SMTP with TLS

edited August 2019 in Firebox - Proxies

We are currently migrating some Fireboxes to FW 12.4.1 U1 and have the following question.

As the new FW supports multiple proxy certificates, how is a certificate selected for use with explicit TLS over SMTP? We did not find any setting to choose a certificate.

The docs state:

_When content inspection is enabled for inbound SMTP, POP3, or IMAP over TLS traffic, the proxy uses a certificate to re-encrypt traffic after it is decrypted for inspection. You **can** use the default Proxy Server certificate for this purpose._

I suspect **can** means you can choose to use the default or another one, but how?

Thanks a lot for your help.

Comments

  • Did you ever get an answer to this? I also cannot find anywhere to select which certificate is being used.

  • You can replace the default Proxy Server certificate with one from the SMTP server.

  • Right, but you can also import a new proxy certificate and give it a name. What can you do with that? You would think that you could assign it to a proxy.

  • Ralph (WatchGuard Representative)

    Hello,

    HTTPS only at this time. For SMTP, the proxy will use the default Proxy Server certificate. Either default or custom.

  • Ralph (WatchGuard Representative)

    You don't select which certificate you want to use for SMTP. It uses the Proxy Server certificate by default. And as Bruce suggested, you would use the SMTP server's certificate+private key by uploading it to the Firebox as the Proxy Server certificate.

  • Ralph, I understand that you can upload a cert as the proxy default. My question is what can you do with a certificate if you upload it as a proxy that is not the default? I do not see anywhere that you can assign that certificate to.

  • Ralph (WatchGuard Representative)

    The OP's question was "...As the new FW supports multiple proxy certificates how is a certificate selected for use with explicit TLS over SMTP?.... " The multiple certificate support only applies to HTTPS and not SMTP. For SMTP, the proxy uses the Proxy Server certificate for TLS. This can be the default Proxy Server certificate or one from the SMTP server (recommended).

    Would you mind expanding on "....what can you do with a certificate if you upload it as a proxy that is not the default?..."

    For ".. I do not see anywhere that you can assign that certificate to....." the answer is you do not select it anywhere. Whatever the Proxy Server certificate is, that's what the SMTP proxy will use for TLS.

  • edited April 20

    Ok, then please explain how multiple certificates can be used with HTTPS.

  • Ralph (WatchGuard Representative)

    Via Content / Proxy actions...you can now select which Proxy Server certificate you want to use.

    See Policy Manager / HTTPS proxy / select the Server-based action / set the action to Inspect. Now you can select which Proxy Server certificate you want to use.

    "....In Fireware v12.2 and higher, you can also choose to use the default Proxy Server certificate or a different Proxy Server certificate for each domain name rule. This enables you to host several different public-facing web servers and domains behind one Firebox and allow different domains to use different certificates for inbound HTTPS traffic. For more information, see Use Certificates with HTTPS Proxy Content Inspection."

  • Thank you, that explains where it can be used. Do you know if the same functionality will be available for the SMTP proxy?

  • Ralph (WatchGuard Representative)

    Yes, that's the plan to accommodate "multiple email servers behind a single Firebox" environments...
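
The thread above establishes that the SMTP proxy presents whatever is loaded as the Proxy Server certificate, with no per-policy selection. The practical check an operator wants is to confirm, from outside, which certificate actually comes back after STARTTLS on port 25. The following Go program is an added example, not code from this thread or from WatchGuard: it performs the explicit-TLS exchange (banner, EHLO, STARTTLS, TLS handshake) and reports the SHA-256 fingerprint and subject alternative names of the leaf certificate it receives, so you can compare them against the certificate you uploaded. The local fake SMTP listener, the self-signed certificate and the name mail.example.test are constructed stand-ins so the program runs offline; in practice you would call ProbeSMTPStartTLS against your real MX address.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ProbeResult records what the STARTTLS probe observed about the certificate
// presented by the far end (for a Firebox, the Proxy Server certificate).
type ProbeResult struct {
	StartTLSOffered bool
	SHA256          string   // hex SHA-256 of the leaf certificate (DER)
	DNSNames        []string // subject alternative names on the leaf
}

// readReply collects one SMTP reply, including multi-line "250-" continuations.
func readReply(r *bufio.Reader) ([]string, error) {
	var lines []string
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		line = strings.TrimRight(line, "\r\n")
		lines = append(lines, line)
		if len(line) < 4 || line[3] != '-' {
			return lines, nil
		}
	}
}

// ProbeSMTPStartTLS connects in cleartext, confirms STARTTLS is advertised,
// upgrades to TLS and returns details of the leaf certificate. Verification is
// deliberately disabled: the goal is to observe which certificate is presented,
// not to trust it.
func ProbeSMTPStartTLS(addr, serverName string) (ProbeResult, error) {
	var res ProbeResult
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return res, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	r := bufio.NewReader(conn)
	if _, err := readReply(r); err != nil { // 220 banner
		return res, err
	}
	fmt.Fprintf(conn, "EHLO probe.example.test\r\n")
	ehlo, err := readReply(r)
	if err != nil {
		return res, err
	}
	for _, l := range ehlo { // "250-STARTTLS" or "250 STARTTLS"
		if len(l) >= 4 && strings.EqualFold(strings.TrimSpace(l[4:]), "STARTTLS") {
			res.StartTLSOffered = true
		}
	}
	if !res.StartTLSOffered {
		return res, fmt.Errorf("server did not advertise STARTTLS")
	}
	fmt.Fprintf(conn, "STARTTLS\r\n")
	reply, err := readReply(r)
	if err != nil {
		return res, err
	}
	if !strings.HasPrefix(reply[0], "220") {
		return res, fmt.Errorf("STARTTLS refused: %v", reply)
	}
	tconn := tls.Client(conn, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := tconn.Handshake(); err != nil {
		return res, err
	}
	leaf := tconn.ConnectionState().PeerCertificates[0]
	sum := sha256.Sum256(leaf.Raw)
	res.SHA256 = hex.EncodeToString(sum[:])
	res.DNSNames = leaf.DNSNames
	return res, nil
}

// SelfSignedCert builds a throwaway ECDSA certificate for name; a constructed
// stand-in for the SMTP server's real certificate and private key.
func SelfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is the hex SHA-256 of the leaf in cert, for comparison with the
// value the probe reports.
func Fingerprint(cert tls.Certificate) string {
	sum := sha256.Sum256(cert.Certificate[0])
	return hex.EncodeToString(sum[:])
}

// StartFakeSMTPServer is a constructed minimal SMTP listener on 127.0.0.1 that
// offers STARTTLS and presents cert, so the probe can be exercised offline.
func StartFakeSMTPServer(cert tls.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		r := bufio.NewReader(c)
		fmt.Fprintf(c, "220 mail.example.test ESMTP\r\n")
		for {
			line, err := r.ReadString('\n')
			if err != nil {
				return
			}
			switch cmd := strings.ToUpper(strings.TrimSpace(line)); {
			case strings.HasPrefix(cmd, "EHLO"):
				fmt.Fprintf(c, "250-mail.example.test\r\n250 STARTTLS\r\n")
			case cmd == "STARTTLS":
				fmt.Fprintf(c, "220 Ready to start TLS\r\n")
				tc := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}})
				if err := tc.Handshake(); err == nil {
					tc.Close()
				}
				return
			default:
				fmt.Fprintf(c, "500 unknown command\r\n")
			}
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	cert, err := SelfSignedCert("mail.example.test")
	if err != nil {
		panic(err)
	}
	addr, err := StartFakeSMTPServer(cert)
	if err != nil {
		panic(err)
	}
	res, err := ProbeSMTPStartTLS(addr, "mail.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("STARTTLS offered: %v\nSANs: %v\nSHA-256: %s\nmatches uploaded certificate: %v\n",
		res.StartTLSOffered, res.DNSNames, res.SHA256, res.SHA256 == Fingerprint(cert))
}
```

If the fingerprint reported for your MX differs from the certificate you uploaded, the proxy is still presenting the default Proxy Server certificate (or a different upload), which is exactly the mismatch remote senders would see on the TLS handshake.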
