SMTP Proxy, no internal mailserver, want to use the smtp proxy to scan outgoing mail from different users on gmx.net. how to configure that

Hi, Alex - first I've seen you here - welcome to the UTM Community!

** NOTE 2017-08-20: Ignore this post and read the ones by Douglas Foster, apijnappels and me in the following. **

I'm not familiar with the GMX servers, but if they can use a smarthost to send mail, that would be your best bet.  The SMTP Proxy is not meant to be a mail server, so using the smarthost feature in it won't work.

Rather than using the POP3 Proxy, I would have configured their MX record to point to the UTM and used the SMTP Proxy to process incoming emails.  There's very little gained by using the GMX service to reject spam from blacklisted IPs.

Cheers - Bob

Hello Bob,

we had contact before regarding one of your guides you wrote, but only via message.

i am absolutely no expert in the smtp proxy. so far all my customers only used the pop proxy, which is easy to set up, and also had an exchange server in their network and an email domain of their own and using popcon to get the mails from the mailserver in the internet. only the incoming mails were scanned via the pop proxy for viruses and spam.

this customer has no internal mailserver, and so far no mail domain of their own, instead using a generic gmx address for each worker.

they would like to spam their outgoing mail for spam and viruses too. their outlook so far is using pop to get the mail from the internet mailserver (pop.gmx.net) and use that smtp server (mail.gmx.net) to send emails.

they also have an email domain of their own, but they are not using it yet, which would be no problem though, in case that it would make that easier.

i read up on the smtp proxy and most articles are quite old. you gave the advice to not use the routing tab at all, instead using the smart host entry in the proxy. when i do that, only the mail address of the account that i use to authenticate the smart host works. the other addresses bounce in the smtp proxy log. and if i try that several times, the ip gets blacklisted, which is logical of course. they dont have a fixed ip either, but use dyndns .

is it possible at all, to scan the outgoing email in that constellation? if yes, how would i need to set it up? they would gladly use their own mail domain, if it works that way, and really would like to do that anyways, as it is more professional compared to generic gmx addresses. i have access to the dns settings for the email domain as well, so i could set mx records and what not :)

appreciate the help, thx in advance

Alex

You cannot do this, as the service provider has ownership and control over their outbound mail flow, as should be expected. Your client needs to concentrate their efforts on getting their environment cleaned up and controlled so they are not getting infected.   UTM is a great tool for prevention.

When they are ready to move out of gmx into their own server, they may like Smartermail, which is free for one domain with 10 users, and reasonably priced for advanced features and larger organizations.

You cannot do it with the gmx.net mail addresses. gmx.net has an SPF record ending in -all which means they are specifically denying any other ip-address than the ones specified in the SPF record to send mail on behalf of gmx.net.

That means that when you start using Sophos UTM as the SMTP proxy (it can do that and send mail out to the big world all by itself without a smart host), a lot of sent mails will get listed as spam simply because of this spf setting on gmx.net.

The only thing you can do is start using their own domain and start using a mailserver somewhere (Office365 is not that expensive, but there are several others providers too that give mailboxes with just POP/IMAP access with custom domains. Of course having a mailserver internal is also an option, but might be more costly to maintain with just a few mailboxes.

As Doug commented and Arno confirmed about GMX, it's not practical to use the SMTP Proxy for outbound mail since GMX won't let you use their service as a smart host.

I already knew that about GMX, but I answered above as if it were a client's personal domain, so I'll go back and change that.  With an owned domain, the most practical with an external provider is to point the MX record at the UTM, use the SMTP Proxy, have it do anti-spam and AV and then send the mail to the owned domain.  Then, with Outlook, you can use IMAP instead of POP3 - much more desirable.

Cheers - Bob

We had a hosting service with poor spam filtering, so we used your approach and made our spam filter tbe MX to act as a front end to them.   But eventually tbe bad guys figured out how to bypass our filters and go directly to tne hozting service.   Tnen they implemented improved spam filtering ehich refused to accept our spam filtet as a forwarder, because it violated SPF.

Obviously, the better solution us to use a hosting service eith a good spam filter, or use a self-hosted configuration.

I use Bluehost.com for Alfson.org, Doug, and they don't block inbound email relayed from the UTM.  One client that uses an external service was able to get SPF turned off by the hosting company, so relaying through the UTM was successful after they moved to an externally-hosted server.  You're right that most services don't have an 'Allow upstream/relay hosts only' option like the UTM's SMTP Proxy.

Cheers - Bob

Thank you all for the comments. I will look into it, was sick a few days.

Thank you all for the comments. I will look into it, was sick a few days.