SMTP auth; who, how, why and when?

Hello,

Using Exchange 2010

2x receive connectors:

  • internal network
  • gateway, anonymous permissions only

All users use Outlook, some users work from home, most users have email on their phones. Occasionally I use OWA from the outside world.

UTM SGxxx, configured for SMTP proxy, no ISP smart host.

There is one website with a user enquiry form.

I have no test environment, so I am loath to poke around too much.

Questions:

Does Exchange need the UTM nominated as a smart host, and why?

Does the UTM need to accept SMTP auth from the internet for the Outlook services described above?

  • If no, how do I turn it off (this question arises from around 7 regular "Too many failed logins from xxx for facility smtp, blocked for 24hrs" messages) but still allow the website enquiry form to pass?

Cheers

  • Hi Simon and welcome to the UTM Community!

    Rather than respond directly to your questions now, please work through Basic Exchange setup with SMTP Proxy and then come back here for help.

    For the WAF configuration, start with Sophos UTM Web Application Firewall with Exchange 2013 and Web Application Firewall for Exchange 2016. The 2016 version is better written, so I would try that one before the 2013 version.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Authentication is not needed for users. Its purpose is: a user configured in the UTM can relay (send) emails directly, skipping Exchange. But that is not allowed by most company policies.

    You can put the UTM as "send connector" in Exchange (smart host) and the UTM will handle the email.

  • The UTM is currently the smart host for Exchange, super!

    The UTM is mostly configured as per Bob's setup post.

    My preference is to make the UTM do most of the work and leave exchange relatively normal.

    However, I do not understand why an external party/server would even be permitted to begin an SMTP authentication; this seems wasteful and inelegant.

    • Is this normal because the authentication will always fail? (And how do I have confidence this is true?)
      • Is this handshake processing overhead better placed into another function of the UTM?
    • Should the dubious IP address be entered somewhere to drop it at the firewall (or send it to a blackhole)?

    To prevent authentication attempts (presuming this is best practice to mitigate the SMTP password guessing attacks), should "allow upstream/relay hosts only" be checked but have no listed entries, or does the check box imply a blanket function for the UTM?

    Cheers

  • Please show a picture of the section of the 'Relaying' tab that includes 'Authenticated Relay' and 'Host-based Relay'.

    Cheers - Bob

  • What is the purpose of allowing "qcds-office" to relay off the Proxy? That's the source of your error messages.

    Cheers - Bob

  • Authentication is not a handshake with other external hosts like Hotmail or Gmail, but like I said, it only allows users to send emails directly from the UTM (no need to log on to Exchange). In this case you should disable authentication.

    In Relaying Tab:

    1) Disable "Allow authenticated relaying".

    2) In "Allowed Hosts/Networks" there should be only the Exchange IP.

    In Exchange configure a "send connector" with the UTM internal IP x.x.x.x (not host name or DNS name).

    In this way you eliminate DNS problems or other failures in Exchange. The email will be handled by the UTM, where you can see more detailed logs in case of failure. You can leave the Exchange server without a gateway or DNS configured, and the email will still go out.
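After making the two Relaying-tab changes above, an administrator can confirm from outside that the gateway no longer advertises SMTP AUTH and refuses to relay to external recipients. This is an added example, not from the thread or from Sophos; the EHLO lines, host names and addresses are constructed placeholders, and `probe_gateway` should be pointed at your own gateway's public IP.

```python
"""Check an SMTP gateway's posture after disabling authenticated relaying.

Added example (not from the thread). Assumes the gateway answers EHLO with
extension lines like the constructed samples below and replies to RCPT TO
with standard SMTP codes.
"""
import smtplib

# Constructed EHLO extension lines: before and after the change.
EHLO_BEFORE = ["SIZE 52428800", "STARTTLS", "AUTH PLAIN LOGIN", "8BITMIME"]
EHLO_AFTER = ["SIZE 52428800", "STARTTLS", "8BITMIME"]


def auth_advertised(ehlo_extension_lines):
    """True if any EHLO extension line announces SMTP AUTH (RFC 4954)."""
    return any(line.split()[0].upper() == "AUTH"
               for line in ehlo_extension_lines if line.strip())


def classify_relay_reply(code):
    """Interpret the reply code to RCPT TO an address outside local domains."""
    if 200 <= code < 300:
        return "OPEN RELAY: external recipient accepted"
    if 500 <= code < 600:
        return "relay refused (expected)"
    return "inconclusive (temporary failure or greylisting)"


def probe_gateway(host, port=25, timeout=10.0,
                  sender="postmaster@example.com",
                  external_rcpt="relay-test@example.net"):
    """Connect from outside your network and report AUTH and relay behaviour.

    Point this at your own gateway's public IP (placeholder arguments here).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # AUTH is often only advertised after STARTTLS, so check both states.
        auth = smtp.has_extn("auth")
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
            auth = auth or smtp.has_extn("auth")
        smtp.mail(sender)
        code, _ = smtp.rcpt(external_rcpt)
        smtp.rset()  # abort the transaction; nothing is ever sent
    return {"auth_advertised": auth, "relay": classify_relay_reply(code)}


if __name__ == "__main__":
    print("before:", auth_advertised(EHLO_BEFORE),
          "after:", auth_advertised(EHLO_AFTER))
```

A gateway that still advertises AUTH after the change, or that returns a 2xx to the external RCPT TO, has not picked up the new relaying settings.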

  • qcds-office is the AD profile for the MFC to permit sending emails and saving to folders. In my view it only needs to send emails to internal users. This was configured by the installer of the SG115. I am loath to poke too hard at this during the business week.

    Exchange has only one send connector pointing to the UTM/gateway, configured thus:

    Does the network need 2x send connectors (one to specify the smart host and one pointing at the UTM/gateway)?

    However, yes I will make these changes this weekend and hopefully then resolve the MFC email/saving configuration.

  • No, the connector is good.

    If qcds-office is a scanner or something else, it has to go through Exchange, not the UTM. Only the Exchange server must be there.

  • We have a disagreement with Bob about using Standard mode or Transparent mode. But consider my recommendation below if the Exchange server is the only one that will send emails to the outside world, and if, as you said, you want the best from the UTM and to make it a real smarthost.

    1) Check Transparent Mode.

    2) In the Relaying tab, put only the Exchange IP.

    3) Delete or disable any firewall rule about SMTP.

    4) Delete any DNAT rules about SMTP.

    Don't confuse SMTP rules with OWA access (HTTPS 443 vs SMTP 25).

    You can still leave the rules active, but they are useless while "Transparent Mode" is enabled, and they will confuse you, not the UTM.

    To regulate traffic for one specific host IP (like a scanner or printer) with firewall rules, you have to exclude it from Transparent Mode.

    There you have the option to blacklist a specific host; no need to make a firewall rule to drop SMTP traffic for that specific host.

    That's it :)