Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 16 subscribers
  • Views 3989 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central Email Reverse DNS Check

Andreas Kossmann1

Hi ,

ich have configured Sophos Central Email. I tested a little bit and i think it works really well.

But:

I could send me a mail from an Domain without spf and dkim or dmarc from an not authorized ip.

Is it right that Sophos does not check RDNS entries???

Thanks,

Andreas



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Andreas Kossmann1

    Yes we do RDNS look ups for reputation but that doesn't mean SPF, DKIM, DMARC hence my question about Email Authentication

  • 0 in reply to Tom Foucha

    I hope i understand everything right.

    I will give you an example. 

    I have a domain with no SPF record , DKIM or DMARC. 

    I tried to spoof the domain. I took a Server with a public IP with no RDNS record. This server is not allowed to sent from this domain. Not in MX. I sent a mail from this server to my domain behind Sophos Central EMail.

    The email passed and was not blocked. I think when there is nothing to check from SPF or DKIM or DMARC Sophos cannot block it this way. But i think the mail should be blocked from things like MX records and RDNS if there is no SPF ? 

    I think the hardware appliances work a little bit different. I have only worked with Sophos XG appliances many years before now.

  • 0 in reply to Andreas Kossmann1

    What says the server is not allowed to send from that IP address? Generally SPF records indicate who/which IP are authorized to send on behalf of a domain and if they fail that check then Sophos Central can be configured to do something with those messages. SMTP is a very old and weak technology when it comes to spoofing email, which is why Email Authentication like DMARC, SPF, DKIM were developed and continue to be refined to handle those spoof attempts. Just because a server doesn't have an MX doesn't mean it can't send email, it won't receive email because other parties won't know where to deliver because the MX is just a pointer like a house address. Now if there is no SPF record for the domain then admins have to decide how to handle those messages, in the Help Documentation we put in flow charts that explain the process.

    https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/Authentication/SenderChecks/EmailSenderCheckSequence/index.html

Unfiltered HTML