This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SPX not encrypting

Hi,

I'm trying to set up SPX encryption but can't get it to work. This is what I have done:

  • Created an SMTP profile and punting a particular domain's emails through the profile.(That domain is external to our system.)
  • Turned on SPX encryption and created an SPX template. Linked the SMTP profile to the template.
  • Run the Sophos Outlook Addin on a test PC.

When I create and attempt to encrypt an email the x-sophos-spx-encrypt header is being added, the correct profile is being used but the message is not encrypted. The only difference the receiver sees is the header and "Please treat this as Confidential" when viewing the message in Outlook. I've also tried using the [secure:password] format in the subject.

Any ideas?

It's very worrying that the x-sophos-spx-encrypt header has been added but UTM sends the message in the clear. Even if the system is not configured for SPX, the header should surely prompt UTM to quarantine the message or return is to the sender? It's unacceptable that the user asks for the email to be encrypted and it is sent cleartext.



This thread was automatically locked due to age.
Parents
  • The mail server is Exchange 2007. I set up a send connector to push emails to my test domain through Sophos and when I send the test email I can see it in the SMTP live log.
    Sophos then forwards to our mail gateway as a smart host.
  • Plz restart the SPX-Engine in the webinterface!

    By the way... you can uncheck in the relaytab under smtp, that outgoing mails will be checked by the spamfilter...

  • How do I restart the SPX engine? I see no option for this - unless it is done by turning off the option, then on again?
  • Same result - not encrypted.
  • Here's the relevant section. 10.20.10.14 is my Exchange server and 10.20.10.127 is the smart host that the UTM forwards the message to. I can't see any material difference in the live log whether the encryption x-header is present or not.

    2016:02:05-09:05:52 myutm exim-in[4951]: 2016-02-05 09:05:52 SMTP connection from [10.20.10.14]:46408 (TCP/IP connection count = 1)
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 Warning: externaldomain.com profile excludes greylisting: Skipping greylisting for this message
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 Warning: externaldomain.com profile excludes spam scan: Skipping SMTP inline spam scan for this message
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 1aRcKv-000CT7-1R <= sender@mydomain.com H=(EXCHSRVR.mydomain.local) [10.20.10.14]:46408 P=esmtps X=TLSv1:AES256-SHA:256 S=47064 id=0AC5A4E940165B4886C747275A158BD83FBE572CA2@EXCHSRVR.mydomain.local
    2016:02:05-09:05:53 myutm exim-in[47933]: 2016-02-05 09:05:53 SMTP connection from (EXCHSRVR.mydomain.local) [10.20.10.14]:46408 closed by QUIT
    2016:02:05-09:05:54 myutm smtpd[4903]: QMGR[4903]: 1aRcKv-000CT7-1R moved to work queue
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcL2-000CTJ-Hh <= sender@mydomain.com R=1aRcKv-000CT7-1R P=INPUT S=46067
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.20.10.14" from="sender@mydomain.com" to="recipient@externaldomain.com" subject="Test encryption" queueid="1aRcL2-000CTJ-Hh" size="46067"
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcKv-000CT7-1R => work R=SCANNER T=SCANNER
    2016:02:05-09:06:00 myutm smtpd[47945]: SCANNER[47945]: 1aRcKv-000CT7-1R Completed
    2016:02:05-09:06:00 myutm exim-out[47949]: 2016-02-05 09:06:00 1aRcL2-000CTJ-Hh => recipient@externaldomain.com P=<sender@mydomain.com> R=static_route_hostlist T=static_smtp H=10.20.10.127 [10.20.10.127]:25 C="250 2.0.0 Message received OK"
    2016:02:05-09:06:00 myutm exim-out[47949]: 2016-02-05 09:06:00 1aRcL2-000CTJ-Hh Completed

  • Did you check the header of the mail that you receive? You should find the x-sophos-spx-encrypt tag in there.

    This is my livelog:

    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX Encryption starts with profile: REF_template and password type: recipientspec
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX encryption was successfull
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R => work R=SCANNER T=SCANNER
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R Completed
Reply
  • Did you check the header of the mail that you receive? You should find the x-sophos-spx-encrypt tag in there.

    This is my livelog:

    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX Encryption starts with profile: REF_template and password type: recipientspec
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0k-0008Vp-En [SPX] SPX encryption was successfull
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R => work R=SCANNER T=SCANNER
    2016:02:08-09:17:30 sophos smtpd[32725]: SCANNER[32725]: 1aSh0e-0008Vo-1R Completed
Children
  • Hi,
    Yes x-sophos-spx-encrypt is added to the header. My live log looks the same whether I've asked for encryption or not.
  • What happens, if you activate an spx-template to all smtp-profiles?
  • I have not tried that. It's a live system so I would do any such testing out of hours.
    I don't think it would make any difference though - I am 100% sure the test emails are using the correct profile.
  • Ok, I´ve checked something:

    this is the log with spx enabled:

    sophos smtpd[32725]: SCANNER[32725]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSh0k-0008Vp-En" size="14330" reason="spx" extra=""

    if I disable SPX:

    SCANNER[18198]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="xxx" from="sender@mydomain" to="receiver@remotedomain" subject="test" queueid="1aSm0A-0004jW-43" size="14330"

    The reason="spx" tag is not avaible, if spx is not assigned...

    If you activate the spx-encryption for all other smtp-profiles for a while it should not disturb... what do you mean?
  • OK I set my SPX template as the SPX Global Template and it is no different. I also tried using the Sophos default template, but no luck there either.

    It is a major problem that Sophos is passing emails in the clear if they are tagged as x-sophos-spx-encrypt and/or with [secure:password] in the subject.
    There's no sanity check here - the user cannot rely on the encryption mechanism because if there is a problem or misconfiguration the email may be sent in the clear - this is far from acceptable.

    Even if SPX is turned off, Sophos should recognise the fact that encryption is being attempted and as a minimum should quarantine the message, preferably notifying the sender.
  • Please tell us what Sophos Support says about this.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It turns out that it was misconfigured. I was setting up a test system and was trying to apply a profile to a particular recipient domain, so in Email Protection / SMTP Profiles / [Profile] / Domains I put in the test recipient domain.

    While this worked as a way of getting my messages routed through the test SPX template, UTM thinks that because the domain is listed in the Domains box it is an internal domain not an external one - and doesn't apply the encryption.