
Quarantine Digest: Admin Console Port

When you configure the quarantine digest to reference the external IP address of the XG unit, the digest email references the "Admin Console Port". This is absolutely absurd. It effectively means that I need to open up access to the Admin portal to the entire world without restriction - this is a MASSIVE security risk.

The easiest solution is to change the XG to use the User Portal port for the "release" link under the action heading.

I can't comprehend how any developer in the world would ever require a user to access an administrator console port to perform an action.



  • Hi  

    Would it be possible to further clarify this by sharing a picture of your quarantine digest settings? (through PM if you prefer).

    Users clicking on the link in the quarantine email should be directed to their "MyAccount" via the User Portal (via the user port).

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • I think you've misunderstood the problem.

    The "My Account" link is correct, it links to the user portal.

    The "Release" link which is to the right of the quarantined email, however, links to the admin portal.

  • Would it be possible to please raise a case for this and PM me with your case ID so I can follow up accordingly?

    Thanks,


    Florentino
    Director, Global Community & Digital Support

  • Hi Stuart,

    You are not exposing the webmin to the Internet as that is only accessible and listening on (default) port 4444. What you are seeing there is that the file that contains the logic for the release email is just stored in the webconsole directory.

    It's not ideal but it's far from the end of the world as Sophos has hardened the GUI for webmin and user portal.

    Emile

  • Hi Emile

    Unfortunately that is not the case. Behind the small black bar that I have in the screenshot below is 111.111.111.111:4444 (I blacked this out for security reasons in my post).

    If I enable HTTPS on WAN in Device Access, releasing quarantine email works fine.

    If I disable HTTPS on WAN in Device Access, releasing quarantine email fails and says page cannot be displayed.
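
A check an administrator could run against a saved digest to see which links target the admin console port, as described in the post above. This is an added example, not part of the original thread and not Sophos code; the 4444 default comes from the thread, while the sample HTML, the URL paths and the user portal port 443 are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ADMIN_PORT = 4444  # default admin console port mentioned in the thread


class _LinkCollector(HTMLParser):
    """Collects (href, link text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def admin_port_links(digest_html, admin_port=ADMIN_PORT):
    """Return (label, url) for each link whose port is the admin console port."""
    collector = _LinkCollector()
    collector.feed(digest_html)
    collector.close()
    flagged = []
    for href, label in collector.links:
        parts = urlsplit(href)
        # Fall back to the scheme default when the URL carries no explicit port.
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
        if port == admin_port:
            flagged.append((label, href))
    return flagged


# Constructed digest fragment: paths are placeholders, port 443 is an assumed user portal port.
SAMPLE = """
<a href="https://111.111.111.111:443/placeholder-user-portal">My Account</a>
<table><tr><td>Invoice.pdf</td>
<td><a href="https://111.111.111.111:4444/placeholder-release?id=1">Release</a></td></tr></table>
"""
```

Any link this returns will only work for remote users while the admin console is reachable from WAN, which is the exposure the thread is about.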

     

  • Hi Stuart,

    The release option would require web console access. Instead of allowing access from WAN by enabling the check on HTTPS, you may find the ACL rule useful, as you can define access for HTTPS connections from a specific public address. This will override the device access option and allow the defined public address or private address to access the web console.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • My goodness. A lot of "engineers" here that don't live in the real world. Clients need to be able to release mail from quarantine from anywhere in the world. They could be at a hotel, in an airport lounge, overseas, on their mobile phone - anywhere. It is not practical to specify that users can only release an email from specific IP address locations.

    The release option should NOT require web console access, it should use the user console port. I should not have to have the web admin console to a firewall publicly accessible. I am astounded that people are actually defending this as acceptable. If insisting that a web admin console is open to the entire world is Sophos' approach to security, then I need to stop selling Sophos and find another vendor.

  • Hello Stuart,

    You are absolutely right that some organisations allow the release of mail from the quarantine regardless of their location.

    I also agree that Aditya's suggestion is not satisfactory as it requires a massive helpdesk overhead and constant attention whenever a user is moving around the planet.

    I do also agree that the release option should not require web console access and had not noticed before it is reliant on the web console to be open for it to function. This is something I will try and query to engineers I can contact.

    For now, I would recommend that a VPN be used so that quarantine release can only occur when you are connected to the organisation's network. I can imagine this isn't fully satisfactory; however, the vast majority of organisations do have a form of VPN for secure access back to Head Office for a multitude of reasons, and quarantine release will just be another.

    I can imagine this may already be being looked at for the v18 release this year but if I find out, I will try and feed back here.

    No one has defended it here and jumping to conclusions will not help ourselves in the forum or Sophos assist with the matter further.

    Emile

  • Have there been any further updates on this?

    I can't believe that Sophos have so stupidly allowed this to happen.

    FIX IT SOPHOS.

    We all have to create a massive security risk on our networks because of your bad design or we risk upsetting users and increasing help desk calls for - can you release this email please.