Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 21 replies
  • Subscribers 4 subscribers
  • Views 37629 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

S/MIME certificates are not extracted

hagman_01
In Astaro 8.311, I have configured (under Mail security - Encryption - Options) automatic extraction of S/MIME certificates.
However, it never happens that S/MIME certificates get extracted and listed under Mail security - Encryption - S/MIME certificates. The list remains empty.
I have received several signed mails from external, where the user certificate (A) was signed by an intermediate certificate (B) and the intermediate certificate (B) was signed by a standard VeriSIgn certificate (C).
I have verified that C occurs among Mail security - Encryption - S/MIME CAs
I have also added B manually to that list and received signed mails after that. 
Still no success.
The way I understand this feature, an incoming mail signed with certificate A should cause A to appear under Mail security - Encryption - S/MIME certificates after a few minutes ...

What's wrong here? [:S]


This thread was automatically locked due to age.
Parents
  • 0
    I'm still having this problem with 9.106-17 - Any new ideas? For exmaple, any logging that might shed insights?
  • 0 in reply to hagman_01

    Bumping this thread: Meanwhile we have UTM 9.413-4 and the problem is still there, even after so many years.

    I just tested the situation once more with an incoming mail,

    • which was signed by a user certificate,
    • which is signed by "COMODO SHA-256 Client Authentication and Secure Email CA" (not in list) as intermediate,
    • and this again signed by "AddTrust External CA Root" (in the list of "global S/MIME CAs", verified by comparing fingerprints).

    I also tested with another incoming mail,

    • signed by a user certificate,
    • this signed by "StartCom CA StartCom CC ICA" as intermediate (previously imported by me into the list of local CAs),
    • this again signed by "StartCom CA StartCom Certification Authority ECC" as root CA (previously imported by me into the list of local CAs).

    Neither of these mails triggered the automatic S/MIME certificate extraction. My list under "S/MIME certificates" is still empty.

    I do not find any interesting lines in the smtp.log, either (or would I have to look elsewhere?)

    It would be really great if this problem could be resolved, finally.

    P.S.: I noticed some strangeness, but don't know if that is in any way related to the bug: The format how fingerprints are displayed differ between global and local CAs in that local CA fingerprints are displayed (via the info icon) as pure hex digit sequence (e.g., "Fingerprint: DA1D80BCF06499E616B8C51226A1C62D7ADAD751") whereas global CA fingerprints are grouped by colons (e.g., "Fingerprint: B5:61:EB:EA:A4:DE:E4:25:4B:69:1A:98:A5:57:47:C2:34:C7:D9:71").

  • 0 in reply to hagman_01

    Anyone got that working?

    Same situation here as hagman_01. Using UTM 9.503. Evaluating Mail Protection at the moment to see if it's worth buying it.

    As this thread is many years old and only few guys replied my hope isn't increased.

    -

  • 0 in reply to Alexander Busch

    Loading the UTM with CAs that have an intermediate CA is tricky.  You have a PM with my email address.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to Alexander Busch

    Our UTM automatically stripped the certificate from Alex' email:

    If your UTM isn't doing this, then it's a configuration issue there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    BAlfson said:

    Loading the UTM with CAs that have an intermediate CA is tricky. 

    And what is the trick? I for my part tried with importing both the senders root and intermediate cert without success (situation unchanged for several years) ...

  • 0 in reply to BAlfson

    OK, thanks Bob. I opened a ticket at Sophos support. We will see...

    @hagman_01: Did you contacted support regarding that?

    -

  • 0 in reply to hagman_01

    Here's an example of how to create a p12 file with Windows OpenSSL that works to get a correct import with an intermediate CA.

    From the directory containing the CAs, your cer file and your private key (all on one line):

    C:\Program Files (x86)\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -in -certfile Comodo.Root.CA.file -certfile Comodo.Intermediate.CA.file sub.domain.com.cer -inkey sub.domain.com.private.key -out sub.domain.com.p12

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Can you elaborate on the issues related to Intermediate CAs?   My experience is only with web traffic certificates.

    For web traffic, the server is supposed to send both the identity certificate and the intermediate certificate.   For S/MIME, is the same behavior expected, so that the email includes the intermediate certificate, or is the receiving system supposed to use AIA Fetching to find the intermediate certificate?

    UTM Web Filtering does not do AIA Fetching, at least in the versio that I am running, and a significant percentage of sites do not provide the intermediate certificate.   So I have gradually built a database of Intermediate certificates that I have loaded inot WEb Proxy as a CA.   This solves the Web Proxy problem.   I wonder if htis is necessary for your S/MIME traffic as well.

Reply
  • 0 in reply to BAlfson

    Can you elaborate on the issues related to Intermediate CAs?   My experience is only with web traffic certificates.

    For web traffic, the server is supposed to send both the identity certificate and the intermediate certificate.   For S/MIME, is the same behavior expected, so that the email includes the intermediate certificate, or is the receiving system supposed to use AIA Fetching to find the intermediate certificate?

    UTM Web Filtering does not do AIA Fetching, at least in the versio that I am running, and a significant percentage of sites do not provide the intermediate certificate.   So I have gradually built a database of Intermediate certificates that I have loaded inot WEb Proxy as a CA.   This solves the Web Proxy problem.   I wonder if htis is necessary for your S/MIME traffic as well.

Children
No Data
Unfiltered HTML