Advisory: Sophos XG Firewall email fails to send to servers that only support TLS 1.0

On a Sophos XG Firewall running version 17 with email protection enabled, some recipient servers fail to negotiate a TLS 1.0 connection and the email fails to send.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall

In v17, some emails will not be delivered to the recipient server, either incoming or outgoing.

There will be a UI change that allows the firewall admin to disable/enable TLS 1.0 for email communication.

Email behavior will also change: when TLS cannot be correctly negotiated, delivery will fall back to plain text.

The fix will be released in v17 MR2.

For incoming email, an administrator can add their email servers to the Skip TLS Negotiation Hosts/Nets field under Email > General Settings > SMTP TLS Configuration.

For outgoing mail, please log a support request and reference this KB article.

Note the domains to which mail is failing to be sent, look up their MX records, and add all of the resulting IP addresses to the Skip TLS Negotiation Hosts/Nets field under Email > General Settings > SMTP TLS Configuration (mail to those hosts is then exchanged without TLS). This is a tedious process, as it involves continuous monitoring.

The other option is to edit the mta.conf file from the shell of the XG Firewall and restart the awarrenmta service. Before making any command line changes, we recommend creating a backup of your system. Use a reliable SSH client, such as PuTTY, before making changes. If you have any questions or concerns, call support for assistance with these steps:

  1. Log in to the command line interface of the Sophos XG Firewall with PuTTY.
  2. Select option 5. Device Management.
  3. Select option 3. Advanced Shell.
  4. Put the file system into write mode: mount -n -o remount,rw /
  5. Use vi to edit the file: vi /static/proxy/smtp/mta.conf
  6. Look for the line disable_tls1 yes
  7. Change yes to no.
  8. Save and quit with :wq from the vi command line (press ESC first to reach the command line).
  9. Restart the awarrenmta service: service awarrenmta:restart -ds nosync
  10. Put the system back into read-only mode: mount -n -o remount,ro /
  11. The change is now in effect.

The equivalent change for the smtp.conf file is to edit it from the shell of the XG Firewall and restart the awarrensmtp service. The same precautions apply: back up your system first, use a reliable SSH client such as PuTTY, and call support if you have any questions or concerns about these steps:

  1. Log in to the command line interface of the Sophos XG Firewall with PuTTY.
  2. Select option 5. Device Management.
  3. Select option 3. Advanced Shell.
  4. Put the file system into write mode: mount -n -o remount,rw /
  5. Use vi to edit the file: vi /static/proxy/smtp/smtp.conf
  6. Look for the line disable_tls1 yes
  7. Change yes to no.
  8. Save and quit with :wq from the vi command line (press ESC first to reach the command line).
  9. Restart the awarrensmtp service: service awarrensmtp:restart -ds nosync
  10. Put the system back into read-only mode: mount -n -o remount,ro /
  11. The change is now in effect.
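The two shell procedures above (mta.conf/awarrenmta and smtp.conf/awarrensmtp) differ only in the file and service name, so they can be carried out by one helper that keeps a backup and verifies the edit before any service is restarted. This is an added example, not Sophos tooling; the helper names are assumptions, while the paths, directive and service commands are the ones the article lists.

```shell
#!/bin/sh
# Added example (not Sophos' own code): rewrite the disable_tls1 directive in a
# Sophos XG mail-proxy config with a restorable backup and a post-edit check.

# set_tls1_flag FILE VALUE
# Rewrites "disable_tls1 <anything>" to "disable_tls1 VALUE" in FILE.
# Returns 0 on success, 1 if the directive is absent, 2 if verification fails.
set_tls1_flag() {
    file="$1"; value="$2"
    grep -q '^disable_tls1[[:space:]]' "$file" || return 1
    # Timestamped copy so the original can be put back if mail breaks
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 2
    # POSIX sed: write to a temp file instead of relying on GNU "sed -i"
    sed "s/^disable_tls1[[:space:]].*/disable_tls1 $value/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file" || return 2
    # Exactly one directive must remain, carrying the requested value
    [ "$(grep -c "^disable_tls1 $value\$" "$file")" -eq 1 ] || return 2
}

# tls1_state FILE -> prints the current value of the directive (yes/no)
tls1_state() {
    awk '$1 == "disable_tls1" { print $2; exit }' "$1"
}

# apply_on_firewall CONF SERVICE -> steps 4 to 10 of the article for one pair:
#   mta.conf  awarrenmta
#   smtp.conf awarrensmtp
# Meaningful only on the XG Advanced Shell, so it is defined here but not called.
apply_on_firewall() {
    conf="/static/proxy/smtp/$1"; svc="$2"
    mount -n -o remount,rw / || return 1
    if ! set_tls1_flag "$conf" no; then
        mount -n -o remount,ro /            # leave the system read-only on failure
        return 1
    fi
    service "$svc:restart" -ds nosync
    mount -n -o remount,ro /
}
```

Run `apply_on_firewall mta.conf awarrenmta` (or `smtp.conf awarrensmtp`) from the Advanced Shell; the .bak file left beside the config is what you restore if TLS 1.0 needs to be disabled again.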

This article will be updated when information becomes available.
