My question is based around the fact that most mail systems use either 465 or 587 for outgoing mail? The proxy only listens on port 25.
The pop proxy is no better it listens on 110 where as most systems use 143, 993.
So to those in the know are there any plans to upgrade the proxy so that it will work with other mail protocols?
Ian
Some UTM functions are to protect the desktop clients on your network from hostile servers on the internet, while others are intended to protect the servers on your network from hostile devices on the internet.
It appears that you are thinking of the SMTP proxy as a device to protect the connection between Outlook on your PC from your mail server. The POP3 proxy plays that role, you can think of it as a second line of defense in case your mail server is successfully attacked. However, the SMTP proxy is intended to protect a mail server from incoming messages sent by a hostile server on the internet.
You are right that your mail program uses ports 25, 465, or 587 to send messages to the mail server. That traffic is trusted because you have to log in to send messages (or you need a special exemption based on your IP).
Mail servers also transmit to other servers using port 25 as the target. The remote server does not authenticate and is not trusted, but it is allowed to send messages to the accounts on the mail server. The UTM SMTP proxy intercepts that traffic to reduce the risk that a hostile message will be accepted.
If your mail does not flow into your UTM before flowing into your mail server, then the SMTP proxy is not intended for your situation.
Hope this helps.
Hi Douglas,
yes and no. If you take the XG it can scan imap/s, pop/s, smtp/s as part of a business rule but not 587. The MTA well I haven't succeed in getting it to work yet. So my query is about bringing the UTM mail scanning up to XG standard. Yes, the UTM has features in mail handling that the XG does not.
Not all business that use the uTM have an onsite mail server and in a lot of cases rely on their ISP to provide mail server functions. Now for security purposes most businesses will have moved away from ports 25 and 110. Also POP mail does not allow the user to maintain a copy on the server if something goes wrong at the user end whereas imap does.
So, the way the UTM is provided at the moment is not good for small business or home use for mail security. Small business is why mac security is really needed....
Ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Multiple layers of defense are always a good idea.
Your primary mail defense needs to be a spam filter for mail coming inbound from the internet on port 25 to your mail server. This intercepts mail that arrives on unauthenticated sessions. This is the role that UTM Spam Filter is designed to play.
If you mail server is hosted by a third party, it is the third party's responsibility to provide an effective spam filter. (Office 365 is an exception, they provide instructions for providing your own spam filter.) If your hosting service cannot provide good spam filtering, you should pursue an alternate hosting service. Of course, this becomes painful if you are using the vendor's email domain instead of one that you own.
Filtering traffic between the mail client and the mail server become a second line of defense. There are an abundance of protocols between clients and servers, including at least: IMAP+SMTP, POP+SMTP, MAPI (Outlook to Exchange), ActiveSync (Cell phone to Exchange), EWS (Outlook to Office 365), and Outook to Hotmail (name unknown). Some of these have encrypted and unencrypted variants, as you indicated. In this context, UTM can only filter traffic from the mail server to the client when the connection uses POP3, encrypted or unencrypted. POP3 is an unattractive solution for multiple reasons, and is falling out of use.
Hey Ian!
I'm fairly certain that the UTM's SMTP Proxy also listens on 465 and 587 - what evidence did you see that it does not?
Port 25 connections are just as secure as 587 since both use STARTTLS for encrypted communications. Port 465 with immediate TLS negotiation was the only TLS solution before STARTTLS and I think it's primarily older MTAs that send using SMTPS.
I'm less familiar with POP3.
Cheers - Bob
Hi Bob,
basically there is no evidence because the outgoing mail does not appear in the UTM mail logs.
To test the theory further I will need to create a temporary drop filter on 465 and 587.
Regards
Ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Thank you, I am aware that 465 was an interim port, but seems to be in wide use for local traffic, but 587 is recommend for when you travel.
The XG uses 465 not 587 as part of its mail security. Of to try some more settings.
Ian
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
Just for you
Turning off and on Email Protection
Here the live log:
Hi,
I am running the email proxy in transparent mode and it does not pickup 465 or 587. When using those ports the connections fail.
Ian
Edited: I do see those entries in the smtp log, but I do not see any sent messages. The entries to me look very much like the proxy is listening the external interface with those ports, but not the internal one. I had to disable TLS on 587 before I could send any email with that configuration.
XG115W - v20 GA - Home
XG on VM 8 - v20 GA
If a post solves your question please use the 'Verify Answer' button.
