Sophos recently released an update for UTM 9.5. With this update, the Mail Protection algorithms used to sign e-mails with S/MIME have also been changed:
S/MIME Encryption updates: This release brings changes to the S/MIME feature to fully conform with new GDPR regulatory requirements for encryption. Core to these changes are new algorithms to perform encryption and signatures within S/MIME. Due to the changes in the signature algorithms, older implementations of S/MIME – including previous Sophos UTM releases – can no longer verify signatures produced with the new algorithms. Encryption and decryption of emails is not affected by this change. For details, please read the following KBA at https://community.sophos.com/kb/en-us/131727.
Source: UTM Up2Date Release notes
Since the update, however, there have been increasing reports of problems when UTM Mail Protection signs e-mails with S/MIME. There is already a thread about this here:
I have also been able to reproduce the problem; my UTM signs outgoing mails with a valid S/MIME certificate:
For certain recipients, however, delivery of signed mails fails. In my case, the receiving mail server returned this error:
550 5.7.1 The digital signature of the mail is invalid
As soon as an exception is configured, the mail goes through cleanly:
Even when the mail is accepted by the target mail server, the S/MIME signature cannot be verified there; here Outlook as an example:
There is no fix from Sophos yet. So far, the only remedy is to disable S/MIME signing of outgoing mails on the UTM:
Not a nice solution, but what can you do when the NDRs keep coming back?
Update 23.03.2018:
In the meantime, Sophos has updated the KB entry and there is a workaround. The previous signing algorithms can be reactivated from the shell (as root):
sudo su -
cc set smtp encryption_utility smime
With this setting, signature validation by other mail clients and gateways works again. The new algorithms can be switched back on with the following command:
cc set smtp encryption_utility cms
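Before or after switching the encryption utility, it is worth checking what a receiving gateway actually sees. The following script is an added example, not code from the original post and not from Sophos: it signs a constructed message with both the legacy openssl "smime" (PKCS#7) path and the newer "cms" path, verifies each signature the way a receiving gateway would before it accepts or bounces the mail with a 550 like the one quoted above, reports the digest algorithm recorded in the signature, and confirms that a tampered copy is rejected. It assumes openssl (1.1.1 or newer) on PATH; the signer is a throwaway self-signed certificate for the made-up address smime-test@example.invalid, so nothing on a real UTM is touched. To inspect a real mail from the UTM instead, point verify_with and digest_of at the saved .eml and replace the CAfile with the issuing CA.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sophos: sign a
# constructed message with openssl, verify it like a receiving gateway would,
# and report the digest algorithm recorded in the signature.
# Assumptions: openssl (1.1.1 or newer) is on PATH; the signer is a throwaway
# self-signed certificate generated below for smime-test@example.invalid.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway signer key and self-signed certificate carrying the
# emailProtection EKU, which openssl requires for S/MIME signature checks.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=smime-test@example.invalid" \
    -addext "extendedKeyUsage=emailProtection" \
    -addext "subjectAltName=email:smime-test@example.invalid" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1

# Constructed message body (not a real mail).
printf 'Subject: signing test\r\n\r\nHello, this is a constructed test mail.\r\n' \
    > "$WORK/msg.txt"

# sign_with UTILITY DIGEST OUTFILE
# Produce a multipart/signed message with either the legacy "smime" (PKCS#7)
# or the newer "cms" openssl utility and the given digest algorithm.
sign_with() {
    openssl "$1" -sign -md "$2" -in "$WORK/msg.txt" -out "$3" \
        -signer "$WORK/signer.crt" -inkey "$WORK/signer.key"
}

# verify_with UTILITY FILE
# Succeeds only if the signature verifies and the signer chains to the
# trust anchor (here the self-signed signer certificate itself).
verify_with() {
    openssl "$1" -verify -in "$2" -CAfile "$WORK/signer.crt" \
        -out /dev/null >/dev/null 2>&1
}

# digest_of FILE
# Print the digest algorithm named in the SignedData structure (e.g. sha256);
# this is the first thing to compare when a peer rejects a signature.
digest_of() {
    openssl cms -in "$1" -cmsout -print 2>/dev/null \
        | tr 'A-Z' 'a-z' \
        | sed -n 's/.*algorithm: \(sha[0-9]*\).*/\1/p' | head -n 1
}

# tamper_detected UTILITY FILE
# Change one word in the signed body and confirm verification now fails;
# returns 0 when the modification is detected, 1 if it slipped through.
tamper_detected() {
    sed 's/constructed/tampered/' "$2" > "$WORK/tampered.eml"
    if verify_with "$1" "$WORK/tampered.eml"; then
        return 1
    fi
    return 0
}

sign_with smime sha256 "$WORK/legacy.eml"
sign_with cms   sha256 "$WORK/new.eml"

# Cross-check: each message against both verification paths.
for f in legacy new; do
    for util in smime cms; do
        if verify_with "$util" "$WORK/$f.eml"; then
            echo "$f.eml: verified with openssl $util (digest: $(digest_of "$WORK/$f.eml"))"
        else
            echo "$f.eml: verification FAILED with openssl $util"
        fi
    done
done

if tamper_detected cms "$WORK/new.eml"; then
    echo "tampered copy correctly rejected"
else
    echo "WARNING: tampered copy was accepted"
fi
```

With openssl on both sides, the smime and cms paths verify each other's output, so the script mainly serves as a reference: a mail from the UTM that verifies here but is bounced by a recipient points at what that recipient's verifier supports, which is the situation the release note describes. The digest line gives you the concrete algorithm to quote when raising the issue with the other side.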