SMTP Authentication (Sophos as smtp relay to internal Exchange server)

Hi,


We have Sophos as SMTP relay to our internal Exchange server. SMTP authentication is not yet enabled on the Exchange.

So the Sophos will relay the emails to the Exchange.

Right now it is possible to send emails using SMTP port 25 from one of our domain's user accounts to any other of our domain's user accounts without authentication, which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside our networks, as if I were an attacker.)


So the questions are:


1) Right now (when SMTP authentication is not enabled in the Exchange server), is there a way to stop that behavior?


2) Once we enable SMTP authentication in the Exchange server, the Sophos will still be whitelisted, as the Exchange server needs to "rely" on the Sophos. How can we stop that behavior then?


  • Hi The Bee,

    Just create a receive connector for the UTM which receives SMTP without authentication on your Exchange server.

    Configure the other receive connector(s) following your needs with authentication.

    And finally take a look into the concept of receive connectors within Exchange. Example

    I think that should give you the right direction.

    Best

    Alex

  • Hi The Bee,

    You should create a public SPF record for your domain and enable "Perform SPF check" in the Antispam settings of your UTM.

    Regards

    mod

  • In reply to Alexander Busch:

    Hi Alex and mod,

    Thanks for the reply!

    The question is whether the Sophos will be authenticating any client that reaches the SMTP proxy.

    Because I guess if there is a connection between the Sophos and the Exchange server that doesn't require SMTP AUTH (which I expect; if not, no emails could be transferred through port 25...), wouldn't all emails from any client on port 25 also pass without SMTP AUTH?


  • In reply to The Bee:

    I think I'm confused. If the only thing that can relay inbound emails to your mail server is the UTM, then you don't need to worry about auth in Exchange. You don't want to allow users to authenticate to the SMTP Proxy - only allow the mail server to relay off of it. Your Exchange and AD servers should be authenticating users that want to relay mail off the Exchange server. Have I misunderstood your situation?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,


    BAlfson
    You don't want to allow users to authenticate to the SMTP Proxy - only allow the mail server to relay off of it.


    How can I do that? How can I tell the Sophos to deny access to users trying to send emails through port 25 (or better, to authenticate them first) while letting actual email servers reach the Sophos?


    What we have now is internet <-> Sophos <-> Exchange. 


    Regards.

  • The Bee

    Right now it is possible to send emails using SMTP port 25 from one of our domain's user accounts to any other of our domain's user accounts without authentication, which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside our networks, as if I were an attacker.)

    Please read my post about SPF! This is one possible way that you can use!

    https://en.wikipedia.org/wiki/Sender_Policy_Framework


    Regards

    mod

  • In reply to mod2402:

    Most mail servers will accept mail on port 25. How else would I be able to send mail to one of your users?

    Telnetting to a mail server and entering a valid user with data etc. and a mail from will result in the mail server accepting the mail (either from your domain user or a complete stranger).

    Are you getting this mixed up with an open relay?

  • In reply to Louis-M:

    Hi Louis,

    If you set up an SPF TXT record in public DNS for your own domain and set up your UTM to check SPF records, no one can send an email from an external source with a sender address from your own mail domain. SPF defines which sender addresses are allowed to send mails for this mail domain.

    Regards

    mod

  • In reply to mod2402:

    Hi Mod,

    Yes, I'm familiar with SPF, DKIM & DMARC etc. However, I think this thread has some crossed wires here.

    The OP states that he can send mail on port 25 from outside to any of his users. I'd be surprised if he couldn't. Without further detail, my guess is the OP has telnetted to his mail server, entered a valid recipient, the data and a sender, and the mail server has accepted this (as you would expect it to).

    The above is not the same as "relaying" mail for the OP's domain. The mail server is simply accepting mail for a valid recipient by the sound of it.

    Now, if the OP turned around and said that he could send mail VIA his mail server to another user outside of his domain (without authentication or other restrictions), then that is an entirely different matter, as he would have an open relay.

    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

  • In reply to mod2402:

    Hi Mod,


    Thanks for your reply.


    I already read it, but SPF doesn't do it, because it tells from which servers/IPs/etc. an email from a certain domain should be received. But if I'm using that same host... I can do it.

    Also we already have SPF configured for some domains... and I'm still able to use SMTP as a client to send emails.

  • In reply to Louis-M:

    Hi Louis-M,


    Louis-M
    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.


    So it is considered "normal" to be able to do that? Because for me that's a big security issue that might lead to phishing or so... being able to send emails on behalf of another person? An attacker could do that and say "please reply to this other email account" or maybe attach malware/viruses/etc.?


    Also, in my case, I'm not only able to use valid recipients/sender, but also invalid/non-existent recipients and/or senders.

  • In reply to The Bee:

    The Bee

    I already read it, but SPF doesn't do it, because it tells from which servers/IPs/etc. an email from a certain domain should be received. But if I'm using that same host... I can do it.

    Also we already have SPF configured for some domains... and I'm still able to use SMTP as a client to send emails.

    Sorry I don't understand your problem. Do you want to control the sender addresses outside your own trusted mail domains?

    The Bee

    Right now it is possible to send emails using SMTP port 25 from one of our domain's user accounts to any other of our domain's user accounts without authentication, which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside our networks, as if I were an attacker.)

    This is solved with a correctly configured SPF record!

    Do you have "Perform SPF check" under "Advanced anti-spam features" enabled?

  • In reply to Louis-M:

    Hi @all,

    Please remember, OP is an Exchange admin!


    Louis-M

    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.


    If my only email address is test@example.com and example.com is hosted on my Exchange, and I'm in the internal network of my UTM, mail from: test@example.com -> rcpt to: community@sophos.com will work.

    But if I choose to use mail from: mod42@example.com -> rcpt to: community@sophos.com, that will work too, and that could be a big shock for Exchange admins, because they expect that I can only send emails from my only email address test@example.com but not from mod42@example.com.

    I think/guess that's the issue the OP means by SMTP Authentication.


    Otherwise it's like Louis-M and BAlfson said:

    If you want to try to prevent someone from the internet using your email domain example.com as a sender address, please use SPF / DKIM.

    If you need guidance for configuring the SMTP Proxy, please use the link from BAlfson's post.


    Greetings


  • In reply to PeterRenchen:

    There is still a bit of a mix up going on here. Let's forget about the UTM for a minute and deal purely with exchange. From the internet, people can telnet to the exchange server, add a valid recipient, data and a message from.

    Exchange will accept that because if it didn't, how would you receive email for that recipient. We are mixing up receiving email and being able to send email from the exchange server here. Now depending on the way the exchange server is setup, it may try TLS first, a reverse lookup etc but in general, it will accept mail for a valid user. If the user doesn't exist, it will not accept the mail returning "invalid recipient". This will be the receive connector working here.

    On the inside of the Exchange server network, if the user can send mail from a client without authentication, there's a good chance the Exchange has a send connector based on IP authentication and the inside subnet is included. That's worth checking out, as only the specific hosts that require it should be allowed that.

    Now, if you have a user outside who can connect to the exchange server, send email to a recipient outside of the organization without authentication, you have a problem. That is what is known as an open relay and it won't take long for others to find it. You may even find yourself quickly blacklisted if that is the case.

    This post is getting mixed up between receive and send connectors, authentication and relaying regardless of SPF, DKIM & DMARC etc.
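To separate the three cases the thread keeps mixing (accepting inbound mail for a local recipient, rejecting a spoofed local sender from outside via SPF, and refusing to relay to an external recipient), here is an added model of the policy a relay in front of Exchange would apply. It is example code written for this page, not Sophos UTM or Exchange code; the domain, IP addresses and SPF record are constructed, and the trusted relay address stands for the internal Exchange host.

```python
import ipaddress

# Constructed setup: Internet <-> relay (this policy) <-> Exchange at 10.0.0.5.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_RELAYS = {ipaddress.ip_address("10.0.0.5")}  # hypothetical Exchange address
# Constructed SPF record: only the relay's public address may send as example.com.
SPF_RECORDS = {"example.com": "v=spf1 ip4:203.0.113.25 -all"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluation (ip4/ip6 mechanisms and the 'all' default only)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return "pass" if qualifier == "+" else "fail"
        if term.startswith(("ip4:", "ip6:")):
            if client_ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass" if qualifier == "+" else "fail"
    return "neutral"


def decide(client_ip, authenticated, mail_from, rcpt_to):
    """Return (verdict, reason) for one envelope, as the relay would decide it."""
    ip = ipaddress.ip_address(client_ip)
    from_domain = mail_from.rsplit("@", 1)[-1].lower()
    to_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    trusted = ip in TRUSTED_RELAYS
    if to_domain in LOCAL_DOMAINS:
        # Inbound mail for our own recipients is accepted from anyone; that is
        # what port 25 is for. An outside host claiming one of our domains as
        # envelope sender is the OP's telnet test, and SPF is what rejects it.
        if from_domain in LOCAL_DOMAINS and not trusted:
            if spf_check(from_domain, ip) == "fail":
                return ("reject", "550 SPF fail for " + from_domain)
        return ("accept", "250 inbound for local recipient")
    # External recipient: only the trusted mail server or an authenticated
    # client may relay; accepting anything else would make this an open relay.
    if trusted or authenticated:
        return ("accept", "250 relay permitted")
    return ("reject", "550 5.7.1 relay denied")
```

PeterRenchen's internal case (a trusted source choosing a different local sender address) passes this policy, since it only checks the connecting host; restricting which sender addresses an internal user may use is a separate control on the Exchange side.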