
Does Sophos XG Support AUTH SMTP relay in MTA mode?

We were on a UTM and authenticated relay worked fine. 

Migrated to an XG and email flows, but neither I nor Sophos support seems to be able to get SMTP Authenticated relay to work.

Environment:

Sophos XG in MTA mode. - Works fine in all respects, other than Authenticated SMTP relay. It does successfully relay from whitelisted internal IPs (MFP, etc.)

Exchange 2016 on-prem server - Patched to CU22, including KB5007409 - All aspects working fine.

Active Directory users imported successfully or local users. (I have both and either would be fine)

Spent time with a tier 1 support person (3.5 hours) working through it and was told that "SMTP relaying via AUTH was broken in fw 17, but supposed to be fixed in 18, but it's still broken."

Fantastic. Before I throw a wobbly, is this accurate?

Did Sophos break AUTH relay and leave it broken across multiple versions?

Does anyone have Authenticated (username and password) SMTP relaying working with an on-prem Exchange Server and the XG in MTA mode?

Thanks!



This thread was automatically locked due to age.
  • SFOS does not support SMTP Auth. It was never implemented and I am still arguing this to be a "problem" in the implementation to this day.

    From my point of view, there should be a central instance (email server) storing all emails and be sent from there. Using SMTP Auth vs a gateway product (SMTP MTA) could potentially open plenty of issues.

    __________________________________________________________________________________________________________________

  • Reality seems to match what you're saying generally. It does seem to be implemented, at least at the GUI level, since there's a pretty little check box and a place to add allowed users for authentication, but no one can seem to figure out how to actually implement it. 

  • We use CYNET for endpoint sec. I used Sophos AV in the past and wasn't impressed, at all. CYNET is a stellar product, albeit more expensive. 

    I'm well aware of what IP relay is for SMTP. 

    We're not likely migrating to O365 anytime soon. On-Prem exch has worked fine until this Sophos XG garbage. 

  • Did you upgrade your Exchange already? Yesterday another Critical CVE for Exchange: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 

    __________________________________________________________________________________________________________________

  • Yeah. I stay up on patches. We were CU 22 when it was released and this sec patch was installed the day after release. 

    I'll just end this thread here. 

    Sophos UTM supported this function without issue. Sophos decided to pretend to support it in XG, but doesn't really support it and so far, the best solution from Sophos is to convert to O365, bypassing the Firewall MTA. lol

    I appreciate your time nonetheless. 

  • O365 does not bypass the Firewall MTA. It simply does not need it. In O365, you are working with the MTA of Microsoft. 

    BTW: Did you investigate for breaches? This CVE is already known to be used in the wild. There is a script from Microsoft to check for breaches.

    __________________________________________________________________________________________________________________

  • O365 does not bypass the Firewall MTA, because it doesn't use it. Well, yeah. 

    You know what the word "bypass" means, right?

    I'm well aware of Exch vulns and we're patched. 

  • BTW: Office365 can be protected on another level of technology. 

    See: Integrations of Central Email into O365. The next generation of integrations is about APIs. Central integrates with O365 on an API level, not an MTA level.
    Then you are able to utilize things like "Post delivery protection". Which basically means, if we detect an attack after SMTP, we can simply remove the email from the mailbox of the client after delivery. A thing a UTM/SFOS never can do.

    Central Email is a next generation solution for Email anyway.

    __________________________________________________________________________________________________________________

  • Do you make a commission from O365?

    Sweet Jesus. You just don't stop with the O365 garbage. 

  • No, I do not. But I see the advantages of Azure AD and O365.

    Do you get commission to stay on Exchange on Premise? 

    __________________________________________________________________________________________________________________

  • I do not make commissions by staying on Exch, but at the same time, I'm not telling everyone to switch to on-prem, because the firewall they purchased has a half-assed SMTP relay implementation. 

    See the difference?

  • So you actively do not push a security solution, instead you are using a network solution?

    __________________________________________________________________________________________________________________
