
Sophos UTM TLS negotiation failed


Apparently some mail providers (e.g. Bluewin, Gmail, etc.) have had problems delivering mail to an Astaro/Sophos UTM box with Email Security since Sophos version 9.210. The sender receives a bounce saying the mail could not be delivered because of "TLS negotiation failed".

This problem can be fixed by editing a file on the Linux shell of the Sophos box, or alternatively via the GUI: go to Email Security > Advanced and temporarily enter "ANY" under "Skip TLS negotiation hosts/net".

Alternatively via the shell (thanks ALEX!):

1. Log into the shell with the "loginuser" account, e.g. through PuTTY.
2. The password for the shell normally isn't the same as your password for the WebAdmin. If you don't know your shell password, navigate to the following page to reset it: Management -> Shell Access -> Shell user passwords. Change the password for the "loginuser" and "root" users. Then log into the shell with the newly set passwords.
3. Type: su <press enter>. You'll be asked to enter a password. Enter the "root" password here.
4. Type exactly what is described below into the console:


For version 9.210
1. Type: cd /var/chroot-smtp/etc
2. Type: vi exim.conf                                     (this opens the editor)
3. Type: /tls_require_ciphers                             (this searches for the string)
4. Go to the end of the line and delete ":SSLv3" with the delete key. Do not use the backspace key for this.
5. Type: /tls_advertise_hosts                             (this searches for the string)
6. Go down one line with the arrow key.
7. Type: i                                                (only press the letter i to enter insert mode)
8. Type: openssl_options = +no_sslv3 +no_tlsv1_2
9. Type: <escape key> :wq                                 (this saves the new content and quits)
10. Type: /var/mdw/scripts/smtp restart                   (this restarts the SMTP service so the change takes effect)

For versions 9.301, 9.302, 9.303
1. Type: cd /var/chroot-smtp/etc
2. Type: vi exim.conf                                     (this opens the editor)
3. Type: /tls_advertise_hosts                             (this searches for the string)
4. Go down one line with the arrow key. If an openssl_options line already exists, it has to be modified. If it doesn't exist, it has to be created.
5. Type: i                                                (only press the letter i to enter insert mode)
6. Type: openssl_options = +no_sslv3 +no_tlsv1_2
7. Type: <escape key> :wq                                 (this saves the new content and quits)
8. Type: /var/mdw/scripts/smtp restart                    (this restarts the SMTP service so the change takes effect)
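The two vi procedures above can also be applied non-interactively, which makes the change repeatable and keeps a backup of the original file. The following script is an added example, not code from the original page or from Sophos: it performs exactly the edits described (drop ":SSLv3" from tls_require_ciphers, set or insert openssl_options after tls_advertise_hosts), then verifies the result. The path /var/chroot-smtp/etc/exim.conf and the restart command are taken from the page; the sample configuration it runs against is constructed for demonstration, and it assumes GNU sed (as found on the UTM) for `sed -i` and the one-line `a` command.

```shell
#!/bin/sh
# Added example: non-interactive version of the exim.conf edits above.
# Works on whatever file is passed in, so it can be tried on a copy first.

# Apply both edits to the file named in $1, keeping a .bak copy of the original.
patch_exim_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    # 9.210 step 4: remove the trailing ":SSLv3" from the tls_require_ciphers line.
    sed -i 's/^\(tls_require_ciphers[[:space:]]*=.*\):SSLv3[[:space:]]*$/\1/' "$conf"
    # Steps 5-8 / 9.30x step 4: modify an existing openssl_options line,
    # or create one directly below tls_advertise_hosts if none exists.
    if grep -q '^openssl_options' "$conf"; then
        sed -i 's/^openssl_options[[:space:]]*=.*/openssl_options = +no_sslv3 +no_tlsv1_2/' "$conf"
    else
        sed -i '/^tls_advertise_hosts/a openssl_options = +no_sslv3 +no_tlsv1_2' "$conf"
    fi
}

# Return 0 only if the file looks the way the procedure expects afterwards:
# no SSLv3 left in the cipher list and exactly the openssl_options line from the page.
check_exim_conf() {
    conf="$1"
    ! grep -q '^tls_require_ciphers.*SSLv3' "$conf" &&
    grep -qx 'openssl_options = +no_sslv3 +no_tlsv1_2' "$conf" &&
    [ "$(grep -c '^openssl_options' "$conf")" -eq 1 ]
}

# Demonstration on a constructed sample (NOT a real UTM exim.conf).
demo() {
    dir=$(mktemp -d)
    sample="$dir/exim.conf"
    printf '%s\n' \
        '# constructed sample for demonstration' \
        'tls_require_ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:SSLv3' \
        'tls_advertise_hosts = *' \
        'tls_certificate = /etc/ssl/smtp.pem' > "$sample"
    patch_exim_conf "$sample"
    echo "--- changes made (backup vs. patched):"
    diff "$sample.bak" "$sample" || true
    if check_exim_conf "$sample"; then
        echo "check: OK"
    else
        echo "check: FAILED"
    fi
    rm -rf "$dir"
}

demo
# On the appliance itself, the live file would be patched and the service
# restarted like this (paths from the page; not executed in the demo):
#   patch_exim_conf /var/chroot-smtp/etc/exim.conf && /var/mdw/scripts/smtp restart
```

Note what the workaround actually does: `+no_sslv3` turns off SSLv3, but `+no_tlsv1_2` also turns off TLS 1.2, so inbound SMTP peers are left with TLS 1.0/1.1 only. Like the "ANY" entry in "Skip TLS negotiation hosts/net", it trades protocol strength for interoperability and is best treated as temporary; the `.bak` copy makes reverting a single `cp`.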


