<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Configuring Incoming SSL Inspection for email in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562547#M113945</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69630"&gt;@CCummings&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You need to use the exact certificate that is currently used on the server.&lt;/P&gt;
&lt;P&gt;Currently, I'm uncertain about the specific issue with the certificate. Running an SSL debug may provide more insights.&lt;/P&gt;
&lt;P&gt;I would suggest opening a TAC case to further troubleshoot the issue. Without additional logs, I'm unable to make specific suggestions.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 20 Oct 2023 09:54:12 GMT</pubDate>
    <dc:creator>akuzhuppilly</dc:creator>
    <dc:date>2023-10-20T09:54:12Z</dc:date>
    <item>
      <title>Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561351#M113745</link>
      <description>&lt;P&gt;So, We have an on-premise Exchange server that is inside our firewall, so incoming and outgoing external email goes throught the firewall. We are having issues with file blocking on emails. We do have SSL inspection set on the traffic from outside to inside for email, but right now it is set to Forward Proxy and we receive no errors, the email is delivered. BUT, file blocking does not work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;PA Support is telling me to configure inbound inspection. When I do that, I get decrypt-error and the email is not delivered. We have a wildcard certificate from GoDaddy that we use for everything. That is the certificate that I set when I set inbound inspection and it is the certificate on the email server. But since the firewall is showing decrypt-error, I don't think it is ever getting to the email server.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;How do I determine what is causing the decrypt-error (and hopefully fix it)?&lt;/P&gt;
&lt;P&gt;Thanks in advance,&lt;/P&gt;
&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Thu, 12 Oct 2023 00:26:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561351#M113745</guid>
      <dc:creator>CCummings</dc:creator>
      <dc:date>2023-10-12T00:26:30Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561368#M113749</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69630"&gt;@CCummings&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Based on your description, the current setting is 'forward-proxy', which is to decrypt the outbound traffic.&lt;/P&gt;
&lt;P&gt;With that setting, do you see any traffic getting decrypted? I guess you have applied this to the traffic from your mail server to external parties.&lt;/P&gt;
&lt;P&gt;For the inbound traffic (to the mail server), you need to make sure all the required certificates (cert-chain) are added to the Firewall.&lt;/P&gt;
&lt;P&gt;Taking debug logs from Firewall will be able to give a better understanding of what is causing the failure.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 12 Oct 2023 03:53:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561368#M113749</guid>
      <dc:creator>akuzhuppilly</dc:creator>
      <dc:date>2023-10-12T03:53:50Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561668#M113783</link>
      <description>&lt;P&gt;So, no, It is set to SSL Inbound Inspection (It WAS forward proxy, but I changed that). Now, I get "Private key does not match public key". Nothing on the firewall is telling me that there's anything wrong with my certificate. I've attached a screen shot of my cert page, decrypt profile and decrypt policy options. I've been searching for a solution, but to no avail.&lt;/P&gt;
&lt;P&gt;Thanks in advance,&lt;/P&gt;
&lt;P&gt;Chris&lt;/P&gt;</description>
      <pubDate>Fri, 13 Oct 2023 15:50:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561668#M113783</guid>
      <dc:creator>CCummings</dc:creator>
      <dc:date>2023-10-13T15:50:23Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561778#M113818</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69630"&gt;@CCummings&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;"&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;"Private key does not match public key" indicates a certificate issue. The traffic arriving at the firewall, encrypted with the public key, cannot be decrypted by the firewall using the certificate with the private key.&lt;/P&gt;
&lt;P&gt;Please ensure you have uploaded the correct certificates.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Oct 2023 03:58:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561778#M113818</guid>
      <dc:creator>akuzhuppilly</dc:creator>
      <dc:date>2023-10-16T03:58:57Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561922#M113839</link>
      <description>&lt;P&gt;So, yes. It's the certificate from GoDaddy. I have the bundle certificate loaded as well. So, the CA Cert is there as well as our cert. Please see attached. I included the GoDaddy File names as well as the certificate page from the FW. I'm sorry I'm not as up on certificates and their parts and functions as I would like to be. I thank you for your assistance.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Oct 2023 20:06:02 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561922#M113839</guid>
      <dc:creator>CCummings</dc:creator>
      <dc:date>2023-10-16T20:06:02Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561967#M113851</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69630"&gt;@CCummings&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When I accessed the URL (shown in the CN screenshot), I noticed that the certificate was issued by ISRG Root X1 (attached).&lt;/P&gt;
&lt;P&gt;However, on the firewall, you are using a GoDaddy certificate.&lt;/P&gt;
&lt;P&gt;You might want to perform a packet capture on the original URL to confirm which certificate is being used during the SSL handshake. (Screenshot "Cert_Issues.png" attached.)&lt;/P&gt;</description>
      <pubDate>Tue, 17 Oct 2023 02:15:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/561967#M113851</guid>
      <dc:creator>akuzhuppilly</dc:creator>
      <dc:date>2023-10-17T02:15:53Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562271#M113887</link>
      <description>&lt;P&gt;That is our website. It is hosted at a different company and they provide the certificate for that. Our mail server is at mail.muskogeeonline.org and we use a wildcard cert *.muskogeeonline.org for it and our firewall and everything else that is hosted on premise.&lt;/P&gt;
&lt;P&gt;So, when I follow the instructions and export the certificate from our email server to import into the firewall, I get a duplicate certificate error since they both use the same cert. Do I need to use a self-signed certificate on the mail server and export that to the firewall?&lt;/P&gt;</description>
      <pubDate>Wed, 18 Oct 2023 14:06:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562271#M113887</guid>
      <dc:creator>CCummings</dc:creator>
      <dc:date>2023-10-18T14:06:17Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562547#M113945</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/69630"&gt;@CCummings&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You need to use the exact certificate that is currently used on the server.&lt;/P&gt;
&lt;P&gt;Currently, I'm uncertain about the specific issue with the certificate. Running an SSL debug may provide more insights.&lt;/P&gt;
&lt;P&gt;I would suggest opening a TAC case to further troubleshoot the issue. Without additional logs, I'm unable to make specific suggestions.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Oct 2023 09:54:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562547#M113945</guid>
      <dc:creator>akuzhuppilly</dc:creator>
      <dc:date>2023-10-20T09:54:12Z</dc:date>
    </item>
    <item>
      <title>Re: Configuring Incoming SSL Inspection for email</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562582#M113954</link>
      <description>&lt;P&gt;Thanks for your insights. I do have a TAC case opened and they are so far not very helpful. I'm taking the troubleshooting class next week and maybe that will help me pinpoint the problem. It's using the exact same cert on the firewall and the mail server (Godaddy wildcard cert), so not sure.&lt;/P&gt;
&lt;P&gt;Again, thank you for your help with this.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Oct 2023 13:52:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/configuring-incoming-ssl-inspection-for-email/m-p/562582#M113954</guid>
      <dc:creator>CCummings</dc:creator>
      <dc:date>2023-10-20T13:52:24Z</dc:date>
    </item>
  </channel>
</rss>