
Is UTM mail proxy still relevant?

My question is based around the fact that most mail systems use either 465 or 587 for outgoing mail. The proxy only listens on port 25.

The POP proxy is no better; it listens on 110, whereas most systems use 143 or 993.

So, to those in the know: are there any plans to upgrade the proxy so that it will work with other mail protocols?

Ian



  • Some UTM functions are to protect the desktop clients on your network from hostile servers on the internet, while others are intended to protect the servers on your network from hostile devices on the internet.

    It appears that you are thinking of the SMTP proxy as a device to protect the connection between Outlook on your PC and your mail server. The POP3 proxy plays that role; you can think of it as a second line of defense in case your mail server is successfully attacked. However, the SMTP proxy is intended to protect a mail server from incoming messages sent by a hostile server on the internet.

    You are right that your mail program uses ports 25, 465, or 587 to send messages to the mail server. That traffic is trusted because you have to log in to send messages (or you need a special exemption based on your IP).

    Mail servers also transmit to other servers using port 25 as the target. The remote server does not authenticate and is not trusted, but it is allowed to send messages to the accounts on the mail server. The UTM SMTP proxy intercepts that traffic to reduce the risk that a hostile message will be accepted.

    If your mail does not flow into your UTM before flowing into your mail server, then the SMTP proxy is not intended for your situation.

    Hope this helps. 

  • Hi Douglas,

    Yes and no. If you take the XG, it can scan imap/s, pop/s and smtp/s as part of a business rule, but not 587. The MTA, well, I haven't succeeded in getting it to work yet. So my query is about bringing the UTM mail scanning up to XG standard. Yes, the UTM has features in mail handling that the XG does not.

    Not all businesses that use the UTM have an onsite mail server, and in a lot of cases they rely on their ISP to provide mail server functions. Now, for security purposes, most businesses will have moved away from ports 25 and 110. Also, POP mail does not allow the user to maintain a copy on the server if something goes wrong at the user end, whereas IMAP does.

    So, the way the UTM is provided at the moment is not good for small business or home use for mail security. Small business is why mac security is really needed....

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Multiple layers of defense are always a good idea.   

    Your primary mail defense needs to be a spam filter for mail coming inbound from the internet on port 25 to your mail server. This intercepts mail that arrives on unauthenticated sessions. This is the role that the UTM spam filter is designed to play.

    If your mail server is hosted by a third party, it is the third party's responsibility to provide an effective spam filter. (Office 365 is an exception; they provide instructions for providing your own spam filter.) If your hosting service cannot provide good spam filtering, you should pursue an alternate hosting service. Of course, this becomes painful if you are using the vendor's email domain instead of one that you own.

    Filtering traffic between the mail client and the mail server becomes a second line of defense. There is an abundance of protocols between clients and servers, including at least: IMAP+SMTP, POP+SMTP, MAPI (Outlook to Exchange), ActiveSync (cell phone to Exchange), EWS (Outlook to Office 365), and Outlook to Hotmail (name unknown). Some of these have encrypted and unencrypted variants, as you indicated. In this context, UTM can only filter traffic from the mail server to the client when the connection uses POP3, encrypted or unencrypted. POP3 is an unattractive solution for multiple reasons, and is falling out of use.


  • Hey Ian!

    I'm fairly certain that the  UTM's SMTP Proxy also listens on 465 and 587 - what evidence did you see that it does not?

    Port 25 connections are just as secure as 587 since both use STARTTLS for encrypted communications.  Port 465 with immediate TLS negotiation was the only TLS solution before STARTTLS and I think it's primarily older MTAs that send using SMTPS.

    I'm less familiar with POP3.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Basically, there is no evidence, because the outgoing mail does not appear in the UTM mail logs.

    To test the theory further I will need to create a temporary drop filter on 465 and 587.

     

    Regards

    Ian


  • UTM will intercept port 587.
    The use of 465 for SMTP over SSL is unofficial.

  • Thank you, I am aware that 465 was an interim port, but it seems to be in wide use for local traffic, while 587 is recommended for when you travel.

    The XG uses 465, not 587, as part of its mail security. Off to try some more settings.

    Ian


  • Just for you: I turned Email Protection off and on.
    Here is the live log:

    2018:04:30-09:30:59 utm smtpd[2984]: MASTER[2984]: (Re-)loading configuration from Confd
    2018:04:30-09:31:00 utm smtpd[2984]: MASTER[2984]: Before 23:30:00, QR status one set to 'pending'
    2018:04:30-09:31:00 utm smtpd[2984]: MASTER[2984]: Before 23:45:00, QR status two set to 'pending'
    2018:04:30-09:31:00 utm exim-in[3001]: 2018-04-30 09:31:00 pid 3001: SIGHUP received: re-exec daemon
    2018:04:30-09:31:02 utm exim-in[3001]: 2018-04-30 09:31:02 exim 4.82_1-5b7a7c0-XX daemon started: pid=3001, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
  • Hi,

    I am running the email proxy in transparent mode and it does not pick up 465 or 587. When using those ports, the connections fail.

    Ian

    Edited: I do see those entries in the SMTP log, but I do not see any sent messages. The entries look to me very much like the proxy is listening on the external interface on those ports, but not on the internal one. I had to disable TLS on 587 before I could send any email with that configuration.


  • Something is wrong with your config then.
    Mine is transparent too and responds on 587.

  • Hi,

    I will conduct some different tests tomorrow when my wife is not using the network.

    Ian


  • Ian, I will PM you MediaSoft's UTM address so that you can try telnet on those ports. The items you enter are the telnet command, the EHLO line and QUIT:

    secure:/home # telnet mail.domain.com 587
    Trying 54.x.y.73...
    Connected to mail.domain.com.
    Escape character is '^]'.
    220 mail.domain.com ESMTP ready.
    EHLO otherdomain.com
    250-mail.domain.com Hello secure.otherdomain.com [173.x.y.77]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-STARTTLS
    250 HELP
    QUIT

    Cheers - Bob

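Ian's doubt above is whether the proxy really answers on 587 and 465, and Bob's telnet session is the manual way to find out. The script below is an added example (not from this thread or from Sophos) that performs the same check: it parses the multi-line EHLO reply, reports whether STARTTLS is advertised, and handles the implicit-TLS case on 465. The host and port given to the probe function are hypothetical inputs, and the embedded sample reply is constructed from the telnet session above.

```python
import socket
import ssl

# Constructed sample: the EHLO reply shown in the telnet session above, as the raw
# bytes a client reads from the socket (CRLF line endings, RFC 5321).
SAMPLE_EHLO_REPLY = (
    b"250-mail.domain.com Hello secure.otherdomain.com [173.x.y.77]\r\n"
    b"250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    b"250-STARTTLS\r\n250 HELP\r\n"
)

def parse_ehlo_reply(raw):
    """(code, greeting, {KEYWORD: params}); RFC 5321 continuation lines are 'ccc-text',
    the last line is 'ccc text'; line 1 is the greeting, later lines are extensions."""
    lines = [ln for ln in raw.decode("ascii", "replace").splitlines() if len(ln) >= 4]
    if not lines:
        return None, None, {}
    caps = {}
    for ln in lines[1:]:
        keyword, _, params = ln[4:].partition(" ")
        caps[keyword.upper()] = params
    return lines[-1][:3], lines[0][4:], caps

def starttls_offered(raw):
    """True when a successful (250) EHLO reply advertises STARTTLS (RFC 3207)."""
    code, _, caps = parse_ehlo_reply(raw)
    return code == "250" and "STARTTLS" in caps

def _read_reply(sock):
    """Read one complete SMTP reply: a full last line with a space after its 3-digit code."""
    data = b""
    while not (data.endswith(b"\n") and data.splitlines()[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def probe_smtp_listener(host, port, timeout=5.0):
    """Open host:port as a mail client would and report what the listener offers. 465 is
    implicit TLS (SMTPS); 25 and 587 start in cleartext and may offer STARTTLS."""
    # host/port are hypothetical inputs (not from the thread); this opens a real connection.
    sock = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host) if port == 465 else sock
    with sock:
        banner = _read_reply(sock)
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return {"banner": banner.decode("ascii", "replace").strip(), "starttls": starttls_offered(reply),
            "extensions": sorted(parse_ehlo_reply(reply)[2]), "implicit_tls": port == 465}
```

Running the probe against a UTM from both the inside and the outside shows whether each port is answered on each interface, which is the distinction Ian's edited post raises.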
  • Since UTM documentation is woefully lacking on this topic, can we supply our own?

    This is what I am guessing happens.   Can anyone verify or refute these assumptions?

    Standard Mode SMTP

    • Destination IP Address = any UTM address, Destination Port = 25, without authentication:   Receive and evaluate inbound mail for configured mail domains

    • Destination IP Address = any UTM address, Destination Port = 25, 465, or 587, with authentication to UTM:  Send outbound email for the logged-in user, bypassing his normal mail server.  Probably requires a UTM user object with an associated EMail address.  Not something I would want my users doing.

    • Destination IP Address NOT a UTM address, Destination Port = 25, 465, or 587.   Allowed or blocked based on UTM Firewall rules.  No SMTP evaluation performed.

    Transparent mode SMTP

    • Destination IP Address = any UTM address, Destination Port = 25, with or without authentication:   Packet ignored because port is closed.

    • Destination IP Address NOT a UTM address, Destination Port = 25, with authentication:  Transparently intercept outbound message traffic from mail client to mail server.   UTM relays the credentials after intercepting them, so UTM performs no authentication itself.   For encrypted SMTP traffic, UTM must be configured with a certificate that allows it to masquerade as the mail server.    Only works if the traffic from client to server flows through UTM.  Assuming that UTM is at the network perimeter, this could be used for an internal client to a remote mail server or a remote client to an internal mail server.

    • Destination IP Address NOT a UTM address, Destination Port = 25 without authentication:   Transparently evaluate inbound mail for configured mail domains.   If used for an unconfigured mail domain, results may be unpredictable.

     

    Based on the user interface, it appears that one can never enable Standard Mode and Transparent Mode at the same time.

  • DouglasFoster said:
    Based on the user interface, it appears that one can never enable Standard Mode and Transparent Mode at the same time

    The last sentence is not true. Transparent Mode is the main reason which converts UTM into a Mail Proxy, not a regular firewall. If you skip sources or destinations from the Mail Proxy (transparent mode), it will pass the traffic to the Firewall Rules or to Standard Mode.

    It is like the Web Proxy (old Astaro names): you can configure the browser or not, and you can make firewall rules for port 80 or not at all.

  • Restating what you said, it is like Web Proxy because:

    • Transparent Mode will always silently enable Standard Mode.
      You can have Standard mode without Transparent mode, but you cannot have Transparent Mode without enabling Standard Mode as well.
    • Therefore, Firewall Rules apply:
      • When SMTP Proxy is disabled.
      • When Transparent SMTP Proxy is not enabled and the destination address is not UTM
      • When Transparent SMTP Proxy is enabled but the destination address is in the Transparent Host skip list.

    If the rest of my analysis is correct, the User Authentication behavior is very different between Standard Mode and Transparent Mode, even if they are enabled with the same checkbox.

    I wonder why this was never important to document.

  • In my opinion, Transparent mode should be used only for testing and debugging.  Otherwise it opens you up to having an infected PC get you on every blacklist in the world.  I don't believe the SMTP Proxy ever sends over anything but 25 unless a smart host is used and then the port can be any.

    I examined our UTM's Bandwidth Usage for the last year and found no connections using 587 except my experiments with telnet.  I found four spammers with a total of seven attempts trying to relay port 465 sends off the Proxy, but those attempts were rejected with Relay not permitted.

    The conclusion is that modern MTAs all try port 25 first and that they never find an MTA that won't accept that.  Also, they only listen on 465 to maintain compatibility with any ancient MTAs - but there aren't any anymore because all were replaced with systems that can do STARTTLS on port 25.

    Cheers - Bob

  • Interesting.   As my comments implied, I thought 465 and 587 were only used for authenticated SMTP. 

    And I thought the original question was about using UTM to filter traffic between a mail client and a mail server, where authentication would be necessary.

  • User authentication should be to the mail server.  The Proxy should only allow relay from the mail server.  The mail server should only relay off the Proxy and not send "around" the Proxy. TLS should be required with all domains (*.*).  I had to make a TLS exception for cantv.net several years ago - that's probably not necessary anymore.

    Cheers - Bob

  • BAlfson said:
    The Proxy should only allow relay from the mail server.



    How can Transparent mode compromise this statement, Bob, about any infected PC being able to get you on a blacklist?
    I have two UTMs, home and work, in administration. Both are in Transparent mode. I can play with firewall rules all day, but I have transparent checked and I have never ended up on a spam list for about 5 years.
    We discussed this a long time ago, and I remember we agreed that the precedence was like this: Country Blocking > SMTP Transparent > DNAT/Firewall Rules