This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

End point anti-virus email alerts - SMTP Authentication

Hey guys,

I'm being told from my hosting provider that there is no way to get our Sophos virus killer to use SMTP authentication to send virus alerts.  They are insisting that we install an SMTP server into our web-server group, which I am not happy to do.

While I wouldn't want to question my hosting provider, and I appreciate there are ways around this with firewalls etc, I am stunned that Sophos would promote spam in such a way as to demand an SMTP server which is not completely locked down with SMTP auth be avaliable.

Is there any way to enable this feature?  Or do I have to bite the bullet and make an SMTP server without auth avaliable?

Many Thanks,

CH.

:22699


This thread was automatically locked due to age.
  • HI,

    Not sure about the client (not seen anything to say you can/can't) but SEC can be configured to use secure SMTP:

    http://www.sophos.com/support/knowledgebase/article/113780.html

    not tried it but you could give it a go if useful.

    Regards,

    Jak

    :22707
  • Hello CH,

    as Jak has said, SEC now supports authentication (still with a hack, but soon to be configurable) for alerts sent by the management server, one set of credentials, no bells and whistles. 

    The lack of SMTP authentication does not promote SPAM. It can help with relaying - but when used for this purpose  it is: "authenticated may send everywhere, unauthenticated only IN". Normally you can "lock down" only inside SMTPs - and if you are worried about potential SPAM from the inside ... well, AUTH is not the most powerful means to tackle this. It might seem simple to add this feature - adding authentication means adding support for "secure" protocols as well though. 

    In short: 
    Sounds like your provider has some knowledge
    AUTH might come but not anytime soon
    An IUO SMTP (perhaps with a restricted set of recipients) will not promote SPAM

    Christain
    :22717
  • Hey guys,

    Thanks for the pointer Jak,  I'll see if I can play around with that hack and if it works with the client, but from QC's response I have a feeling the answer is going to be a no - it's good to know they are going in the right direction though.

    QC: "The lack of SMTP authentication does not promote SPAM. It can help with relaying "

    Ok, maybe promote was a bit strong, but that is entirely a matter of opinion.

    I personally see that an HTTP client without HTTPS support aids HTTP hijacking, FTP without FTPS (or sFTP) support aids....well....FTP and all of its associated issues and an SMTP client without the full suite of security that SMTP offers aids spammers.  By not supporting SMTP fully Sophos are forcing people to not fully lock down their SMTP host and for us, being PCI compliant, that means we can't use Sophos email alerts in our card data environment as this isn't a good enough business requirement to deploy an open email server, which means down the line when we deploy more servers this puts an end to our use of Sophos.

    To quickly address the one point of my provider: Yes, my provider has a lot of knowlage - I wasn't being sarcastic when I said I didn't want to question them as I see them as the best out there - I was hoping there was some hackduggery (as Jak kindly pointed me to) I could point them to that they may not have known about.  On that note though, it's worth pointing out they don't support Sophos in their high end package - but unfortunatly we are a startup so we can't go there right away.

    :22719
  • Hi,

    Just for fun I tested this:

    1. Download DeleGate: http://www.delegate.org .
    2. Run: 
      win32-dg.exe -Plocalhost:25 SERVER=smtp://smtp.gmail.com:587 STLS=fsv ADMIN=a@b.com MYAUTH=[gmailaddress]:[pass]:smtp
    3. Configure the SAV policy to point to 127.0.0.1 for email alerting.

    Seems to work, not really suggesting it but it's nice to fiddle :)

    Regards,

    Jak

    :22721
  • Hello CH,

    the question I did not ask before is, why is email alerting important?
    Apart from this I must be missing something here. But maybe I have an incorrect concept of your network and setup in mind. An S (or s, be it a prefix, suffix or attached with some special character) does not necessarily mean more security. V.v. supporting unsecured protocols is not necessarily an increased risk.
    Auditors - OTOH - are ;-). We've laxed one rule because the auditors (from a reputable, big, global company) could not be convinced that they (and/or their software) got the relational operator wrong for one of the security parameters they were checking. After three years we gave up and set it so the sw no longer complained.

    Still I don't get it how the different requirements are weighed in and how the pros, cons and risks are assessed. How strict is the security on the clients, for example?

    Christian
    :22723
  • Hi Jak,

    That's not a bad idea at all.....I mean on one hand you could argue that it isn't THAT different from SSH in principal......If it becomes unmanageable in the future without direct notifications before we get to the point we can transfer into the top grade hosting I'll give it a try - thanks man, you've been a great help.

    QC:

    We don't have access to the management console as it's hosted virus scaning, we have a less-than-convinient web panel we have to use so e-mail gives me instant notification that something is a-miss, and....because I wants it :D

    PCI is pretty explicit about the layout of our network - although I don't have the spec on me on a Sunday (all 70 pages of spec and 50 pages of SAQ are happily making my life a misery on my desk at work - my partner would make my life misery if I brought it home) - but here is the jist of it:

    Our network must be split into internal and DMZ - the internal network is where the card data is held, and cannot for any reason talk to the public internet or have its IP addresses exposed to the outside (IE no direct access to the web, if required it must be through NAT or Proxy).

    Any communication between the DMZ and internal network must be authenticated.

    All services must be secure (and they give a few examples to suggest their definition of secure is encrypted - I do agree that this definition is a bit weak and encrypted != secure)

    Any unsecure services must have business justification.

    I'd also agree with the comment about auditors - fortunatly we are a startup so until we run over a million transactions through our system we can self-asses and I can make my own judgement calls over what the PCI consultant told me.  Unfortunatly though that means my signature is on the self-assessment so my ass is on the line if we get broken into.

    :22725
  • I suppose another option on the client is to use the event log as a trigger for your own alerts (Eventtriggers.exe ?), maybe some agent on the client that performs the "client" as far as SMTP goes that can react to the event log.  With the new event logs you can attach tasks quite easily so could be worth looking into. On event id, call script to call a mail exe, I'm sure there are plenty of lite-weight mail clients.

    Cheers,

    Jak

    :22727
  • Ah! Jak my friend you are a genius.

    How did I miss that it would end up in the event log?  We have an IDS and log collector which will end up on a big health monitor here in the office.  I can just add a search for any event from the AV and pop up a big red warning (with sirens and alarm bells or something.)

    Thank you :)

    :22749
  • Hello CH,

    it's hosted virus scaning

    well, in this case they should provide alerting too - but that's just MHO :smileyhappy:. If you can use a "wrapper" like DeleGate, fine. 

    Any communication between the DMZ and internal network must be authenticated

    That's what I thought (and therefore my question about topology), won't argue here :smileywink:. 

    Sophos isn't dogmatic but it's the same for them - business justification . Submitting a feature request through Support does not guarantee you will get it (whether soor or ever) but it's better than just sit and wait. 

    Christian

    :22751
  • Auditors

    Incidentally this Techknow podcast bears some relation ...

    Christian

    :22757