
XGS - Mail Security

Hey Sophos experts,

We are about to switch from our UTM SG to XGS soon. Currently our reseller is not really advertising the Mail Gateway in XGS and is proposing to get another mail solution. The reason: according to them, the XGS has an open mail relay that ignores SPF checks for internal domains - they say that someone could access the XGS from external via SMTP and then send mails from addresses with our domain to the users in our domain, and SPF would ignore this.

Is this true? If so, why would there be no way to block this? According to our partner, in other mail systems we can prevent this via policies, but XGS has no such feature.

Thanks for your insight

Tobias

  • That is essentially not true - but it is the same behavior as UTM had. You have a host-based relay principle, which defines an IP; this IP can do whatever it wants (even spoof emails).

    SFOS, like UTM, will check the SPF record for mail coming from external.

    But like UTM, SFOS does not have a FROM check. So if somebody spoofs the FROM and not the envelope-from, it will not get rejected.

    Central Email has a protection module against this. 

    By the way: https://stackoverflow.com/questions/47572210/why-is-spf-not-validated-against-from-header 

    Tried it right now: Rejected: SPF check failed 


  • "ignoes SPF checks for internal domains" -> completely wrong

    And who cares about the From field? It's the same trash field as the display name; anybody can change it however he wants.
    The important part is the envelope-from, and on UTM, XGS (...) the SPF is working and protecting fine.

    By the way, because SPF is "default" and working nearly perfectly, most SPAMMERS / SCAMMERS don't even try it anymore:
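The two replies above make the same point: SPF is evaluated against the envelope sender (the SMTP MAIL FROM / Return-Path), not the header From that the mail client displays, so a message whose envelope passes SPF can still carry a forged header From. The added example below (not code from this thread, from Sophos, or from SFOS) shows both halves of that statement in a few lines of Python: a minimal SPF evaluator that only understands ip4/ip6 mechanisms and the "all" terminator, plus a DMARC-style alignment check that compares the header From domain with the SPF-authenticated envelope domain. The SPF records, IP addresses, domains (example.com, attacker.example) and the `evaluate` policy are all constructed for illustration and stand in for real DNS lookups.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (hypothetical domains, not real data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: only ip4:/ip6: mechanisms and the 'all' terminator.

    A real evaluator also handles a/mx/include/redirect and DNS lookup limits;
    this subset is enough to show which identity SPF authenticates.
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def envelope_domain(mail_from):
    """Domain part of the SMTP MAIL FROM; this is the identity SPF checks."""
    return mail_from.strip("<>").rsplit("@", 1)[-1].lower()


def header_from_domain(raw_message):
    """Domain part of the RFC 5322 From header, i.e. what the user sees in the client."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def evaluate(client_ip, mail_from, raw_message, our_domains):
    """Gateway decision: plain SPF plus an alignment check on our own domains.

    SPF alone rejects a forged envelope sender. The alignment check additionally
    refuses mail whose header From claims one of our domains unless the envelope
    domain both passed SPF and matches that header domain (strict SPF alignment,
    the same idea DMARC uses).
    """
    env_dom = envelope_domain(mail_from)
    hdr_dom = header_from_domain(raw_message)
    spf = spf_check(env_dom, client_ip)
    aligned = hdr_dom == env_dom
    header_spoof = hdr_dom in our_domains and not (spf == "pass" and aligned)
    return {
        "spf": spf,
        "envelope_domain": env_dom,
        "header_from_domain": hdr_dom,
        "aligned": aligned,
        "reject": spf == "fail" or header_spoof,
        "reason": "spf_fail" if spf == "fail" else ("from_not_aligned" if header_spoof else "accept"),
    }


# Constructed sample message: header From claims our domain.
SAMPLE_MSG = "From: CEO <ceo@example.com>\r\nTo: staff@example.com\r\nSubject: urgent\r\n\r\nPlease pay the attached invoice.\r\n"

if __name__ == "__main__":
    ours = {"example.com"}
    # 1) envelope spoof from a non-listed IP: SPF fails, rejected (the 'Rejected: SPF check failed' case)
    print(evaluate("198.51.100.7", "<ceo@example.com>", SAMPLE_MSG, ours))
    # 2) header-From spoof: envelope passes SPF for attacker.example, only the alignment check catches it
    print(evaluate("198.51.100.7", "<bounce@attacker.example>", SAMPLE_MSG, ours))
    # 3) legitimate mail from our own listed range: accepted
    print(evaluate("203.0.113.5", "<ceo@example.com>", SAMPLE_MSG, ours))
```

Case 2 is exactly the scenario the original question describes: the envelope sender is in a domain the attacker controls and has a valid SPF record, so an SPF-only gateway accepts it even though the displayed From is an internal address. Only a check that ties the header From back to an authenticated identity (the "FROM check" the first reply says SFOS lacks) turns that into a rejection; the same alignment idea is what a DMARC policy on your own domain expresses for receivers elsewhere.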


  • By the way, Central Email can protect against impersonation of the From of emails.

    So to speak: the old "Printer@domain" spoofing attacks with attachments like PDFs are protected against in CEMA.


  • Hello _Tobias_,

    I think regular expressions are an important tool for spam blocking. Unfortunately, support for regular expressions is not implemented in XGS yet. And Sophos successfully hides when it will be implemented.

    I hope I described the situation correctly?

    Regards

    alda

    P.S. Or am I wrong and there will be a big surprise in v20?

  • Central Email supports regex, expression filters and other features like header analysis and filtering.


  • There are still users that will never use Central and are awaiting a full-featured product on premise ;-)

  • Hello Quallensaft,

    I totally agree. It is surprising that Sophos does not realize that it is losing many customers with this product policy. But it's a Sophos choice.

    Regards

    alda