XGS - Mail Security

Question

Hey Sophos experts, We are about to switch our UTM SG against XGS soon. Currently our reseller is not really advertising the Mail Gateway in XGS and is proposing to get another mail solution. The reason: according to them, the XGS has an open mail relay that ignoes SPF checks for internal domains - they say that someone could access the XGS from external via SMTP, and then send mails from addresses with our domain to the users in our domain, and SPF would ignore this. Is this true? If so, why would there be no way to block this? According to our partner in other mail systems we can prevent this via policies, but XGS has no such feature. Thanks for your insight 
 
 Tobias

LuCar Toni · Answer

That is essentially not true - But it is the same behavior like UTM had. You have a host based relay principle, which defines an IP, this IP can do what ever it wants (even spoof emails). 
 SFOS, like UTM, will check the SPF Record coming from external. 
 But like UTM, SFOS does not have a FROM Check. So if somebody spoof the FROM and not the envelope-from, it will not get rejected. 
 Central Email has a protection module against this. 
 
 By the way: https://stackoverflow.com/questions/47572210/why-is-spf-not-validated-against-from-header 
 Tried it right now: Rejected: SPF check failed

XGS - Mail Security

Top Replies