mxtoolbox "may be an open relay"

Did anyone find a solution? I get the same result on my PCI Compliance test and is there a way to disable the clear text authentication method on the SMTP proxy for unencrypted (non-SSL/TLS) sessions.

G.

mxtoolbox didnt have the reason why is droped, thats why

Dino, what happens if you put *.* in 'Require TLS Negotiation Sender Domains' on the 'Advanced' tab of 'SMTP'?  That should prevent any unencrypted SMTP connections.

UPDATE 2017-04-25: This trick doesn't work.

In any case, if you don't allow relaying except from your internal mail server, you have zero exposure.  Your PCI compliance tester should know that his tool can provide non-negatives that are not positives.  After they're done, ask to see the notes that they have kept for the next scan.  If they hadn't kept any, find a different provider.

Cheers - Bob

I don't recommend requiring TLS for SMTP connections.   You will probably miss traffic that you want.    

In order to determine if this was something safe to implement, you would need:

• A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS
• What certificate integrity rules will be enforced if this feature is enabled
• Whether the correspondents in your mail log had qualifying certificate chains
• After implementation, how you would parse logs to identify sites that need an exception, and
• How that exception would be configured 

UTM comes up lacking on both the documentation and the reporting requirements.

"I don't recommend requiring TLS for SMTP connections.

• "A reporting mechanism to tell you which of your non-blocked incoming mail came by HTTP instead of HTTPS"

Does anyone know how to enable this in exim?

Cheers - Bob

I had to search the forum to infer that "exim" is the UTM mail subsystem.  

If there are known ways to query the mail engine from something other than the UTM user interface, I would love to see a "getting started guide" for doing so.  The UTM user interface is an obstacle to doing any type of global mail analysis.

At present our UTM mail manager sits behind a Barracuda email filter.   I have been presently surprised at UTM's ability to detect spam that Barracuda allows through, and I have not yet had any false positives.

Despite this good experience, I have not been willing to make UTM my only email filter because it does not filter on Reverse DNS of the sending server, and because of the weak management interface.  I would be willing to develop a custom reporting tool if I had enough information to get started.

Hey Bob, your suggestion did not really do anything. The problem I have is that the email protection SMTP server or proxy is using an unencrypted channel for the transmission of data. What I am trying to do is drop the connection on port 25 when telnet is used. I believe the Sophos UTM is blocking with a 550 Relay not permitted but is this the correct approach or am I missing something here?

Doug, you said, "it does not filter on Reverse DNS of the sending server."  What does the barracuda do that the UTM doesn't?

Cheers - Bob