This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

S/MIME signing/verifying of email v9.411-3

Hello

Any guidance would be appreciated please.

Our emails are signed with S/MIME certs from an external CA.

When I send an email it is delivered with a  (example from Thunderbird) of some sort to show that the email is signed, and clicking on it gives the certificate detail etc.

When I send an email to an internal user (defined on the Internal Users tab) the cert is removed and there is no way of knowing that the email was sent by an internal user or spoofed.

I've played with these options turning them on and off:

But the only way to get the  back in the emails is to remove the email recipient from the "Internal Users" tab.

Am I missing something??

Thanks in advance for any help.



This thread was automatically locked due to age.
Parents
  • Hi, Simon, and welcome to the UTM Community!

    Please explain how your configuration differs from Basic Exchange setup with SMTP Proxy, especially concerning the 'Relaying' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob

    Thanks for responding, and thank you for all of your posts throughout this forum that have helped me set up my UTMs [Y]

    Incoming:
    The MX records of our domain direct email to the FQDN of our UTM.
    The UTM sanitises the email and sends it to the external mail server.
    Users download email from the external mail server.

    Outgoing:
    Outgoing mail is sent via the UTMs mail relay where it is signed and possibly encrypted.

    Global: Profile mode (the settings that follow are for the profile in question)
    Routing: Static host list -> MX records of external mail server
    Verify recipients: With callout
    Malware/Antispam/Data Protection/Exceptions: all configured as required.
    Relaying:
    Upstream Host/Networks -> MX records of external mailserver.
    Allow upstream/relay hosts only -> NOT selected.
    Allow authenticated relaying -> NOT selected.
    Host-based Relay -> Internal network.
    Scan relayed (outgoing) messages -> Selected.
    Advanced:
    Use transparent mode -> NOT selected.
    Smarthost Settings -> NOT selected.

    DNAT: Any -> SMTP SSL PORT 587 -> UTM

    Thanks.
    Simon

  • That's what I was afraid of - an external mail server.  How does your approach differ from that recommended four years ago by fellow member wingman? [HOW TO] Email Encryption using External Mail Server

    I suspect that this is an idiosyncrasy of the signing/encryption engine.  I assume that this is a paid license, so please get this issue submitted to Sophos Support and then post back here with the results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob

    It is a frustrating problem. When an email comes in from an external user with an S/MIME cert, it's extracted OK. Email between an internal user and the external user is signed and encrypted by the UTM perfectly.

    The problem occurs when email is sent between two users that are both listed on the "Internal Users" tab of the Email Protecion->Encryption section. In this case there is no evidence of the email being signed or encrypted, even when adjusting the settings on Email Protecion->Encryption->Options.

    If I delete one of the internal users and add them to the Email Protecion->Encryption->S/MIME Certificates list email signing and encryption starts to function correctly.

    I've tried having the UTM relay the email. I've also tried having the UTM forward the outgoing email to an external smarthost, but there is no change.

    I've submitted the issue to Sophos support: Case 7043459.

    I'll post back with any news.

    Thanks again, I appreciate the support.

  • "If I delete one of the internal users and add them to the Email Protecion->Encryption->S/MIME Certificates list email signing and encryption starts to function correctly."

    What happens if the internal user is in both places?  I assumed that that was how you were configured in the first place.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Unfortunately it's not possible:

  • Looking forward to hearing Support's response!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
  • Hello

    I just wanted to post an update for the benefit of the community now that Sophos Support have made their decision:

    "Hello Simon,

    This is regarding your service request number 7042903, which you have opened with us.

    As informed earlier that by design.S/Mime signing and verification only works on outbound messages, I am closing this service request today.

    I would further request you to raise a feature request for the same by going to ideas.sophos.com

    Thank you for your patience and understanding.
    "

    So, it is by design that email is not signed or encrypted with S/MIME certs for email between internal users?!? I thought Sophos say "Dance like no one's watching. Encrypt like everyone is."

    I still think this is a secuirty issue/bug and not a feature request. Unfortunately I don't think I will be paying for Premium Support in the future.

  • Thanks for coming back and posting the answer, Simon.  Normally, email traffic is encrypted between mail servers and with clients although some people don't encrypt between clients and servers inside a private network.

    Looking back at your initial post here, I see that your concern was about spoofed emails that appear to come from internal users.  Please vote for and comment on In Anti-Spam, Expression-check everything after DATA or include From.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA