
UTM 9 sends mails about blocked mail to the recipient

Greetings,

Is there any option in UTM 9 to notify the recipient about blocked mails and send a link for release?
This feature is basic in many firewalls, but it seems it doesn't exist in Sophos.


Thanks for the Support


  • UTM does behave like other spam filters in this respect, but you misunderstand what is normal:

    • Blocked messages are not retained. In some cases a message is blocked early in the communication process, so UTM cannot retain what it has not received.
    • To make messages available for your users to evaluate and release, you need to cause the message to be quarantined rather than blocked.

    However, I have a serious objection to most quarantine systems that I have examined, including UTM: the user is not given enough information to make an intelligent decision about whether the message should be trusted and released or not. He will have trouble even understanding why the message was quarantined. Asking an untrained user to make an important decision on bad information is unfair to the user and unsafe for the organization.

    If you are going to implement quarantine, I recommend that all users be first trained how to read the internal email headers, so that they can:

    • Understand how to read and interpret the routing path to identify the country of origin.
    • Understand how to interpret SPF and DKIM status.
    • Understand how to identify forwarded messages.
    • Understand the difference between the To/From information in the message and the To/From information in the SMTP Envelope which is used to route the message.
    • Understand different ways that attachments can be used as attack vectors, and how to see whether a quarantined message has attachments.

    There are probably other topics that should be included, but this is close to a complete list. These topics are beyond the interest or skill of most non-IT people, and not even widely understood among IT professionals. As a result, I am very negative on quarantine. We use it very little, and I would like to use it less than we do.
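As an added example (not from the thread, and not Sophos code), the following Python script pulls the header facts listed above out of a raw message using only the standard library: the Received chain in origin-to-destination order, SPF/DKIM results, the SMTP envelope sender versus the visible From, a forwarded-message indicator, and attachment names. The sample message, its hosts and its addresses are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample for illustration: every host, address and IP here is made up.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
  by utm.example.org with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
  by mx.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Accounts" <accounts@bank.example.com>
Subject: Fwd: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

ZmFrZQ==
--b1--
"""


def summarize(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its own Received header, so reversing gives origin -> us.
    hops = []
    for rcv in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", " ".join(rcv.split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    env_from = parseaddr(msg.get("Return-Path", ""))[1]  # SMTP envelope MAIL FROM
    hdr_from = parseaddr(msg.get("From", ""))[1]         # the From the user sees
    domain = lambda addr: addr.rsplit("@", 1)[-1].lower()
    return {
        "hops": hops,
        "spf": auth.get("spf", "none"),
        "dkim": auth.get("dkim", "none"),
        "envelope_from": env_from,
        "header_from": hdr_from,
        "sender_mismatch": domain(env_from) != domain(hdr_from),
        "forwarded": bool(re.match(r"(?i)fwd?:", msg.get("Subject", ""))) or "Resent-From" in msg,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }
```

Run `summarize(SAMPLE)` on the constructed message to see the failing SPF, the mismatched envelope and header domains, and the zip attachment that a release decision should weigh.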

  • Thank you DouglasFoster for your extended answer.

    We are using 17 Sophos UTM VMs, one of the worst firewalls and support we have ever bumped into.

    Hope we shift asap to better products in the market.

    thanks again.

  • I hear your frustration with the learning curve, but I have to strongly differ with your conclusion.

    UTM has a non-traditional architecture, which you need to learn. I have not been happy with the documentation, which is a significant failing when compared to a vendor like Cisco, which writes prolifically. However, a few others and I have posted lots of information to fill in what we think the documentation lacks. Start reading in the WiKi, and proceed to each sub-forum to read the topics that are pinned to the top. All of the information that you will need is available.

    I bought UTM primarily because I needed a web filter, which has proven to be excellent.

    While shopping for that, I learned what a Web Application Firewall was, and why I needed one. UTM provided one at no extra cost. I suspect that there are better WAFs out there, but I have no other experience and this one is better than the nothing that I had before.

    For email filtering, I continue using the one that I had before UTM came along, but I bolted the UTM email filter on the back and it catches some things that the other product does not.

    We use UTM's country blocking feature in bi-directional mode, to keep large parts of the internet out of our hair.

    We use UTM's one-time-password feature to facilitate PCI DSS compliance for remote access.

    The biggest disappointment is that Sophos is moving to XG Firewall, because XG has a traditional firewall architecture, just like the one that you crave. As a result of this strategy change, UTM has suffered from significantly reduced development effort. Notwithstanding that fact, we recently renewed our support contract for three more years and upgraded to dual appliances for high availability.

    We did so for one reason: coupled with our other spam filter and firewall, UTM has kept us free of malware while much larger and more sophisticated organizations have fallen to WannaCry and other ransomware.

    It may be worth mentioning some cost issues:

    • My second-choice alternative to UTM cost about twice as much. Since then, the product has been through an ownership change and has floundered.

    • I would like to switch to a different spam filter product, but the best email products cost more per year, for one feature, than UTM does for all of its features.

    • We are in the minority because we use UTM behind the traditional firewall which was already in place before UTM was purchased. I think using a firewall in front of UTM simplifies several configuration issues associated with its unique architecture. You could buy 17 firewalls for relatively little cost.

    Make sure that you understand what you already have, even if the learning curve is inconvenient. Then if you go shopping, you know how to define what "something better" really entails.