
Does Sophos XG Support AUTH SMTP relay in MTA mode?

We were on a UTM and authenticated relay worked fine. 

Migrated to an XG and email flows, but neither I nor Sophos support seems to be able to get SMTP Authenticated relay to work. 

Environment:

Sophos XG in MTA mode. - Works fine in all respects, other than Authenticated SMTP relay. It does successfully relay from whitelisted internal IPs (MFP, etc)

Exchange 2016 on-prem server - Patched to CU22, including KB5007409  - All aspects working fine. 

Active Directory users imported successfully or local users. (I have both and either would be fine)

Spent time with a tier 1 support person (3.5 hours) working through it and was told that "SMTP relaying via AUTH was broken in fw 17, but supposed to be fixed in 18, but it's still broken."

Fantastic. Before I throw a wobbly, is this accurate?

Did Sophos break AUTH relay and leave it broken across multiple versions?

Does anyone have Authenticated (username and password) SMTP relaying working with an on-prem Exchange Server and the XG in MTA mode?

Thanks!



  • SFOS does not support SMTP Auth. It was never implemented and I am still arguing this to be a "problem" in the implementation to this day. 

    From my point of view, there should be a central instance (email server) storing all emails and sending them from there. Using SMTP Auth against a gateway product (SMTP MTA) could potentially open plenty of issues. 


  • Reality seems to match what you're saying generally. It does seem to be implemented, at least at the GUI level, since there's a pretty little check box and a place to add allowed users for authentication, but no one can seem to figure out how to actually implement it. 

  • SMTP auth in the GUI is based on the IP Authentication, which is implemented in SFOS (so the firewall knows who you are, and then allows you as an IP). This does not mean there is the SMTP Auth RFC feature. 

    So if you authenticate the client via Clientless Authentication, you can use this mechanism. This is likely more an implementation for internal clients (printers etc.), not for external clients (services etc.). 

    If you want to allow an external service (or internal), use Host based Relay. Basically you do the same via SMTP Auth: you allow a service to use your MTA to send emails. If this goes wrong, it will place you on blacklists etc. The same challenge exists with SMTP auth. 


  • Sweet Jesus. Why do companies keep rolling out this crap?  *rage*

  • What is the use case of SMTP auth? What do you plan to integrate and how do you mitigate SMTP threats? 


  • In this case, it's Syncro. We use it as an RMM. It was emailing fine through the UTM, but after switching to XG, it fails. 

    With the Sophos in MTA mode, my understanding is that it handles the transactions, then relays back to my Exch. 

    That pretty much puts it in front of the Exch server. 

    We also lock down relaying in XG and Exchange. 

    This is the Syncro interface I'm using, which is very limited. 

    The current error is "AUTH command used when not advertised" when attempting Auth SMTP relay. 

    I don't want to switch to transparent mode, since that makes the firewall useless in terms of Email protection. 
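The error quoted in the post above, "AUTH command used when not advertised", is the server's response when a client sends AUTH without the server having listed AUTH in its EHLO reply. The script below is an added example, not code from the thread or from Sophos: it parses EHLO replies (constructed sample replies, one without AUTH and one with it) and reports which relay path the gateway actually offers, so an admin can confirm what the MTA advertises before blaming the client. The `probe_server` helper and the host names are assumptions for illustration; it performs a live EHLO against a server you name and re-checks after STARTTLS, since many MTAs only advertise AUTH on the encrypted session.

```python
"""Check whether an SMTP gateway advertises AUTH before a client tries
authenticated relay (added example; the EHLO replies below are constructed)."""
import re
import smtplib
from dataclasses import dataclass, field


@dataclass
class EhloCapabilities:
    """Extensions announced in a multi-line 250 reply to EHLO (RFC 5321 4.1.1.1)."""
    starttls: bool = False
    auth_mechanisms: list = field(default_factory=list)
    extensions: dict = field(default_factory=dict)


def parse_ehlo_reply(reply: str) -> EhloCapabilities:
    """Parse the text of an EHLO reply into the extensions the server offers."""
    caps = EhloCapabilities()
    lines = reply.strip().splitlines()
    # The first line is the server greeting (250-hostname ...); skip it.
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "").strip()
        caps.extensions[keyword] = params
        if keyword == "STARTTLS":
            caps.starttls = True
        elif keyword == "AUTH":
            # Mechanisms follow the keyword, e.g. "AUTH LOGIN PLAIN".
            caps.auth_mechanisms = params.split()
    return caps


def can_authenticate(caps: EhloCapabilities, mechanism: str = "LOGIN") -> bool:
    """True only if the requested SASL mechanism was advertised."""
    return mechanism.upper() in [m.upper() for m in caps.auth_mechanisms]


def relay_path(caps: EhloCapabilities) -> str:
    """Which relay path the gateway supports for a submitting client.

    'smtp-auth'      -> AUTH is advertised, username/password relay can work.
    'ip-host-relay'  -> no AUTH offered; an AUTH command would get
                        'AUTH command used when not advertised', so the
                        client must be allowed by source IP / host instead.
    """
    return "smtp-auth" if caps.auth_mechanisms else "ip-host-relay"


def probe_server(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Live check (hypothetical helper): EHLO, STARTTLS if offered, EHLO again,
    and return the AUTH parameter string the server finally advertises."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()  # capabilities can change after the TLS upgrade
        return s.esmtp_features.get("auth", "")


# Constructed sample replies: a gateway that does not offer AUTH at all,
# and a mail server that does.
SAMPLE_NO_AUTH = """250-mta.example.test Hello client.example.test
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250 HELP"""

SAMPLE_WITH_AUTH = """250-mail.example.test Hello client.example.test
250-SIZE 52428800
250-AUTH LOGIN PLAIN
250 HELP"""


if __name__ == "__main__":
    for name, sample in (("gateway", SAMPLE_NO_AUTH), ("mailserver", SAMPLE_WITH_AUTH)):
        caps = parse_ehlo_reply(sample)
        print(name, "STARTTLS" if caps.starttls else "no STARTTLS",
              "AUTH:", caps.auth_mechanisms or "none", "->", relay_path(caps))
```

Run it against the two samples first; to test a real gateway, call `probe_server("your.mta.host")` and compare its result with `relay_path` on the parsed reply. If AUTH never appears even after STARTTLS, the client-side AUTH error is expected and the only remaining option is the host/IP-based relay rule discussed in this thread.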

  • Where is this solution based? Is it a cloud application or on-premise? Or to rephrase it: do you have an IP/FQDN which this vendor is using for sending an email? 

    If so - You could relay it directly to the Exchange. The Exchange will accept the email and then forward it to the needed places. 


  • They are a web-based SAAS provider. IP Relay is the sole solution I can see as well.

    Still waiting on Syncro to clarify their sending IP/IP range. 

    It's just dumb that this isn't supported. FFS, UTM managed it fine, but Sophos "upgraded" and broke something quite useful. 

    Combine that with the horrific on-hold 18-sec loop and I'm starting to hate this company more every day.

  • On the other side, take a look at Central, Reporting, XDR and the capabilities for IT Security; it will increase your actual goal: having a secure environment.

    BTW: IP Relay means essentially that your SaaS provider talks to the Exchange, and on the Exchange you can configure an SMTP gateway for this service.

    BTW2: Most customers move to O365, and as O365 simply supports this as a Mail gateway, this seems to be the better approach. So if you actually move to Exchange online in the future, you can disable this entire Email feature on SFOS/UTM anyway. 


  • We use CYNET for endpoint sec. I used Sophos AV in the past and wasn't impressed, at all. CYNET is a stellar product, albeit more expensive. 

    I'm well aware of what IP relay is for SMTP. 

    We're not likely migrating to O365 anytime soon. On-Prem exch has worked fine until this Sophos XG garbage.