This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Authentication (Sophos as smtp relay to internal Exchange server)

Hi,

 

we have Sophos as SMTP relay to our internal Exchange server. SMTP authentication is not yet enabled on the Exchange.

So the Sophos will relay the emails to the Exchange.

Right now is possible to send emails using SMTP port (25) from one or our domain's user accounts to any another of our domain's user accounts without authentication. Which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside of our networks... like if I were an attacker).

 

So the questions are:

 

1) Right now (when SMTP authentication is not enabled in the Exchange server),  is there a way to stop that behavior?

 

2) Once we enable SMTP authentication in the Exchange server, the sophos will still be whitelisted as the Exchange server needs to "rely" on the Sophos. How can we stop that behavior then?

 

 



This thread was automatically locked due to age.
Parents
  • Hi The Bee,

    just create a receive connector for the UTM which receives SMTP without authentication on your exchange server.

    Configure the other receive connector(s) following your needs with authentication.

    And finaly take a look into the concept of receive connectors within exchange. Example

    I think that should give you the right direction.

    Best

    Alex

    -

  • Hi Alex and mod,

     

    thanks for the reply!.

     

    The question will be if the Sophos will be Authenticating any client that reaches the SMTP proxy? 

     

    Because I guess it there's is a connection between the Sophos and the Exchange server that doesn't require SMTP AUTH (which I expect, if not no emails could be transferred through port 25...) wouldn't also all emails from any client on port 25 pass without SMTP Auth?

     

     

     

     

Reply
  • Hi Alex and mod,

     

    thanks for the reply!.

     

    The question will be if the Sophos will be Authenticating any client that reaches the SMTP proxy? 

     

    Because I guess it there's is a connection between the Sophos and the Exchange server that doesn't require SMTP AUTH (which I expect, if not no emails could be transferred through port 25...) wouldn't also all emails from any client on port 25 pass without SMTP Auth?

     

     

     

     

Children
  • I think I'm confused.  If the only thing that can relay inbound emails to your mail server is the UTM, then you don't need to worry about auth in Exchange.  You don't want to allow users to authenticate to the SMTP Proxy - only allow the mail server to relay off of it.  Your Exchange and AD servers should be authenticating users that want to relay mail off the Exchange server.  Have I misunderstood your situation?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

     

    BAlfson said:
    You don't want to allow users to authenticate to the SMTP Proxy - only allow the mail server to relay off of it.

     

     

    How can I do that? how can I tell the sophos to deny access to users trying to send emails through port 25 (or better to Authenticate them first) while letting actual email servers to reach the sophos?

     

    What we have now is internet <-> Sophos <-> Exchange. 

     

    Regards.

  •  
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA