Using TLS connections
You can use Transport Layer Security (TLS) connections for email.
If you have issues with TLS connections, check that TLS is enabled on your mail server, that it offers a version Sophos Email supports (TLS 1.2 or TLS 1.3), and that the required ciphers are available. If you still have problems, contact Sophos Email Support.
For help with email encryption see Secure message methods.
Note
Make sure TLS 1.3 is enabled on your email gateway before you enforce it on any domains. Otherwise the connection with Sophos breaks and you can't send or receive email. The required ciphers, as an OpenSSL cipher-list string, are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'.
TLS failures
If Sophos Email can't make a TLS connection, email isn't sent. Email is queued for redelivery for 7 days. After this it is deleted.
Logging of TLS connection errors
Each time Sophos Email can't send an email because of a TLS failure, it adds an entry to the history log.
After the final failure, it adds an entry saying that the email was deleted because of TLS policy. The entries have this format: "Processing: Check TLS".
Sophos TLS certificate details
These are the details of the certificate we use with TLS connections.
Parameter | Value |
---|---|
Common Name | *.api-upe.p.hmr.sophos.com |
SANs | DNS:*.api-upe.p.hmr.sophos.com, DNS:*.prod.hydra.sophos.com, DNS:api-upe.p.hmr.sophos.com |
Organization | SOPHOS LIMITED |
Location | C=GB, ST=Oxfordshire, L=Abingdon |
Serial Number | 42:05:5f:21:c1:9b:e9:f0:e8:8a:bb:0c |
Signature Algorithm | sha256WithRSAEncryption |
Issuer | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 |
TLS 1.0 and 1.1 end of support
As of January 01, 2024, Transport Layer Security (TLS) 1.0 and 1.1 protocols are no longer supported for inbound and outbound email delivery. See TLS versions 1.0 and 1.1 will be disallowed.
Both TLS 1.0 and TLS 1.1 have known weaknesses, and many servers have already removed support for them.
Who is impacted
Customers whose mail servers still rely on TLS 1.0 or TLS 1.1 may see TLS delivery failure errors. A server that only offers these versions can't negotiate a connection with Sophos Email.
What to do
To mitigate risks, do the following:
- Make sure that your mail server isn't restricted to TLS 1.0 or TLS 1.1 only.
- Turn off TLS 1.0 and TLS 1.1 on your mail server.
- Use the TLS versions supported by Sophos Email, TLS 1.2 or TLS 1.3.
For more information on the recommended TLS versions, see TLS authentication.
If you don't configure your mail server, email delivery will be disrupted.
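The troubleshooting advice at the top of this page (check that TLS is enabled with a supported version and the required ciphers), the certificate table, and the steps under What to do all come down to the same test: connect to the mail server with STARTTLS pinned to one TLS version at a time and see what it negotiates. The script below is an added example and is not Sophos code. HOST and PORT are placeholders for your own mail server, SAMPLE_CERT is a constructed dictionary in the shape that Python's getpeercert() returns, filled in from the certificate table above so the certificate checks can be exercised offline, and mx1.api-upe.p.hmr.sophos.com is an invented host name used only to exercise the wildcard SAN check.

```python
"""Probe a mail server's STARTTLS versions and check a peer certificate.

Added example, not Sophos code. HOST and PORT are assumptions; SAMPLE_CERT
is constructed from the certificate table on this page.
"""
import smtplib
import ssl

HOST = "mail.example.com"  # assumption: your mail server's STARTTLS listener
PORT = 25

# Cipher-list string from the note on this page (OpenSSL cipher-list syntax).
REQUIRED_CIPHERS = "TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL"

# Values taken from the certificate table on this page.
EXPECTED_CN = "*.api-upe.p.hmr.sophos.com"
EXPECTED_SANS = {"*.api-upe.p.hmr.sophos.com", "*.prod.hydra.sophos.com",
                 "api-upe.p.hmr.sophos.com"}
EXPECTED_ISSUER_CN = "GlobalSign RSA OV SSL CA 2018"
EXPECTED_SERIAL = "42:05:5f:21:c1:9b:e9:f0:e8:8a:bb:0c"

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): RDNs as
# tuples of tuples, DNS SANs, serial as uppercase hex without separators.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("stateOrProvinceName", "Oxfordshire"),),
                (("localityName", "Abingdon"),), (("organizationName", "SOPHOS LIMITED"),),
                (("commonName", "*.api-upe.p.hmr.sophos.com"),)),
    "issuer": ((("countryName", "BE"),), (("organizationName", "GlobalSign nv-sa"),),
               (("commonName", "GlobalSign RSA OV SSL CA 2018"),)),
    "subjectAltName": (("DNS", "*.api-upe.p.hmr.sophos.com"),
                       ("DNS", "*.prod.hydra.sophos.com"),
                       ("DNS", "api-upe.p.hmr.sophos.com")),
    "serialNumber": "42055F21C19BE9F0E88ABB0C",
}


def probe_starttls(host, port, version, ciphers=None):
    """Try STARTTLS with min and max pinned to one ssl.TLSVersion.

    Returns (True, detail) if the server accepted that version, (False, detail)
    if the handshake or SMTP dialogue failed, and (None, detail) if the local
    OpenSSL refuses to use that version at all, so nothing is learned about
    the server.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL blocks TLS 1.0/1.1 at security level >= 1, so the
        # legacy probes need level 0; otherwise a refusal would be local.
        ctx.set_ciphers(ciphers or "DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError) as exc:
        return None, f"local TLS stack can't use {version.name}: {exc}"
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return True, f"negotiated {smtp.sock.version()} with {smtp.sock.cipher()[0]}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, str(exc)


def assess(results):
    """Apply this page's rules to outcomes keyed by ssl.TLSVersion name
    (True = accepted, False = refused, None = untestable locally)."""
    findings = []
    for name in ("TLSv1", "TLSv1_1"):
        if results.get(name) is True:
            findings.append(f"{name} still accepted; turn it off")
    if not any(results.get(name) is True for name in ("TLSv1_2", "TLSv1_3")):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted; Sophos Email can't connect")
    return findings


def _rdn_dict(rdns):
    """Flatten getpeercert()'s tuple-of-tuples RDNs into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def normalize_serial(serial):
    """Make the table's colon-separated serial and getpeercert()'s hex comparable."""
    return serial.replace(":", "").lower()


def cert_summary(cert):
    """Pull the fields from the table out of a getpeercert() dictionary."""
    subject, issuer = _rdn_dict(cert.get("subject", ())), _rdn_dict(cert.get("issuer", ()))
    return {"cn": subject.get("commonName"), "org": subject.get("organizationName"),
            "issuer_cn": issuer.get("commonName"),
            "serial": normalize_serial(cert.get("serialNumber", "")),
            "sans": {n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"}}


def hostname_matches(hostname, pattern):
    """Match a host against a DNS SAN; a leading '*' covers exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] != "*":
        return host == pat
    return len(host) == len(pat) and host[1:] == pat[1:]


def cert_problems(cert, hostname=None):
    """Compare a peer certificate with the documented one; empty list means it matches."""
    s, problems = cert_summary(cert), []
    if s["cn"] != EXPECTED_CN:
        problems.append(f"unexpected CN {s['cn']}")
    if s["sans"] != EXPECTED_SANS:
        problems.append(f"unexpected SANs {sorted(s['sans'])}")
    if s["issuer_cn"] != EXPECTED_ISSUER_CN:
        problems.append(f"unexpected issuer {s['issuer_cn']}")
    if s["serial"] != normalize_serial(EXPECTED_SERIAL):
        problems.append(f"unexpected serial {s['serial']}")
    if hostname and not any(hostname_matches(hostname, san) for san in s["sans"]):
        problems.append(f"{hostname} is not covered by any SAN")
    return problems


if __name__ == "__main__":
    label = {True: "accepted", False: "refused", None: "untested"}
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        accepted, detail = probe_starttls(HOST, PORT, version)
        results[version.name] = accepted
        print(f"{version.name:8} {label[accepted]}: {detail}")
    for finding in assess(results) or ["TLS version configuration looks fine"]:
        print(finding)
    print("offline certificate check:",
          cert_problems(SAMPLE_CERT, "mx1.api-upe.p.hmr.sophos.com") or "matches the table")
```

Two caveats when running the probes for real. A refusal with create_default_context() can also come from certificate validation (wrong host name, untrusted chain), so read the detail string rather than only the accepted flag. And the issuer and serial comparisons will stop matching when Sophos renews its certificate; they are there to notice an unexpected certificate in the path, not as a permanent pin, so update EXPECTED_SERIAL from the table when that happens.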