Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.
I wanted to setup e-mail encryption for a few users and thought it seemed pretty easy to setup with the built-in function of the UTM. However it turned out that it does not work as expected. I have imported a public cert from an external user and expected the mail to get encrypted automatically when I enable the appropriate options for the sending internal user. But the e-mails I send only get a digital signature and are never encrypted. Am I missing something here? Or is PGP not implemented properly on the UTM? Unfortunately there is not much information on this topic in the community nor the rest of the web. Did anyone of you get this to work properly or has any hint on what's wrong or could be checked?
Thanks in advanceDaniel
There is a bunch of information in the magic "?"-sign in the upper right hand corner of your Sophos UTM GUI windows ...
This takes you to this info: your.firewall.local:4444/.../EmailProtEncryption.htm
Quote from there:
The entire email encryption is transparent to users, that is, no additional encryption software is required on the client side. Generally speaking, encryption requires having the destination party's certificate or public key on store. For incoming and outgoing messages, email encryption functions as follows:
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Hallo Herr Rusch,
despite I am also from Germany I'll keep it English to not offend others. Thanks for you quick reply.
Exactly, that is what I have read in the help menu. I saw these lines and thought, wow that sounds easy. But, I have set it up exactly that way and encryption is not happening for whatever reason. Signing however works. Afaik there is no logging available for signing/encryption to see what's going wrong, right?
I'm a bit confused about whether you're trying to use PGP or S/MIME. If PGP, you import the OpenPGP Public Keys for outside mail accounts with which you want to have encrypted emails exchanged. If S/MIME, you import the certificates. Certs don't work with PGP.
Cheers - Bob
thanks for your reply. Of course I imported the public key not a certificate and I want to use PGP. Sorry for the mixed up wording. Could it be that the public key is not compatible somehow? It was an asc file and I had no problems importing it but can there be anything wrong with that public key?
Here's how my public key begins:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.9 (GNU/Linux)
It ends wit:
=Fo30 -----END PGP PUBLIC KEY BLOCK-----
All plain text. Is the recipient in your organization properly configured on the 'Internal Users' tab?
Mine - that means the imported one - looks like this, so it should be fine:
-----BEGIN PGP PUBLIC KEY BLOCK-----Version: OpenPGP.js v4.10.10Comment: https://openpgpjs.orgxjMEYjrZTxYJKwYBBAHaRw8BAQdA2knFeRi8NkkYMzj+weTHhp5t9s0OPDZH=EtPW-----END PGP PUBLIC KEY BLOCK-----
My internal user is configured, yes. I have have disabled S/MIME but that shouldn't make a difference I assume. There isn't much to misconfigure I think so I really don't understand why it does not work.
That looks good, Daniel. The only other thing I can think of is:
Well, it seems it was just a "problem" with the external web client where I tested it with. It just did not show that the emails were encrypted and were seamlessly decrypted. I have now setup Thunderbird and it works like a charm. Sorry for taking your time.
I have another question however regarding the keyservers. There are more then one public keyservers. Are they synchronized somehow? In my eyes it wouldmake sense if I can only specify one of them in the settings.
Weiß nicht. Maybe someone else knows, but your reasoning seems good to me!