This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Authentication (Sophos as smtp relay to internal Exchange server)

Hi,

 

we have Sophos as SMTP relay to our internal Exchange server. SMTP authentication is not yet enabled on the Exchange.

So the Sophos will relay the emails to the Exchange.

Right now is possible to send emails using SMTP port (25) from one or our domain's user accounts to any another of our domain's user accounts without authentication. Which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside of our networks... like if I were an attacker).

 

So the questions are:

 

1) Right now (when SMTP authentication is not enabled in the Exchange server),  is there a way to stop that behavior?

 

2) Once we enable SMTP authentication in the Exchange server, the sophos will still be whitelisted as the Exchange server needs to "rely" on the Sophos. How can we stop that behavior then?

 

 



This thread was automatically locked due to age.
  • Hi Mod,

     

    thanks for you reply.

     

    I already read it, but SPF doesn't do it because it will tell from which servers/ips/etc an email from certain domain should be received. But if I'm using that same host... I can do it.

    Also we already have SPF configured for some domains... and I'm still able to use SMTP as a client to send emails.

  • Hi Louis-M,

     

    Louis-M said:
    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

     

     

    so it is considered "normal" to being able to do that? because for me that's a big security issue that might lead to phishing or so... being able to send emails on behalf of another person? attacked could do that and tell "please reply to this other email account" or maybe attach malware/virus/etc?

     

    Also, in my case, I'm not only able to use valid recipients/sender, but also invalid/non-existent recipients and/or senders.

  • The Bee said:

    I already read it, but SPF doesn't do it because it will tell from which servers/ips/etc an email from certain domain should be received. But if I'm using that same host... I can do it.

    Also we already have SPF configured for some domains... and I'm still able to use SMTP as a client to send emails.

    Sorry I don't understand your problem. Do you want to control the sender addresses outside your own trusted mail domains?

    The Bee said:

    Right now is possible to send emails using SMTP port (25) from one or our domain's user accounts to any another of our domain's user accounts without authentication. Which is, of course to me, a very big security vulnerability. (I tested it with telnet from outside of our networks... like if I were an attacker).

    This is solved with a correct configured SPF record!

    Do you have "Perform SPF check" under "Advanced anti-spam features" enabled?

  • Hi @all,

    please remember, OP is an Exchange admin!

     

    Louis-M said:

    But it's no big shock to be able to telnet to a mail server and send an email to a valid recipient.

     

    If my only emailaddress is test@example.com and example.com is hosted on my exchange, and I'm in the Internal network of my utm,  mail from: test@example.com  -> rcpt-to:  community@sophos.com will work.

    But if I choose to use mail from: mod42@example.com -> rcpt-to:  community@sophos.com , that will wirk too and that could be for Exchange Admins a big shock, because they expect that I can only send emails from my only emailaddress test@example.com but not form mod42@example.com.

    I think/guess thats the issue what the OP mean with SMTP Authentication.

     

    Otherwise it's like Louis-M and BAlfson said:

    If you want to try to prevent that someone from the internet uses your emiladomain example.com as a senderaddress, please use SPF / DIKM.

    If you need guideance for configuring SMTP Proxy , please use the link from BAlfson's post.

     

    Greetings

     

  • There is still a bit of a mix up going on here. Let's forget about the UTM for a minute and deal purely with exchange. From the internet, people can telnet to the exchange server, add a valid recipient, data and a message from.

    Exchange will accept that because if it didn't, how would you receive email for that recipient. We are mixing up receiving email and being able to send email from the exchange server here. Now depending on the way the exchange server is setup, it may try TLS first, a reverse lookup etc but in general, it will accept mail for a valid user. If the user doesn't exist, it will not accept the mail returning "invalid recipient". This will be the receive connector working here.

    On the inside of the exchange server network, if the user can send mail from a client without authentication, there's a good change the exchange has a send connector based on IP authentication and the inside subnet is included. That's worth checking out as only certain hosts required should be allowed that.

    Now, if you have a user outside who can connect to the exchange server, send email to a recipient outside of the organization without authentication, you have a problem. That is what is known as an open relay and it won't take long for others to find it. You may even find yourself quickly blacklisted if that is the case.

    This post is getting mixed up between receive and send connectors, authentication and relaying regardless of SPF, DKIM & DMARC etc.

  • Hi Louis-M,

     

    in fact the situation is different. My issue is that I'm able to send emails from internet as a sender of my domain (without authentication) to any recipient email address (valid or not) to any of my domains.

     

    Let's say that my domains are example.com, anotherexample.com athirdexample.com that resolves to the UTM's Public IP address (UTM acting as SMTP relay to our internal Exchange server):

     

    an "attacker" (me, in this case), can telnet to the SMTP server of example.com:25 and send emails as sender: me@example.com,  to any email address on example.com and/or anotherexample.com and/or athirdexample.com,

     

    And I can do that using a valid/existing and/or invalid/non-existing SENDER and/or RECEIVER for any of those domains.

     

    (That's why SPF won't do it here, because SPF well tell other servers who is authoritative to send emails on behalf of "example.com", but being that, in fact, "example.com" is the one used to send emails from... SPF, AFAIU,  is not relevant in this case.

    That's also why external SMTP servers are not involved in this issue, because they will try to reach my SMTP servers with emails with a sender other than any of my domains. )

     

    I guess I haven't explained this properly before, maybe is a bit more clear now?

     

    thanks!

  • I feel your pain. What you are referring to is spoofed sender address, and there's really not much you can do about it with UTM. SPF helps, as message from a sender using you domain originating from and IP that is not explicitly allowed to send messages on behalf of your domain should get quarantined. Of course, this depends on how you configure your protection for it to work. DKIM also helps, as a spoofed message would not be signed and therefore the spam score would rise. You could try to blacklist *@ example.com, *@anotherexample.com and *@athirdexample.com (domains as per you example) but this would be only half useful, since as already proven by BAlfson an attacker could still spoof sender addresses since blacklisting would only match MAIL FROM information and not anything past DATA. DMARC could also be a solution but is also not implemented on Sophos UTM.

    IMHO, your best bet right now is SPF and DKIM.

    EDIT: Reading a little more, and it appears even SPF won't cut it as well, as it will also only be checked before DATA. We do need Sophos UTM to add the functionality to scan messages even after DATA in order to stop spoofed messages. You could vote for BAlfson's idea and hope for the best, but I don't see any major changes being integrated into UTM as of now, with SFOS receiving the most attention and all.

    Regards,

    Giovani

  • Ok, anybody should be able to send mail (either from a client or telnet) to your internal authorised receive domains.

    What shouldn't happen is they can send to a non existent user. If that is happening, you must have a "catch all" configured otherwise the mail server would bounce the mail for an invalid recipient. Likewise, they shouldn't be able to send to a non existent receive domain on your server either.

    But as I've stated, if you have user1@example.com, I would expect you mail server to accept a mail TO user1@example.com FROM joe@bloggs.com via telnet.

  • Louis, as far as I understand, Bee's worry is that anyone can connect to the UTM and post a message to user1@example.com (an internal user) using user1@example.com as the FROM address. If this message passes basic antispam checks it will reach users mailboxes as a message sent from himself, or worse, as a message sent from the CFO, for example, which is actually a sender spoofing. Sophos UTM only checks the recipient for its existence and has no mechanism to prevent outside clients to spoof the sender address, not entirely. This is actually something that happens a lot, unfortunately. Other antispam products, including Sophos Email Appliance, are able to check the message in P2 (after DATA) so you can block external messages that comes with senders from protected domains. Unfortunately UTM is only able to check this information against P1 (before DATA), so a message can be accepted with a bogus MAIL FROM, pass initial protection and blocking, and have its FROM modified later on in P2, thus deceiving the recipient. This is quite inconvenient and it's largely used for phishing attacks. Am I in the right track here, Bee?

    Regards,

    Giovani

  • Hi Giovani,

     

    you are right.

     

    That's why SPF won't do it here, because the attacker will be using the authoritative SMTP server for the domain example.com, which is my UTM, to send emails using telnet:

    telnet example.com 25

    From: existing_user@example.com 

    To: bigboss@example.com

    or 

    To: bigboss@anotherexample.com

     

    and that applies to any existing and non-existing accounts. As well as inter-domains' accounts. 

     

    Please remember that: an attacker can currently send emails using my SMTP server on port 25, with a FROM email address of any account on my domains and with a TO email address of any account on my domains. And that applies to non-existing email addresses.

    This has nothing to do with any domain to which my UTM is non-authoritative for.

     

    That's why I was hoping to have any kind of SMTP Authentication for sending emails FROM any account of any of my domains. In that way if an attacker wants to send emails using my UTM:25, FROM an account on any of my domains TO another account on any of my domains, a user/pass (or whatever other form of authentication/authorization) should be required.

     

     Regards.