Use SFOS as Mailrelay

Snadro 2 days ago

Hello Everyone

Short description about our current Setup. We have Sophos UTM using as Mail relay solution for all of our internal Applications and Printers. The UTM is connected to M365 which is our Mail server. the UTM is not a Gateway for our normal Mail traffic. It is just used, that our applications are able to send Mails over Port 25 using normal SMTP.

To be sure that not all Applications and Printers are able to send to external recipients, we have configured the UTM, that all are allowed to send internal (Mail will be sent to Exchange Online und then delivered to the Mailbox). Only specified Hosts are able to send Mails to external Domains like *@sophos.com. We now setup an SFOS 20.0.2 Virtual Appliance to test the possibility's to replace our old UTM. We were now able to configure the Relay, to send Mails from specified hosts but we are not able to configure the Firewall, that everyone is able to send Mails to internal Domains and just specified Hosts are able to send to external Recipients. The Only Thing we are able is to allow all (i mean all internal senders), but these then are able to send Mails external.

Has someone an idea, how we are able to configure the SFOS to work in the Same way as the old UTM was doing?

Edited TAGs
[edited by: Erick Jan at 12:28 PM (GMT -7) on 24 Sep 2024]

Parents

0 LuCar Toni 2 days ago

Essentially UTM did it like SFOS does it today. Only the SMTP Auth Component is not the same (SFOS does not support SMTP Auth).

How did you do it in UTM? Can you show us the configuration of UTM? Because essentially, if you did the host based relay approach, everybody can send an email with every Sender address in UTM.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 LuCar Toni 2 days ago

Essentially UTM did it like SFOS does it today. Only the SMTP Auth Component is not the same (SFOS does not support SMTP Auth).

How did you do it in UTM? Can you show us the configuration of UTM? Because essentially, if you did the host based relay approach, everybody can send an email with every Sender address in UTM.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Snadro 1 day ago in reply to LuCar Toni
Hi Toni

Tanks for your reply. I will try to share the current configuration with you (I'm not proficient in UTM).

Email Protection -> SMTP ->

Global

Profile Mode

Listen Inferfaces = all

Routing

Rout by: MX record

Relaying

Host-based Relay = all Host entred which are allowed to send external Domains

Content Svcan for ... = True

Advanced

DKIM/DMARC configured for one Domain

Advanced Settings --> Standard exepct specified Postmaster Address

SMTP Profiles

Several Profiles which include our internal Domains (They should be routed to our M365 Tennant)

As i know, this should be the whole configuration, that is done for the Relaying. Hope this helps you to help me
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 day ago in reply to Snadro

"Host based Relay" did you enter here all the clients, you want to send emails from? Like Printers etc in UTM?

Because that basically means, they can send EVERY Domain in UTM.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Snadro 1 day ago in reply to LuCar Toni

No we only entered the Clients that should be able to send to external domains. Clients that should send only to internal.com, internal.org, etc. are not entered anywere.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 day ago in reply to Snadro

Just to make sure: Are clients in the UTM entered in "Host based Relay" or not?
Because UTM will not filter those clients. They can use the UTM for every kind of Emails. The UTM will not filter those Emails.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Snadro 1 day ago in reply to LuCar Toni

I Double checked it be be compleltly sure. My current Client (example 192.168.100.140) is not entered in the Allowed Hosts/Networks List but I'm able to send Mails to an internal Domain:

I'm also tried to send to my private Mail address and the Sophos directly rejected the Mail

So there has to be a mechanism, which checks if its an internals domain or not. But I can't find any possibility to configure such setting.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 1 day ago in reply to Snadro

I am not sure what you mean: Is your client now in Host based Relay or not?

Can you share us a screenshot of this?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Snadro 14 hours ago in reply to LuCar Toni

My Client isn't in the List. Sharing a screenshot is because of data security a little bit difficult. Its a productive System with productive Systems including.

mymail@internal.com works but mymail@external.com diesn't work.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel