SMTP auth: who, how, why and when?

Hello,

Using exchange 2010

2x Rx connectors

  • internal network
  • gateway, anonymous permissions only.

All users use Outlook, some users work from home, most users have email on their phones. Occasionally I use OWA from the outside world.

UTM SGxxx, configured for smtp proxy, no ISP smart host

There is one website with a user enquiry form.

I have no test environment so I am loath to poke around too much. 

Questions:

Does exchange need the UTM nominated as a smart host and Why?

Does the UTM need to accept smtp auth from the internet for the outlook services described above?

  • If no, how do I turn it off (this question arises because of around 7 regular "Too many failed logins from xxx for facility smtp, blocked for 24hrs" messages) while still allowing the website enquiry form to pass?

Cheers
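As an added example (not from the original post, from Sophos or from anyone in this thread): before deciding whether to drop anything at the firewall, it helps to know which sources keep producing the "Too many failed logins from xxx for facility smtp, blocked for 24hrs" notices quoted above, and whether they cluster in a few ranges. The script below collects such notices, keeps only the smtp facility, and summarises repeat offenders per address and per /24. The notice lines are constructed for this example and modelled only on the message text quoted in the post; the timestamp prefix, the addresses and the "webadmin" facility name are assumptions.

```python
"""Summarise UTM-style lockout notices by source address and network.

Added example; the notice format below is constructed from the message
text quoted in the post ("Too many failed logins from xxx for facility
smtp, blocked for 24hrs"). Timestamps, addresses and the extra facility
name are assumptions, not real UTM output.
"""
import ipaddress
import re
from collections import Counter

NOTICE_RE = re.compile(
    r"Too many failed logins from (?P<ip>\S+) for facility (?P<facility>\w+),"
    r" blocked for (?P<hours>\d+)\s*hrs"
)

# Constructed sample input (documentation-range addresses, assumed timestamps).
CONSTRUCTED_NOTICES = [
    "2019-03-01 02:14:07 Too many failed logins from 203.0.113.45 for facility smtp, blocked for 24hrs",
    "2019-03-02 02:19:33 Too many failed logins from 203.0.113.45 for facility smtp, blocked for 24hrs",
    "2019-03-02 11:03:51 Too many failed logins from 198.51.100.9 for facility smtp, blocked for 24hrs",
    "2019-03-03 02:16:40 Too many failed logins from 203.0.113.45 for facility smtp, blocked for 24hrs",
    "2019-03-03 09:00:12 Too many failed logins from 203.0.113.77 for facility smtp, blocked for 24hrs",
    "2019-03-03 09:05:00 Too many failed logins from 192.0.2.10 for facility webadmin, blocked for 24hrs",
    "2019-03-03 09:06:00 some unrelated log line that must be ignored",
]


def parse_notices(lines, facility="smtp"):
    """Yield (ip_address, lockout_hours) for every notice matching `facility`.

    Lines that do not match, belong to another facility, or carry an
    unparsable address are skipped rather than raising.
    """
    for line in lines:
        m = NOTICE_RE.search(line)
        if not m or m.group("facility") != facility:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        yield ip, int(m.group("hours"))


def repeat_offenders(lines, min_hits=2, facility="smtp"):
    """Addresses locked out at least `min_hits` times, as {ip: count}."""
    counts = Counter(ip for ip, _ in parse_notices(lines, facility))
    return {str(ip): n for ip, n in counts.items() if n >= min_hits}


def offending_networks(lines, facility="smtp"):
    """Lockouts aggregated per /24 (IPv4) or /64 (IPv6), as {network: count}.

    A single address that is blocked for 24h and then returns from a
    neighbour in the same range shows up here even when no single address
    crosses the repeat threshold.
    """
    nets = Counter()
    for ip, _ in parse_notices(lines, facility):
        prefix = 24 if ip.version == 4 else 64
        nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return {str(net): n for net, n in nets.items()}


if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(CONSTRUCTED_NOTICES))
    print("per network:     ", offending_networks(CONSTRUCTED_NOTICES))
```

Feed it the real notices (one per line) instead of the constructed list; an address that appears on consecutive days after each 24-hour block is the kind of source worth handling with a firewall rule rather than relying on the lockout alone.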

 



  • Authentication is not needed for users. Its purpose is: a user configured in the UTM can relay (send) emails directly, skipping Exchange. But that is not allowed by most company policies.

    You can set the UTM as the "send connector" (smart host) in Exchange, and the UTM will handle the email.

  • The UTM is currently the smart host for Exchange, super!

    The UTM is mostly configured as per Bob's setup post.

    My preference is to make the UTM do most of the work and leave exchange relatively normal.

    However, I do not understand why an external party/server would even be permitted to begin an SMTP authentication; this seems wasteful and inelegant.

    • Is this normal because the authentication will always fail? (And how do I have confidence this is true?)
      • Is this handshake processing overhead better placed into another function of the UTM?
    • should the dubious IP address be entered somewhere to drop it at the firewall (or send it to a blackhole)?

    To prevent authentication attempts (presuming this is best practice for mitigating SMTP password-guessing attacks), should "Allow upstream/relay hosts only" be checked but with no listed entries, or does the checkbox imply a blanket function for the UTM?

    Cheers
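As an added example (not from the thread, from Sophos or from anyone in it): the question above, how to have confidence that an outside party cannot even begin SMTP authentication, can be answered from the outside rather than from the UTM's configuration pages. An ESMTP client may only start AUTH if the server advertised an AUTH line in its EHLO reply (RFC 4954), so probing the public listener's EHLO reply, both before and after STARTTLS, shows directly whether password guessing against it is possible at all. The script below parses a constructed EHLO reply offline and, when given a hostname, runs the same check live with Python's smtplib; the hostname, the probe's own EHLO name and the reply text are assumptions.

```python
"""Does the public SMTP listener offer AUTH to an unauthenticated client?

Added example, not code from the thread or from Sophos. The EHLO reply
below is constructed; the live probe_smtp_auth() function takes whatever
host you point it at (a placeholder, not a real mail server).
"""
import smtplib

# Constructed EHLO reply, as a server might return it (assumed values).
CONSTRUCTED_EHLO_REPLY = [
    "250-mail.example.com Hello probe [198.51.100.7]",
    "250-SIZE 52428800",
    "250-8BITMIME",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]


def parse_ehlo(reply_lines):
    """Parse a 250 multi-line EHLO reply into {KEYWORD: [parameters]}.

    The first line is the server greeting and is skipped. Both the RFC
    form "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form are
    folded into a single "AUTH" entry, and repeated keywords are merged.
    """
    caps = {}
    for line in reply_lines[1:]:
        line = line.strip()
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" or "250 "
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):  # legacy Outlook-style advertisement
            params = keyword[5:] + " " + params
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(params.split())
    return caps


def auth_exposed(caps):
    """True if an unauthenticated client is allowed to start SMTP AUTH."""
    return "AUTH" in caps


def auth_mechanisms(caps):
    """Mechanisms the server would accept (e.g. PLAIN, LOGIN, CRAM-MD5)."""
    return caps.get("AUTH", [])


def probe_smtp_auth(host, port=25, timeout=10, probe_name="probe.example.net"):
    """Live check from the current network position.

    Returns (auth_before_tls, auth_after_tls, mechanisms). auth_after_tls is
    None when the server does not offer STARTTLS. Run this from an external
    address: a listener may treat internal sources differently.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo(probe_name)
        before = s.has_extn("auth")
        mechs = s.esmtp_features.get("auth", "").split()
        after = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo(probe_name)               # capabilities may change after TLS
            after = s.has_extn("auth")
            mechs = s.esmtp_features.get("auth", "").split()
        return before, after, mechs


if __name__ == "__main__":
    import sys
    caps = parse_ehlo(CONSTRUCTED_EHLO_REPLY)
    print("constructed reply exposes AUTH:", auth_exposed(caps), auth_mechanisms(caps))
    if len(sys.argv) > 1:                    # e.g. python probe.py mx.example.org
        print("live:", probe_smtp_auth(sys.argv[1]))
```

Check the result both before and after STARTTLS, since many servers only advertise AUTH once TLS is up. If the live probe still reports AUTH from an external address after you change the relay settings, the listener is still accepting login attempts and the lockout notices will continue whether or not any guess succeeds.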

  • Please show a picture of the section of the 'Relaying' tab that includes 'Authenticated Relay' and 'Host-based Relay'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What is the purpose of allowing "qcds-office" to relay off the Proxy?  That's the source of your error messages.

    Cheers - Bob
