Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=email-enforced-TLS

Using TLS connections

You can use Transport Layer Security (TLS) connections for email.

If you have issues with TLS connections, check that TLS is enabled, with the correct version and correct ciphers. If you still have problems, contact Sophos Email Support.

For help with email encryption see Secure message methods.

Note

Make sure TLS 1.3 is enabled on your email gateway before enforcing it on any domains. Otherwise the connection with Sophos breaks and you cannot send or receive email. The ciphers required are 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'.

TLS failures

If Sophos Email can't make a TLS connection, email isn't sent. Email is queued for redelivery for 7 days. After this it is deleted.

Logging of TLS connection errors

Each time Sophos Email can't send email due to TLS failures it makes an entry in the history log.

After the final failure, an entry saying that the email was deleted because of TLS policy is added to the log. The entries have this format: "Processing: Check TLS".

Sophos TLS certificate details

These are the details of the certificate we use with TLS connections.

Parameter Value
Common Name *.api-upe.p.hmr.sophos.com
SANs DNS:*.api-upe.p.hmr.sophos.com, DNS:*.prod.hydra.sophos.com, DNS:api-upe.p.hmr.sophos.com
Organization SOPHOS LIMITED
Location C=GB, ST=Oxfordshire, L=Abingdon,
Serial Number 42:05:5f:21:c1:9b:e9:f0:e8:8a:bb:0c
Signature Algorithm sha256WithRSAEncryption
Issuer C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018

TLS 1.0 and 1.1 end of support

As of January 01, 2024, Transport Layer Security (TLS) 1.0 and 1.1 protocols are no longer supported for inbound and outbound email delivery. See TLS versions 1.0 and 1.1 will be disallowed.

Both TLSv1.0 and TLSv1.1 are vulnerable to security attacks and consequently the use of these versions has been removed from many servers.

Who is impacted

All customers currently using TLS versions 1.0 and 1.1 on their mail servers may experience TLS delivery failure errors if these versions aren't turned off.

What to do

To mitigate risks, you can do the following:

  • Make sure that your mail server isn't restricted to TLSv1.0 or TLSv1.1 only.
  • Make sure that TLSv1.0 or TLSv1.1 are turned off on your mail server.

  • Use recommended TLS versions, such as TLSv1.2 or TLSv1.3, supported by Sophos Email.

    For more information on the recommended TLS versions, see TLS authentication.

Failure to configure your mail server will disrupt email communication.