Is UTM mail proxy still relevant?

My question is based around the fact that most mail systems use either 465 or 587 for outgoing mail. The proxy only listens on port 25.

The POP proxy is no better: it listens on 110, whereas most systems use 143 or 993.

So to those in the know are there any plans to upgrade the proxy so that it will work with other mail protocols?

Ian

  • Some UTM functions are to protect the desktop clients on your network from hostile servers on the internet, while others are intended to protect the servers on your network from hostile devices on the internet.

    It appears that you are thinking of the SMTP proxy as a device to protect the connection between Outlook on your PC and your mail server. The POP3 proxy plays that role; you can think of it as a second line of defense in case your mail server is successfully attacked. However, the SMTP proxy is intended to protect a mail server from incoming messages sent by a hostile server on the internet.

    You are right that your mail program uses ports 25, 465, or 587 to send messages to the mail server. That traffic is trusted because you have to log in to send messages (or you need a special exemption based on your IP).

    Mail servers also transmit to other servers using port 25 as the target. The remote server does not authenticate and is not trusted, but it is allowed to send messages to the accounts on the mail server. The UTM SMTP proxy intercepts that traffic to reduce the risk that a hostile message will be accepted.

    If your mail does not flow into your UTM before flowing into your mail server, then the SMTP proxy is not intended for your situation.

    Hope this helps. 

  • Hi Douglas,

    yes and no. If you take the XG, it can scan imap/s, pop/s, smtp/s as part of a business rule but not 587. The MTA, well, I haven't succeeded in getting it to work yet. So my query is about bringing the UTM mail scanning up to XG standard. Yes, the UTM has features in mail handling that the XG does not.

    Not all businesses that use the UTM have an onsite mail server, and in a lot of cases they rely on their ISP to provide mail server functions. Now, for security purposes, most businesses will have moved away from ports 25 and 110. Also, POP mail does not allow the user to maintain a copy on the server if something goes wrong at the user end, whereas IMAP does.

    So, the way the UTM is provided at the moment is not good for small business or home use for mail security. Small business is why mac security is really needed....

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

  • Restating what you said, it is like Web Proxy because:

    • Transparent Mode will always silently enable Standard Mode.
      You can have Standard mode without Transparent mode, but you cannot have Transparent Mode without enabling Standard Mode as well.
    • Therefore, Firewall Rules apply:
      • When SMTP Proxy is disabled.
      • When Transparent SMTP Proxy is not enabled and the destination address is not UTM.
      • When Transparent SMTP Proxy is enabled but the destination address is in the Transparent Host skip list.

    If the rest of my analysis is correct, the User Authentication behavior is very different between Standard Mode and Transparent Mode, even if they are enabled with the same checkbox.

    I wonder why this was never important to document.

  • In my opinion, Transparent mode should be used only for testing and debugging. Otherwise it opens you up to having an infected PC get you on every blacklist in the world. I don't believe the SMTP Proxy ever sends over anything but 25 unless a smart host is used, and then the port can be any.

    I examined our UTM's Bandwidth Usage for the last year and found no connections using 587 except my experiments with telnet. I found four spammers with a total of seven attempts trying to relay port 465 sends off the Proxy, but those attempts were rejected with "Relay not permitted".

    The conclusion is that modern MTAs all try port 25 first and that they never find an MTA that won't accept that.  Also, they only listen on 465 to maintain compatibility with any ancient MTAs - but there aren't any anymore because all were replaced with systems that can do STARTTLS on port 25.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Interesting. As my comments implied, I thought 465 and 587 were only used for authenticated SMTP.

    And I thought the original question was about using UTM to filter traffic between a mail client and a mail server, where authentication would be necessary.

  • User authentication should be to the mail server.  The Proxy should only allow relay from the mail server.  The mail server should only relay off the Proxy and not send "around" the Proxy. TLS should be required with all domains (*.*).  I had to make a TLS exception for cantv.net several years ago - that's probably not necessary anymore.

    Cheers - Bob

  • BAlfson said:
    "The Proxy should only allow relay from the mail server."

    How can Transparent mode compromise this statement, Bob, about any infected PC being able to put you on a blacklist?
    I have two UTMs (home/work) in administration. Both in Transparent mode. I can play with firewall rules all day, but I have Transparent checked and I have never landed on a spam list in about 5 years.
    We discussed this a long time ago. And I remember we agreed that the precedence was like this: Country Blocking > SMTP Transparent > DNAT/Firewall Rules

  • I have to agree with Bob.

    If your mail server is inside your network, it should relay out (Standard Mode) through UTM or a similar device, and only that device should be allowed to send port 25 traffic to the Internet. If you do not have a mail server on the inside, your clients should connect to the remote server on one of the alternate ports for SMTP submission.

    Because of the above rules, if your UTM is the perimeter device, as it is for most installations, then it should not allow transparent SMTP mode at all.

    There is plenty of malware that turns the infected PC into a spam box, sending spam out port 25. If you block that traffic, you only have an infected PC. If you do not block that traffic, you will have an infected PC and a blacklisted IP address for whatever IP is used when the traffic from the infected device is NATted to the Internet. The blacklist may affect much more than your outgoing mail, because Reputation Block Lists (RBLs) are used for more than just mail. Perhaps the upside is that the blacklist will help you know that you have a problem...
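
The egress policy described in this post (only the mail relay may open outbound port 25; anything else doing so is a likely spambot) can be checked against firewall logs. The following is an added example, not code from the thread or from Sophos; it parses constructed key="value" style packet-filter lines (not real UTM log format) and assumes a placeholder relay address and a distinct-destination threshold.

```python
import re
from collections import defaultdict

MAIL_RELAY = "10.0.0.25"      # assumed: the only internal host allowed to send on port 25
DISTINCT_DST_THRESHOLD = 3    # assumed: a legitimate client rarely opens port 25 to many MTAs

# Constructed sample log lines in a key="value" style (not actual UTM output)
SAMPLE_LOG = """\
2024-05-01T08:01:02 action="drop" srcip="10.0.0.51" dstip="203.0.113.10" dstport="25" proto="6"
2024-05-01T08:01:03 action="accept" srcip="10.0.0.25" dstip="203.0.113.10" dstport="25" proto="6"
2024-05-01T08:01:04 action="accept" srcip="10.0.0.51" dstip="198.51.100.7" dstport="587" proto="6"
2024-05-01T08:01:05 action="drop" srcip="10.0.0.51" dstip="203.0.113.11" dstport="25" proto="6"
2024-05-01T08:01:06 action="drop" srcip="10.0.0.51" dstip="203.0.113.12" dstport="25" proto="6"
2024-05-01T08:01:07 action="drop" srcip="10.0.0.51" dstip="203.0.113.13" dstport="25" proto="6"
2024-05-01T08:01:08 action="drop" srcip="10.0.0.77" dstip="203.0.113.10" dstport="25" proto="6"
2024-05-01T08:01:09 action="accept" srcip="10.0.0.25" dstip="203.0.113.14" dstport="25" proto="6"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))


def find_suspect_senders(log_text, relay=MAIL_RELAY, threshold=DISTINCT_DST_THRESHOLD):
    """Group outbound TCP/25 attempts by internal source, ignoring the mail relay.

    Returns {srcip: {"attempts": n, "destinations": m, "suspect": bool}};
    a host is suspect once it has contacted at least `threshold` distinct MTAs.
    """
    attempts = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("dstport") != "25" or f.get("proto") != "6":
            continue                      # submission ports (465/587) are a different story
        src = f.get("srcip")
        if not src or src == relay:
            continue                      # the relay is the one host allowed to speak MTA-to-MTA
        attempts[src] += 1
        dests[src].add(f.get("dstip"))
    return {src: {"attempts": attempts[src],
                  "destinations": len(dests[src]),
                  "suspect": len(dests[src]) >= threshold}
            for src in attempts}
```

Dropped attempts still count: a blocked spambot is good news for your reputation but is still an infected PC that needs cleaning.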


  • Hi folks,

    thank you for the in-depth responses. I ran a simple test this morning. I created a packet filter rule which blocked 587; no mail was allowed out. I disabled the rule and mail works again.

    Conclusion: the UTM mail proxy does not proxy port 587.

    Ian


  • I'm pretty certain that it's Country Blocking > DNAT > SMTP Transparent > Firewall Rules, Olsi. Yes, there's no gain from Transparent, but there is the exposure to an infected PC becoming a spambot.

    Cheers - Bob

  • You are the same. I can't change you.

  • [;)]
