This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Email Protection on All Interfaces - How to block for PCI

Have a 220 running latest (9.4) version of UTM 9. Have email protection. It listens across all interfaces. That sounds like a really silly method of doing that to me, but that's how it works. 

It fails PCI scans because the certificate is a self-signed certificate. A solution is not to "buy a proper certificate" because in this particular case there are multiple domains behind the firewall. For which would the customer buy a cert?  

One solution would be to block or disable SMTP ports across everything but the main interface. Sophos support tells me you can't do that. 

Certainly there is a way to do this otherwise this UTM 220 gets tossed. 

Thanks. 



This thread was automatically locked due to age.
Parents
  • Hi, Jon, and welcome to the UTM Community!

    If you check The Zeroeth Rule in Rulz, you will see the importance of the host name given to the UTM.  The only cert needed is for the domain in that host name or for the 'SMTP hostname', if specified, in 'Advanced Settings' on the 'Advanced' tab.

    As for blocking port 25 on other interfaces, there is a simple workaround based on #2 in Rulz: create a Network Group containing all of the "(Address)" objects representing the IPs where SMTP should be blocked and then create a "blackhole DNAT" to send the traffic to a non-existent IP.  You don't need this trick though as the correct solution was in my first paragraph.

    Cheers - Bob

    PS Give yourself a little time to learn this tool before you throw it out.  If your current reseller doesn't have the skills with the UTM that you need, call Sophos Sales and ask for a recommendation.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Actually, I am a reseller.... out of Minnesota. 

    I knew of this solution, but I wanted to see if there were other suggestions. 

    Problem of a "real" cert is that there are multiple multiple domains behind this firewall, so a single cert won't cut it. 

    Sophos support told me there was no possible way to shut off the email protection ports across all interfaces.

    I will propose this as solution and we'll see if this passes PCI. 

    Thanks, 

    Jon Johnston

    Creative Business Solutions

Reply
  • Actually, I am a reseller.... out of Minnesota. 

    I knew of this solution, but I wanted to see if there were other suggestions. 

    Problem of a "real" cert is that there are multiple multiple domains behind this firewall, so a single cert won't cut it. 

    Sophos support told me there was no possible way to shut off the email protection ports across all interfaces.

    I will propose this as solution and we'll see if this passes PCI. 

    Thanks, 

    Jon Johnston

    Creative Business Solutions

Children
  • Minnesota - Wish I'd been there several weeks ago, Jon, when the highs here were over 100 for ten days!

    It should pass PCI as long as the cert matches the SMTP name.  There can be many domains behind a single MTA as the sending server just looks for a valid cert to begin negotiating an encrypted tunnel.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA