
UTM: DKIM & DMARC what are you guys doing??

Hi,

Apparently the UTM cannot do DMARC, although there are feature requests for it.

But due to CEO fraud and PCI compliance, more and more companies (customers) are getting a low score because of this, and cannot understand why this perfect NSG cannot do it.

I am having a hard time explaining, as I come to the part now, where I do not understand it either :-)

So for the time being, how do you guys solve these requirements today?

Using a 3rd-party antispam solution/provider?

Appliance with ASSP? :-)

Would be great to hear / share some good ideas :-)



  • I would always front-end a mail server with either a hosted solution or an on premise security appliance.  It offloads that functionality and gives you a place to quarantine, inspect, or isolate traffic.

  • Hi darrellr,

    darrellr said:

    I would always front-end a mail server with either a hosted solution or an on premise security appliance.  It offloads that functionality and gives you a place to quarantine, inspect, or isolate traffic.

     

     

    Thanks for replying.

    Yes but as you cannot use the UTM for DMARC, what do you use for on-premise spam solution?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Err why can't you use it for DMARC?

    We have SPF, DKIM & DMARC set up for our domains. The records are set up in DNS rather than the UTM, with the exception of DKIM, where you need to provide the private key.

    With regards to setups, we use:

    Exchange transport servers are the only servers able to send and receive mail via the UTM.
    DNS servers are the only servers to use the DNS proxy. Clients use the internal DNS servers.
    Exchange web and Outlook are reverse proxied via the UTM.

  • I do not use anything on-premise.  But when I said on-premise I meant an email security appliance rather than a UTM appliance, sorry that was unclear.  A separate kit.  I am not judging which is best, but it includes Cisco, Barracuda, Fortinet, etc..  There are lots out there.  As stated, I use a hosted solution.  Those might include Microsoft Exchange online with ATP, Google, Proofpoint, etc..

  • Louis-M said:

    Err why can't you use it for DMARC?

    We have SPF, DKIM & DMARC set up for our domains. The records are set up in DNS rather than the UTM, with the exception of DKIM, where you need to provide the private key.

     

    But the user doesn't get the reporting feature of DMARC, which is a much-wanted feature. How did you solve that?

     

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/2554345-enable-dmarc

    Can your UTM handle the rua= switch for reporting misuse of emails?

    https://en.wikipedia.org/wiki/DMARC

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • The RUA is put in at DNS level. We get aggregate and abuse reports sent to our group admin email address. There is no setting up of DMARC on the UTM.

  • Louis-M said:

    The RUA is put in at DNS level. We get aggregate and abuse reports sent to our group admin email address. There is no setting up of DMARC on the UTM.

     

     

    Yes, I know, but I cannot see that the UTM is handling DMARC lookups at all; it cannot tell you in Mail Manager that DMARC is the reason for a reject. I know other filters on the web can make use of the DMARC record you have, but what about the UTM you have on-premises?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

    This post has become hard to understand. Nonetheless, I will attempt to comment; hopefully you will be able to use it to clarify your question.

    If your email service is externally hosted, I don't see that UTM has any role for email security, either inbound, outbound, or monitoring. This is because email does not flow through UTM for these configurations. (I exclude the POP3 proxy from consideration for this topic.)

    Assuming that your email is hosted behind the UTM, these considerations apply:

    1) Applying DKIM signatures to make outbound mail more likely to be trusted by the recipient.

    DKIM signatures can be applied to outbound mail by any device in the outbound sequence. UTM is one option, although it lacks the user interface features to help you generate the key pair. I recommend doing the signature on your mail server if possible. I am aware of a third-party option to add DKIM capability to Microsoft Exchange, and it is relatively inexpensive. For a DKIM signature to be useful, the public key must be published in your Internet DNS.

    DKIM can sign by individual, by email sender domain, or by mail server domain. I have not seen individual signature usage, because it requires maintaining a DNS entry for each individual in your organization. If your mail server domain, your email sender domain and your user-visible "FROM" domain all match, the signature is of more value than if they are different. Multiple signatures are allowed, so you could potentially sign for each of the three entities.

    2) Publishing SPF information

    This is done exclusively in DNS. In big organizations, SPF is often incorrect because the IT department is unaware of third parties that are contracted to send mail using the organization's identity. If you are going to use SPF, ensure that you know how it needs to be set to validate all of the legitimate mail sent using your email domain.

    Additionally, many SPF settings end with ?all, which makes the entire SPF entry meaningless.

    3) Publishing DMARC policy

    This is also done in DNS. The recommended setting is to indicate "all mail will comply with SPF or will have a DKIM signature". The DKIM signature helps to ensure that forwarded mail will be trusted.

    4) Interpreting DMARC, DKIM, and SPF information on incoming mail.

    UTM optionally checks SPF, but its policy is so strict that I have not found it useful. If enabled, any SPF violation is blocked, which will include all forwarded mail and lots of mail from organizations that do not have their SPF policy configured correctly. As far as I know, DMARC policies are not used at all. I assume that the DKIM signature is a factor in the spam detection algorithm, but there is no way to know this for certain.

    5) Processing DMARC reports sent from other mail systems about your mail identity.

    I have not found software to do this, but have not looked very hard. UTM is not a tool for this purpose, and probably should not be. The right tool will be a database application running on a server with lots of storage space and processing power.

    Hope this helps.
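The SPF and DMARC record points (2 and 3 in the post above), as an added example that is not from the thread and not Sophos code: a small linter that reads published TXT records the way a receiver would, flagging the `?all` case the post mentions, a `p=none` policy, and a DMARC record with no `rua=` address (the reporting feature asked about earlier in the thread). The domains and records are constructed and use documentation ranges; no DNS query is made, so you would paste in the output of `dig +short TXT <name>`.

```python
"""Lint published SPF and DMARC TXT records (added example, not Sophos code).

The sample records are constructed and use documentation domains; no DNS
lookup is made, so paste in the output of `dig +short TXT <name>` to use it.
"""
import re

# Constructed sample records: one domain done badly, one done properly.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ?all",
    "_dmarc.example.com": "v=DMARC1; p=none",
    "example.org": "v=spf1 mx ip4:198.51.100.10 -all",
    "_dmarc.example.org": ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.org; "
                           "adkim=s; aspf=s; pct=100"),
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)


def lint_spf(record: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders default to neutral")
    else:
        last = all_terms[-1]
        result = SPF_QUALIFIERS.get(last[0], "pass")   # bare 'all' means '+all'
        if result == "neutral":
            findings.append("'?all' is neutral: forged senders are never failed")
        elif result == "pass":
            findings.append("'+all' authorises every host on the Internet")
        elif result == "softfail":
            findings.append("'~all' only softfails unlisted senders (fine under DMARC, weak alone)")
        if last != terms[-1]:
            findings.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}); receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will never receive aggregate reports")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append("rua= URIs must use the mailto: scheme")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def lint_all(records: dict[str, str]) -> dict[str, list[str]]:
    """Run the right linter for each name: _dmarc.* names get the DMARC checks."""
    return {name: (lint_dmarc if name.startswith("_dmarc.") else lint_spf)(rec)
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_RECORDS).items():
        print(name, "->", findings or "OK")
```

The linter only reads the record text; it does not follow `include:` or `redirect=`, so the 10-lookup count is a lower bound for records that nest other domains.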

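For point 5 of the post above, an added example (not from the thread and not Sophos code) of the small amount of tooling needed to read the aggregate reports that a `rua=` address collects: it unpacks the gzip or zip attachment, parses the RFC 7489 Appendix C XML, and separates forwarded mail (DKIM aligned, SPF not) from spoofing (neither aligned). The report is constructed, with documentation IPs and invented organisation names; `unpack_report`, `summarize` and `totals` are names chosen here, not a library API.

```python
"""Summarise a DMARC aggregate (rua) report: added example, not Sophos code.

Aggregate reports arrive by mail as a gzip or zip attachment containing XML
in the RFC 7489 Appendix C format. The sample below is constructed.
"""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample report: three sending sources for example.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>20240101-example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.99</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def unpack_report(data: bytes) -> str:
    """Return the XML text from raw attachment bytes (gzip, zip or plain XML)."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode()
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def _text(elem, path, default=""):
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def classify(dkim_aligned: bool, spf_aligned: bool) -> str:
    if dkim_aligned and spf_aligned:
        return "authenticated"
    if dkim_aligned:
        return "dkim-only (typical for forwarded mail)"
    if spf_aligned:
        return "spf-only (unsigned or broken DKIM)"
    return "unauthenticated (possible spoof or unlisted sender)"


def summarize(xml_text: str) -> list[dict]:
    """One row per <record>: source IP, volume, alignment results and a verdict."""
    # Reports come from arbitrary third parties; parse with defusedxml in
    # production rather than the stdlib parser used here for portability.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        dkim = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf = _text(rec, "row/policy_evaluated/spf") == "pass"
        rows.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim_aligned": dkim,
            "spf_aligned": spf,
            "dmarc_pass": dkim or spf,   # DMARC passes if either identifier aligns
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "verdict": classify(dkim, spf),
        })
    return rows


def totals(rows: list[dict]) -> dict:
    passed = sum(r["count"] for r in rows if r["dmarc_pass"])
    failed = sum(r["count"] for r in rows if not r["dmarc_pass"])
    return {"pass": passed, "fail": failed}


if __name__ == "__main__":
    rows = summarize(unpack_report(SAMPLE_REPORT.encode()))
    for r in rows:
        print(f"{r['source_ip']:>15} {r['count']:>5} {r['disposition']:>10}  {r['verdict']}")
    print(totals(rows))
```

The rows are what you would load into the database the post recommends; the "dkim-only" verdict is the forwarded-mail case the post mentions under point 3, and it is the reason signing outbound mail matters before moving the policy from p=none to quarantine or reject.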