Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Discussions Sophos Central Email Reverse DNS Check

Sophos Email requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 6 replies
Answers 1 answer
Subscribers 16 subscribers
Views 3991 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central Email Reverse DNS Check

Andreas Kossmann1 11 months ago

Hi ,

ich have configured Sophos Central Email. I tested a little bit and i think it works really well.

But:

I could send me a mail from an Domain without spf and dkim or dmarc from an not authorized ip.

Is it right that Sophos does not check RDNS entries???

Thanks,

Andreas

This thread was automatically locked due to age.

Top Replies

Tom Foucha 11 months ago in reply to Andreas Kossmann1 +1 suggested

What says the server is not allowed to send from that IP address? Generally SPF records indicate who/which IP are authorized to send on behalf of a domain and if they fail that check then Sophos Central…

Parents

0 Tom Foucha 11 months ago

What is your receiving policy for DMARC, SPF, DKIM failures?
Cancel
Vote Up 0 Vote Down

Cancel
0 Andreas Kossmann1 11 months ago in reply to Tom Foucha

On the Sophos hardware appliances and the Email protection, things like RDNS etc. are checked
Cancel
Vote Up 0 Vote Down

Cancel
0 Tom Foucha 11 months ago in reply to Andreas Kossmann1

Yes we do RDNS look ups for reputation but that doesn't mean SPF, DKIM, DMARC hence my question about Email Authentication
Cancel
Vote Up 0 Vote Down

Cancel
0 Andreas Kossmann1 11 months ago in reply to Tom Foucha

I hope i understand everything right.

I will give you an example.

I have a domain with no SPF record , DKIM or DMARC.

I tried to spoof the domain. I took a Server with a public IP with no RDNS record. This server is not allowed to sent from this domain. Not in MX. I sent a mail from this server to my domain behind Sophos Central EMail.

The email passed and was not blocked. I think when there is nothing to check from SPF or DKIM or DMARC Sophos cannot block it this way. But i think the mail should be blocked from things like MX records and RDNS if there is no SPF ?

I think the hardware appliances work a little bit different. I have only worked with Sophos XG appliances many years before now.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Andreas Kossmann1 11 months ago in reply to Tom Foucha

I hope i understand everything right.

I will give you an example.

I have a domain with no SPF record , DKIM or DMARC.

I tried to spoof the domain. I took a Server with a public IP with no RDNS record. This server is not allowed to sent from this domain. Not in MX. I sent a mail from this server to my domain behind Sophos Central EMail.

The email passed and was not blocked. I think when there is nothing to check from SPF or DKIM or DMARC Sophos cannot block it this way. But i think the mail should be blocked from things like MX records and RDNS if there is no SPF ?

I think the hardware appliances work a little bit different. I have only worked with Sophos XG appliances many years before now.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Tom Foucha 11 months ago in reply to Andreas Kossmann1

What says the server is not allowed to send from that IP address? Generally SPF records indicate who/which IP are authorized to send on behalf of a domain and if they fail that check then Sophos Central can be configured to do something with those messages. SMTP is a very old and weak technology when it comes to spoofing email, which is why Email Authentication like DMARC, SPF, DKIM were developed and continue to be refined to handle those spoof attempts. Just because a server doesn't have an MX doesn't mean it can't send email, it won't receive email because other parties won't know where to deliver because the MX is just a pointer like a house address. Now if there is no SPF record for the domain then admins have to decide how to handle those messages, in the Help Documentation we put in flow charts that explain the process.

https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/Authentication/SenderChecks/EmailSenderCheckSequence/index.html
Cancel
Vote Up +1 Vote Down

Cancel