
Strange problem with SMTP proxy and S/MIME certificates

On the UTM I configured the SMTP proxy and for one user I have imported the private key so the UTM can sign and encrypt messages.
When I use my laptop and configure it to use the UTM as SMTP server (with TLS and port 587)
I can successfully send mails which are automatically signed and signatures check okay.

When I configure my Android phone with the same SMTP server settings mails get out, get signed but I get a message at the receiving party that the certificate is invalid.
When I do open the mail I can see it uses the same certificate which is correct. I suppose somehow the message gets changed after it has been signed, but I don't really know how to check this.
It doesn't make a difference whether I connect my phone by 3G or Wifi.

Anyone else seen this behavior or know where to look for any possible problems?


  • I've sent you an email signed with my S/MIME cert.  Try sending me an email from your PC and phone so I can confirm the difference and look at the headers to see if there's an issue.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just sent you the mails.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Both came through signed with no error messages.  I wonder if the issue isn't that the other clients are "complaining" because the certificate is self-signed by your UTM.  How about a picture of the actual error message seen?

    Cheers - Bob
    PS He sent two more that were signed and encrypted, and both were processed without errors.
     
  • Attached I have the screenshots. Unfortunately they are in Dutch so I will try to translate where necessary.

    First picture says:
    "The digital signature of this message is invalid or not reliable"

    Second says:
    "it is possible that the content of the message has been changed. signed by arno... with RSA/SHA1"

    Last one says:
    "This message has an invalid digital signature. Open the message if you want more information."

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks, my Nederlands is very rusty! [;)]

    Hmm, I think this indicates that my UTM has the CA used to generate your certificate, but that the client that's being used to read your emails there does not.

    Cheers - Bob


  • It's very strange since in both cases I sent the mail with the UTM as outgoing SMTP server. In the first instance I did it from my laptop (Outlook), the second was from my phone. Both are in the same Internal Network on my UTM.
    I sent both mails to the same address and used Outlook again to open the mails. The mail sent from my mobile always gives me the error.

    Now it's got even more strange.... I just opened one of these mails with the warnings in OWA where I don't get the certificate warning, OWA also successfully validates the certificate.

    Anyway, I may have a problem on the computer receiving the mails in Outlook, will first check if all intermediate and root CAs are there and are valid.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
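
One way to tell apart the two explanations raised in this thread (message changed after signing versus the signer's CA missing on the reading client), as an added example that is not part of the original posts. It assumes the `openssl` command-line tool; the CA, certificates and message are constructed test data and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. The CA, certificates and message are constructed test data;
# the function names are hypothetical. Requires the openssl command-line tool.
work=$(mktemp -d)

make_fixtures() {
  # Constructed CA, a signer certificate issued by it, and an unrelated CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$work/other.key" -out "$work/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sender@example.test" \
    -keyout "$work/user.key" -out "$work/user.csr" 2>/dev/null
  openssl x509 -req -in "$work/user.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/user.pem" 2>/dev/null
  # Sign a constructed body, then make a copy whose body was changed after signing.
  printf 'Hello from the constructed sample.\n' > "$work/body.txt"
  openssl smime -sign -in "$work/body.txt" -signer "$work/user.pem" \
    -inkey "$work/user.key" -out "$work/good.eml" 2>/dev/null
  sed 's/^Hello from/Hallo from/' "$work/good.eml" > "$work/altered.eml"
}

# Integrity only: -noverify skips validation of the signer's certificate chain.
sig_intact() { openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null; }

# Integrity plus chain validation against the trust anchors in $2.
chain_trusted() { openssl smime -verify -CAfile "$2" -in "$1" -out /dev/null 2>/dev/null; }

diagnose() {  # $1 = saved message, $2 = PEM file of trusted CAs
  if ! sig_intact "$1"; then echo "content-or-signature-altered"
  elif ! chain_trusted "$1" "$2"; then echo "signer-chain-not-trusted"
  else echo "valid"; fi
}

make_fixtures
echo "intact message, issuing CA trusted:   $(diagnose "$work/good.eml" "$work/ca.pem")"
echo "intact message, issuing CA not known: $(diagnose "$work/good.eml" "$work/other.pem")"
echo "altered message, issuing CA trusted:  $(diagnose "$work/altered.eml" "$work/ca.pem")"
```

Run against a message saved from the receiving mailbox, the first check answers whether the body still matches the signature, independently of which CAs that client trusts.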