PGP mail encryption with Sophos UTM

Hello,

There is a bunch of information in the magic "?"-sign in the upper right hand corner of your Sophos UTM GUI windows ...

This takes you to this info: your.firewall.local:4444/.../EmailProtEncryption.htm

Quote from there:

The entire email encryption is transparent to users, that is, no additional encryption software is required on the client side. Generally speaking, encryption requires having the destination party's certificate or public key on store. For incoming and outgoing messages, email encryption functions as follows:

• By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), provided the S/MIME certificate or OpenPGP public key of the recipient is existent on Sophos UTM.

Hallo Herr Rusch,

despite I am also from Germany I'll keep it English to not offend others. Thanks for you quick reply.

Exactly, that is what I have read in the help menu. I saw these lines and thought, wow that sounds easy. But, I have set it up exactly that way and encryption is not happening for whatever reason. Signing however works. Afaik there is no logging available for signing/encryption to see what's going wrong, right?

Regards
Daniel

Hallo Daniel,

I'm a bit confused about whether you're trying to use PGP or S/MIME.  If PGP, you import the OpenPGP Public Keys for outside mail accounts with which you want to have encrypted emails exchanged.  If S/MIME, you import the certificates.  Certs don't work with PGP.

Cheers - Bob

Hi Bob,

thanks for your reply. Of course I imported the public key not a certificate and I want to use PGP. Sorry for the mixed up wording. Could it be that the public key is not compatible somehow? It was an asc file and I had no problems importing it but can there be anything wrong with that public key?

Thanks
Daniel

Hi Bob,

thanks for your reply. Of course I imported the public key not a certificate and I want to use PGP. Sorry for the mixed up wording. Could it be that the public key is not compatible somehow? It was an asc file and I had no problems importing it but can there be anything wrong with that public key?

Thanks
Daniel

Here's how my public key begins:

-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.9 (GNU/Linux)

mQMqBFqdplkRCADNKDSKpbiHFg5ucU0/cHtC6w22yGFfof26hiEUFqAGx/dzDmA3

It ends wit:

=Fo30 -----END PGP PUBLIC KEY BLOCK-----

All plain text.  Is the recipient in your organization properly configured on the 'Internal Users' tab?

Cheers - Bob

Mine - that means the imported one - looks like this, so it should be fine:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xjMEYjrZTxYJKwYBBAHaRw8BAQdA2knFeRi8NkkYMzj+weTHhp5t9s0OPDZH

=EtPW
-----END PGP PUBLIC KEY BLOCK-----

My internal user is configured, yes. I have have disabled S/MIME but that shouldn't make a difference I assume. There isn't much to misconfigure I think so I really don't understand why it does not work.

That looks good, Daniel.  The only other thing I can think of is:

Cheers - Bob

Well, it seems it was just a "problem" with the external web client where I tested it with. It just did not show that the emails were encrypted and were seamlessly decrypted. I have now setup Thunderbird and it works like a charm. Sorry for taking your time.

I have another question however regarding the keyservers. There are more then one public keyservers. Are they synchronized somehow? In my eyes it wouldmake sense if I can only specify one of them in the settings.

Weiß nicht.  Maybe someone else knows, but your reasoning seems good to me!

Cheers - Bob