
SPX not encrypting

Hi,

I'm trying to set up SPX encryption but can't get it to work. This is what I have done:

  • Created an SMTP profile and punting a particular domain's emails through the profile. (That domain is external to our system.)
  • Turned on SPX encryption and created an SPX template. Linked the SMTP profile to the template.
  • Run the Sophos Outlook Addin on a test PC.

When I create and attempt to encrypt an email the x-sophos-spx-encrypt header is being added, the correct profile is being used but the message is not encrypted. The only difference the receiver sees is the header and "Please treat this as Confidential" when viewing the message in Outlook. I've also tried using the [secure:password] format in the subject.

Any ideas?

It's very worrying that the x-sophos-spx-encrypt header has been added but UTM sends the message in the clear. Even if the system is not configured for SPX, the header should surely prompt UTM to quarantine the message or return it to the sender? It's unacceptable that the user asks for the email to be encrypted and it is sent cleartext.



  • Same result - not encrypted.
  • Here's the relevant section. 10.20.10.14 is my Exchange server and 10.20.10.127 is the smart host that the UTM forwards the message to. I can't see any material difference in the live log whether the encryption x-header is present or not.

    2016:02:05-09:05:52 myutm exim-in[4951]: 2016-02-05 09:05:52 SMTP connection from [10.20.10.14]:46408 (TCP/IP connection count = 1)
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 Warning: externaldomain.com profile excludes greylisting: Skipping greylisting for this message
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 Warning: externaldomain.com profile excludes spam scan: Skipping SMTP inline spam scan for this message
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 1aRcKv-000CT7-1R <= sender@mydomain.com H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 P=esmtps X=TLSv1:AES256-SHA:256 S=47064 id=0AC5A4E940165B4886C747275A158BD83FBE572CA2@EXCHSRVR.mydomain.local
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 SMTP connection from (EXCHSRVR.mydomain.local) [10.20.10.14]:46408 closed by QUIT
    2016:02:05-09:05:54 myutm smtpd[4903]: QMGR[4903]: 1aRcKv-000CT7-1R moved to work queue
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcL2-000CTJ-Hh <= sender@mydomain.com R=1aRcKv-000CT7-1R P=INPUT S=46067
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.20.10.14" from="sender@mydomain.com" to="recipient@externaldomain.com" subject="Test encryption" queueid="1aRcL2-000CTJ-Hh" size="46067"
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcKv-000CT7-1R => work R=SCANNER T=SCANNER
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcKv-000CT7-1R Completed
    2016:02:05-09:06:00 myutm exim-out[47949]: 2016-02-05 09:06:00 1aRcL2-000CTJ-Hh => recipient@externaldomain.com P=<sender@mydomain.com> R=static_route_hostlist T=static_smtp H=10.20.10.127 [10.20.10.127]:25 C="250 2.0.0 Message received OK"
    2016:02:05-09:06:00 myutm exim-out[47949]: 2016-02-05 09:06:00 1aRcL2-000CTJ-Hh Completed

  • Did you check the header of the mail that you receive? You should find the x-sophos-spx-encrypt tag in there.

    This is my livelog:

    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX Encryption starts with profile: REF_template and password type: recipientspec
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX encryption was successfull
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R => work R=SCANNER T=SCANNER
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R Completed
  • Hi,
    Yes, x-sophos-spx-encrypt is added to the header. My live log looks the same whether I've asked for encryption or not.
  • What happens, if you activate an spx-template to all smtp-profiles?
  • I have not tried that. It's a live system so I would do any such testing out of hours.
    I don't think it would make any difference though - I am 100% sure the test emails are using the correct profile.
  • Ok, I've checked something:

    this is the log with spx enabled:

    sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""

    if I disable SPX:

    SCANNER[18198]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSm0A-0004jW-43" size="14330"

    The reason="spx" tag is not available if SPX is not assigned...

    If you activate the spx-encryption for all other smtp-profiles for a while it should not disturb... what do you mean?
  • OK I set my SPX template as the SPX Global Template and it is no different. I also tried using the Sophos default template, but no luck there either.

    It is a major problem that Sophos is passing emails in the clear if they are tagged as x-sophos-spx-encrypt and/or with [secure:password] in the subject.
    There's no sanity check here - the user cannot rely on the encryption mechanism because if there is a problem or misconfiguration the email may be sent in the clear - this is far from acceptable.

    Even if SPX is turned off, Sophos should recognise the fact that encryption is being attempted and as a minimum should quarantine the message, preferably notifying the sender.
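The missing sanity check the thread asks for can at least be monitored for on the log side. As an added example (not from the thread or from Sophos), this Python script parses constructed UTM SCANNER live-log lines modelled on the ones quoted above and flags any "email passed" record addressed to a domain that should be SPX-protected unless the same queue id also carries reason="spx" and a "[SPX] SPX encryption was successfull" line. The protected-domain list, source IP and log lines are assumptions.

```python
import re

# Constructed sample lines (not from the thread) modelled on the UTM SCANNER live-log
# format quoted above; the "successfull" spelling matches the real log line.
SAMPLE_LOG = """\
2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.0.0.1" from="sender@mydomain" to="receiver@externaldomain.com" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""
2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX Encryption starts with profile: REF_template and password type: recipientspec
2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX encryption was successfull
2016:02:08-09:20:01 sophos smtpd[18198]: SCANNER[18198]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.0.0.1" from="sender@mydomain" to="receiver@externaldomain.com" subject="Test encryption" queueid="1aSm0A-0004jW-43" size="14330"
2016:02:08-09:21:10 sophos smtpd[18200]: SCANNER[18200]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.0.0.1" from="sender@mydomain" to="someone@otherdomain.com" subject="lunch" queueid="1aSm0B-0004jX-9Q" size="2000"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an "email passed" record
SPX_OK_RE = re.compile(r'SCANNER\[\d+\]: (\S+) \[SPX\] SPX encryption was successfull')


def parse_log(text):
    """Return ({queueid: fields} for "email passed" records, {queueids with SPX success})."""
    passed, encrypted = {}, set()
    for line in text.splitlines():
        if 'name="email passed"' in line:
            fields = dict(KV_RE.findall(line))
            passed[fields["queueid"]] = fields
            continue
        m = SPX_OK_RE.search(line)
        if m:
            encrypted.add(m.group(1))
    return passed, encrypted


def find_cleartext(text, protected_domains):
    """Flag mail to a protected domain that left the scanner without SPX encryption.

    A message counts as encrypted only if its "email passed" record carries
    reason="spx" AND a matching "[SPX] SPX encryption was successfull" line exists.
    """
    passed, encrypted = parse_log(text)
    protected = {d.lower() for d in protected_domains}
    findings = []
    for qid, f in passed.items():
        domain = f["to"].rsplit("@", 1)[-1].lower()
        if domain not in protected:
            continue
        if f.get("reason") != "spx" or qid not in encrypted:
            findings.append((qid, f["to"], f["subject"]))
    return findings


if __name__ == "__main__":
    for qid, rcpt, subj in find_cleartext(SAMPLE_LOG, {"externaldomain.com"}):
        print(f"ALERT {qid}: mail to {rcpt} ({subj!r}) was not SPX-encrypted")
```

Feeding the real live log through this check would have caught the poster's case: the second constructed record is the "no reason="spx"" shape described above and is the one reported.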