Configuring Incoming SSL Inspection for email


L1 Bithead

So, we have an on-premises Exchange server that is inside our firewall, so incoming and outgoing external email goes through the firewall. We are having issues with file blocking on emails. We do have SSL inspection set on the traffic from outside to inside for email, but right now it is set to Forward Proxy and we receive no errors; the email is delivered. BUT, file blocking does not work.

 

PA Support is telling me to configure inbound inspection. When I do that, I get decrypt-error and the email is not delivered. We have a wildcard certificate from GoDaddy that we use for everything. That is the certificate that I set when I set inbound inspection and it is the certificate on the email server. But since the firewall is showing decrypt-error, I don't think it is ever getting to the email server.

 

How do I determine what is causing the decrypt-error (and hopefully fix it)?

Thanks in advance,

Chris


L4 Transporter

Hello @CCummings 

 

Based on your description, the current setting is 'forward-proxy', which is to decrypt the outbound traffic.

With that setting, do you see any traffic getting decrypted? I guess you have applied this to the traffic from your mail server to external parties.

For the inbound traffic (to the mail server), you need to make sure all the required certificates (cert-chain) are added to the Firewall.

Taking debug logs from Firewall will be able to give a better understanding of what is causing the failure.

 

Anoopkumar
Network Security Engineer

So, no, it is set to SSL Inbound Inspection (it WAS forward proxy, but I changed that). Now, I get "Private key does not match public key". Nothing on the firewall is telling me that there's anything wrong with my certificate. I've attached a screenshot of my cert page, decrypt profile and decrypt policy options. I've been searching for a solution, but to no avail.

Thanks in advance,

Chris

L4 Transporter

Hello @CCummings 


"Private key does not match public key" indicates a certificate issue. The traffic arriving at the firewall, encrypted with the public key, cannot be decrypted by the firewall using the certificate with the private key.

Please ensure you have uploaded the correct certificates.

Anoopkumar
Network Security Engineer

So, yes. It's the certificate from GoDaddy. I have the bundle certificate loaded as well. So, the CA Cert is there as well as our cert. Please see attached. I included the GoDaddy File names as well as the certificate page from the FW. I'm sorry I'm not as up on certificates and their parts and functions as I would like to be. I thank you for your assistance.

L4 Transporter

Hello @CCummings 

 

When I accessed the URL (shown in the CN screenshot), I noticed that the certificate was issued by ISRG Root X1 (attached).

However, on the firewall, you are using a GoDaddy certificate.

You might want to perform a packet capture on the original URL to confirm which certificate is being used during the SSL handshake.

Anoopkumar
Network Security Engineer
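Two of the replies above reduce to checks that can be run from a workstation before (or while) a TAC case is open: the "Private key does not match public key" reply says the uploaded certificate and key must be a pair, and the packet-capture reply says the certificate held on the firewall must be the one the server actually presents on the wire. The shell script below is an added example for this thread; it is not from the original posts and not a Palo Alto tool. It assumes `openssl` is on PATH, uses hypothetical file names (leaf.pem, leaf.key, bundle.pem, ca.pem) and a hypothetical host (mail.example.org), and the demo CA, leaf and unrelated key it generates are constructed purely for the example.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a server
# certificate before it is imported for SSL Inbound Inspection.
# Assumes: openssl on PATH. File and host names are hypothetical.
set -u

# Does this private key belong to this certificate?  Compares the
# SHA-256 of the DER-encoded public key taken from each side, which
# works for RSA and EC keys alike.  A mismatch here is what the
# firewall reports as "Private key does not match public key".
cert_key_match() {  # cert_key_match CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Does the leaf verify against the CA bundle you intend to upload
# alongside it?  The firewall needs the intermediate chain, not only
# the leaf, for the handshake to complete.
chain_ok() {  # chain_ok LEAF.pem BUNDLE.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, colon-separated hex only, so
# the firewall's copy can be compared with what the server presents.
cert_fp() {  # cert_fp CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Live check (needs network, so only shown as a comment): fetch the
# leaf the mail server presents on SMTP with STARTTLS and fingerprint
# it.  If it differs from cert_fp of the imported certificate, the
# firewall holds the wrong certificate regardless of the key check.
#   openssl s_client -connect mail.example.org:25 -starttls smtp \
#       -servername mail.example.org </dev/null 2>/dev/null \
#     | openssl x509 -noout -fingerprint -sha256

# Constructed demo material: a throwaway CA, a wildcard leaf signed by
# it, and an unrelated key, in a temp directory whose path is printed.
make_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.org" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}

# Walk-through on the demo material.
demo() {
    d=$(make_demo)
    cert_key_match "$d/leaf.pem" "$d/leaf.key"  && echo "leaf.key matches leaf.pem"
    cert_key_match "$d/leaf.pem" "$d/other.key" || echo "other.key does NOT match leaf.pem"
    chain_ok "$d/leaf.pem" "$d/ca.pem"          && echo "leaf.pem chains to ca.pem"
    echo "leaf.pem fingerprint: $(cert_fp "$d/leaf.pem")"
    rm -rf "$d"
}

demo
```

For a real deployment, run `cert_key_match` on the exact PEM files you export from the mail server, `chain_ok` on that leaf against the GoDaddy bundle, and compare `cert_fp` of the leaf with the fingerprint returned by the `s_client` line against the mail host. Inbound Inspection decrypts with the server's own private key rather than re-signing with the firewall's CA as forward proxy does, so all three have to line up: a key that matches, a chain that verifies, and a fingerprint identical to what the server serves.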

That is our website. It is hosted at a different company and they provide the certificate for that. Our mail server is at mail.muskogeeonline.org and we use a wildcard cert *.muskogeeonline.org for it and our firewall and everything else that is hosted on premise.

So, when I follow the instructions and export the certificate from our email server to import into the firewall, I get a duplicate certificate error since they both use the same cert. Do I need to use a self-signed certificate on the mail server and export that to the firewall?

L4 Transporter

Hello @CCummings 

You need to use the exact certificate that is currently used on the server.

Currently, I'm uncertain about the specific issue with the certificate. Running an SSL debug may provide more insights.

I would suggest opening a TAC case to further troubleshoot the issue. Without additional logs, I'm unable to make specific suggestions.

 

 

Anoopkumar
Network Security Engineer

Thanks for your insights. I do have a TAC case opened and they are so far not very helpful. I'm taking the troubleshooting class next week and maybe that will help me pinpoint the problem. It's using the exact same cert on the firewall and the mail server (Godaddy wildcard cert), so not sure.

Again, thank you for your help with this. 
