SG UTM


Email Protection : TLS Version and Ciphersuite selection

Dear Sophos Team,

please add a TLS version selector to the Email Protection settings, like it's already done in "Webserver Protection > WAF > Advanced".

In addition, please add a ciphersuite selector, so advanced users can specify further down which ciphersuite ( ECDH-* / DHE-*/ AES-*/ .. / ) they want to use.

27 votes
Anonymous shared this idea

5 comments

  • Christian commented

    Please add support to make TLS 1.2 for SMTP mandatory with means to make exceptions to that.

  • FosterDoug commented

    This is an odd thing for the PCI scan to be worried about. If the encryption setup is rejected for using an insufficiently-secure ciphersuite, then it will fall back to an unencrypted connection. This does nothing to prevent a man-in-the-middle downgrade attack, it only makes things easier for the attacker. For email, poor encryption is better than none.

    Disabling unencrypted email is not viable, because too much legitimate mail still arrives unencrypted.

    I guess ciphersuite control could be important for TLS-required correspondents, but I have found no uses for this feature. Even one of the biggest insurance companies, which uses encrypted communication everywhere that it might be needed, does not use encryption for marketing information sent under their identity.

    If you are not doing encryption-required, the PCI scan issue is silly, and you should just post an exception to the objection.

  • YASU (Yet another Sophos user) commented

    ...and please add the TLS selector _immediately_. To be PCI compliant all TLS v1 settings have to be deactivated and actually this is still a manual job, editing a conf-file. This is more than oldschool. And if I forget to control the exim-settings (every update resets the manual settings), the external *********** test fails and has to be repeated. Please!
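The policy Christian asks for (TLS 1.2 mandatory, with exceptions) and the fail-open fallback FosterDoug describes, as an added Python example that is not from this thread or from Sophos. The domain names and the cipher string are assumptions; the `ssl` context stands in for whatever a mail gateway hands its SMTP client for STARTTLS.

```python
import ssl
from dataclasses import dataclass

# OpenSSL cipher string limited to the ECDHE/DHE + AES families named in the
# request; anonymous, MD5 and RC4 suites excluded. Assumed value, not a Sophos default.
STRONG_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!MD5:!RC4"


@dataclass
class SmtpTlsPolicy:
    """Minimum TLS version plus the correspondents for which TLS is mandatory."""
    min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2
    ciphers: str = STRONG_CIPHERS
    # Constructed example domains: for these, delivery fails closed.
    required_domains: frozenset = frozenset({"bank.example", "insurer.example"})

    def is_required(self, domain: str) -> bool:
        return domain.lower() in self.required_domains

    def build_context(self) -> ssl.SSLContext:
        """Client-side context for STARTTLS: floor the version, restrict the suites."""
        ctx = ssl.create_default_context()
        ctx.minimum_version = self.min_version
        ctx.set_ciphers(self.ciphers)
        return ctx

    def decide(self, domain: str, peer_max_version) -> str:
        """Delivery decision given the best TLS version the peer can negotiate,
        as a name such as "TLSv1_2"; None means no STARTTLS or a failed handshake."""
        peer = ssl.TLSVersion[peer_max_version] if peer_max_version else None
        if peer is not None and peer >= self.min_version:
            return "tls"
        if self.is_required(domain):
            return "defer"      # keep the message queued; never send it in clear
        # Opportunistic TLS: a stricter version/cipher floor does not stop a
        # downgrade here, it only turns the session into plaintext (FosterDoug's point).
        return "plaintext"


def cipher_names(policy: SmtpTlsPolicy) -> list:
    """Names of the cipher suites the built context will actually offer."""
    return [c["name"] for c in policy.build_context().get_ciphers()]
```

`decide()` is the part worth reading: only the required-domains list turns a weak or missing STARTTLS offer into a deferral rather than a cleartext delivery.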
