
Use SFOS as Mailrelay

Hello Everyone

Short description of our current setup. We are using Sophos UTM as the mail relay solution for all of our internal applications and printers. The UTM is connected to M365, which is our mail server. The UTM is not a gateway for our normal mail traffic. It is only used so that our applications are able to send mails over port 25 using normal SMTP.

To be sure that not all applications and printers are able to send to external recipients, we have configured the UTM so that all are allowed to send internally (the mail is sent to Exchange Online and then delivered to the mailbox). Only specified hosts are able to send mails to external domains like *@sophos.com. We have now set up an SFOS 20.0.2 Virtual Appliance to test the possibility of replacing our old UTM. We were able to configure the relay to send mails from specified hosts, but we are not able to configure the firewall so that everyone is able to send mails to internal domains and only specified hosts are able to send to external recipients. The only thing we are able to do is to allow all (I mean all internal senders), but these are then also able to send mails externally.

Does anyone have an idea how we can configure the SFOS to work the same way the old UTM did?



[edited by: Erick Jan at 12:28 PM (GMT -7) on 24 Sep 2024]
  • Essentially UTM did it like SFOS does it today. Only the SMTP Auth Component is not the same (SFOS does not support SMTP Auth). 

    How did you do it in UTM? Can you show us the configuration of UTM? Because essentially, if you did the host based relay approach, everybody can send an email with every Sender address in UTM. 

    __________________________________________________________________________________________________________________

  • Hi Toni

    Thanks for your reply. I will try to share the current configuration with you (I'm not proficient in UTM).

    Email Protection -> SMTP ->

    Global

    • Profile Mode
    • Listen Interfaces = all

    Routing

    • Route by: MX record

    Relaying

    • Host-based Relay = all hosts entered which are allowed to send to external domains
    • Content Scan for ... = True

    Advanced

    • DKIM/DMARC configured for one Domain
    • Advanced Settings --> Standard, except specified Postmaster Address

    SMTP Profiles

    • Several profiles which include our internal domains (they should be routed to our M365 tenant)

    As far as I know, this should be the whole configuration that is done for the relaying. Hope this helps you to help me.

  • "Host based Relay" did you enter here all the clients, you want to send emails from? Like Printers etc in UTM? 

    Because that basically means, they can send EVERY Domain in UTM. 

    __________________________________________________________________________________________________________________

  • No, we only entered the clients that should be able to send to external domains. Clients that should send only to internal.com, internal.org, etc. are not entered anywhere.

  • Just to make sure: Are clients in the UTM entered in "Host based Relay" or not? 
    Because UTM will not filter those clients. They can use the UTM for every kind of Emails. The UTM will not filter those Emails. 

    __________________________________________________________________________________________________________________

  • I double checked it to be completely sure. My current client (example 192.168.100.140) is not entered in the Allowed Hosts/Networks list, but I'm able to send mails to an internal domain:

    I also tried to send to my private mail address, and the Sophos directly rejected the mail.

    So there has to be a mechanism which checks whether it's an internal domain or not. But I can't find any possibility to configure such a setting.
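To make the behaviour described in this thread concrete, here is a small Python model of a per-recipient relay decision (an added example, not Sophos code and not a description of how UTM or SFOS implement it). It assumes a constructed set of hosted domains and an allow list of relay networks; the recipient is accepted when its domain is hosted, or when the client is allow-listed, and is otherwise rejected with a relay-denied reply.

```python
import ipaddress
from typing import Iterable

# Constructed sample policy; these values are not from any Sophos configuration.
INTERNAL_DOMAINS = {"internal.com", "internal.org"}  # domains hosted in M365
ALLOWED_RELAY_NETS = [  # hosts/networks permitted to relay to external domains
    ipaddress.ip_network("192.168.100.0/28"),
    ipaddress.ip_network("10.0.5.20/32"),
]


def is_allowed_relay_host(client_ip: str) -> bool:
    """True if the sending client falls inside any allow-listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_RELAY_NETS)


def recipient_domain(address: str) -> str:
    """Return the normalised domain part of an envelope recipient."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed recipient: {address!r}")
    return domain.lower().strip(".")


def rcpt_decision(client_ip: str, rcpt: str) -> tuple[int, str]:
    """SMTP reply (code, text) for one RCPT TO from the given client."""
    try:
        domain = recipient_domain(rcpt)
    except ValueError:
        return 501, "5.1.3 Bad recipient address syntax"
    if domain in INTERNAL_DOMAINS:
        # Inbound to a hosted domain: any internal client may deliver here.
        return 250, "2.1.5 OK (hosted domain)"
    if is_allowed_relay_host(client_ip):
        # Outbound relay is only granted to allow-listed hosts/networks.
        return 250, "2.1.5 OK (relay from allow-listed host)"
    return 554, "5.7.1 Relay access denied"


def evaluate_envelope(client_ip: str, rcpts: Iterable[str]) -> dict[str, int]:
    """Evaluate every recipient of one message; maps recipient -> reply code."""
    return {r: rcpt_decision(client_ip, r)[0] for r in rcpts}
```

A message with mixed recipients gets a per-recipient answer, so an unlisted printer can still reach hosted mailboxes while its external recipients are refused.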
