 'Internal Users' tab?

         

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Mine - that means the imported one - looks like this, so it should be fine:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: OpenPGP.js v4.10.10
    Comment: https://openpgpjs.org

    xjMEYjrZTxYJKwYBBAHaRw8BAQdA2knFeRi8NkkYMzj+weTHhp5t9s0OPDZH

    =EtPW
    -----END PGP PUBLIC KEY BLOCK-----

    My internal user is configured, yes. I have have disabled S/MIME but that shouldn't make a difference I assume. There isn't much to misconfigure I think so I really don't understand why it does not work.

  • That looks good, Daniel.  The only other thing I can think of is:

         

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Well, it seems it was just a "problem" with the external web client where I tested it with. It just did not show that the emails were encrypted and were seamlessly decrypted. I have now setup Thunderbird and it works like a charm. Sorry for taking your time.

    I have another question however regarding the keyservers. There are more then one public keyservers. Are they synchronized somehow? In my eyes it wouldmake sense if I can only specify one of them in the settings.

  • Weiß nicht.  Maybe someone else knows, but your reasoning seems good to me!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA