SMTP with TLS

edited August 2019 in Firebox - Proxies

We are currently migrating some Fireboxes to FW 12.4.1 U1 and have the following question.

As the new FW supports multiple proxy certificates how is a certificate selected for use with explicit TLS over SMTP? We did not find any settings to choose a certificates.

The docs state:

_When content inspection is enabled for inbound SMTP, POP3, or IMAP over TLS traffic, the proxy uses a certificate to re-encrypt traffic after it is decrypted for inspection. You **can **use the default Proxy Server certificate for this purpose._

I suspect **can ** means you can choose to use the default or another one, but how?

Thanks a lot for your help.

Comments

  • Did you ever get an answer to this? I also cannot find anywhere to select which certificate is being used.

  • You can replace the default Proxy Server certificate with one from SMTP server.

  • Right, but you can also import a new proxy certificate and give it a name. What can you do with that? You would think that you could assign it to a proxy.

  • RalphRalph WatchGuard Representative

    Hello,

    HTTPS only at this time. For SMTP, the proxy will use the default Proxy Server certificate. Either default or custom.

  • RalphRalph WatchGuard Representative

    You don't select which certificate you want to use for SMTP. It uses the Proxy Server certificate by default. And as Bruce suggested, you would use the SMTP server's certificate+private key by uploading it to the Firebox as the Proxy Server certificate.

  • Ralph, I understand that you can upload a cert as the proxy default. My question is what can you do with a certificate if you upload it as a proxy that is not the default? I do not see anywhere that you can assign that certificate to.

  • RalphRalph WatchGuard Representative

    The OP's question was "...As the new FW supports multiple proxy certificates how is a certificate selected for use with explicit TLS over SMTP?.... " The multiple certificate support only applies to HTTPS and not SMTP. For SMTP, the proxy uses the Proxy Server certificate for TLS. This can be the default Proxy Server certificate or one from the SMTP server (recommended).

    Would you mind expanding on "....what can you do with a certificate if you upload it as a proxy that is not the default?..."

    For ".. I do not see anywhere that you can assign that certificate to....." the answer is you do not select it anywhere. Whatever the Proxy Server certificate is, that's what the SMTP proxy will use for TLS.

  • edited April 2020

    Ok, then please explain how multiple certificates can be used with HTTPS.

  • RalphRalph WatchGuard Representative

    Via Content / Proxy actions...you can now select which Proxy Server certificate you want to use.

    See Policy Manager / HTTPS proxy / Select .Server based action / Set action to Inspect. Now, you can select which Proxy Server certificate you want to use.

    "....In Fireware v12.2 and higher, you can also choose to use the default Proxy Server certificate or a different Proxy Server certificate for each domain name rule. This enables you to host several different public-facing web servers and domains behind one Firebox and allow different domains to use different certificates for inbound HTTPS traffic. For more information, see Use Certificates with HTTPS Proxy Content Inspection."

  • Thank you, that explains where it can be used. Do you know if the same functionality will be available for the SMTP proxy?

  • RalphRalph WatchGuard Representative

    Yes, that's the plan to accommodate "multiple email servers behind a single Firebox" environments...

  • Sorry. I have the same problem. Where can I find which cert should be used?
    When I do a STARTTLS check, I always get the error "TLS is not an option on this server"

  • Is your internal SMTP server set up to use TLS?

  • cmccmc
    edited November 2020

    When there are multiple Proxy Server type certs, how do you specify which is the default? I just ran into this problem trying to get SMTP TLS working. The Watchguard generated Proxy Server cert was already there and I then imported a third party cert as well.

    Screenshot of certs
    https://drive.google.com/file/d/1kNsbZMru0P2qnl6QsF2XwiJehGBhvVDu/view?usp=sharing

    When testing connectivity from an external server, in this case a Connector set up in Exchange Online, I get the following message:

    450 4.4.317 Cannot connect to remote server [Message=UntrustedRoot]

    So it seems the Firebox is using the built-in cert and not the custom cert. Note that all other certs in the chain of trust were also imported to the Firebox.

    I suspect that if I simply delete the built-in Watchguard cert that it will work, however I'd like to know if there is some other way to handle this. Per previous comments multiple Proxy Server certs are supported for HTTPS but not SMTP. But if there's no way to specify which is the default for SMTP, then I don't see how you can effectively use multiple certs in any scenario where SMTP TLS is required.

    UPDATE:
    I ended up deleting the custom cert and re-importing it. It turns out that the import wizard is where you specify if this will be the Default Proxy Server cert.

    https://drive.google.com/file/d/11sEj42XUXthBy-S1S93T50cJ29kOMQkd/view?usp=sharing

    Alternatively you can import it as a secondary named cert.

Sign In to comment.