SMTP auth: who, how, why and when?

Hello,

Using Exchange 2010

2x Rx connectors:

  • internal network
  • gateway, anonymous permissions only.

All users use Outlook, some users work from home, and most users have email on their phones. Occasionally I use OWA from the outside world.

UTM SGxxx, configured for SMTP proxy, no ISP smart host.

There is one website with a user enquiry form.

I have no test environment so I am loath to poke around too much. 

Questions:

Does Exchange need the UTM nominated as a smart host, and why?

Does the UTM need to accept SMTP auth from the Internet for the Outlook services described above?

  • If no, how do I turn it off (this question arises due to around 7 regular "Too many failed logins from xxx for facility smtp, blocked for 24hrs") but still allow the website enquiry form to pass?

Cheers

 



  • We have a disagreement with Bob about using Standard mode or Transparent mode. But consider my recommendation below if Exchange Server is the only one who will send emails to the outside world, and if you said that you want the best from UTM and make it a real smarthost:

    1. Check Transparent Mode.

    2. In the relaying tab, put only the Exchange IP.

    3. Delete or disable any firewall rule about SMTP.

    4. Delete any DNAT rules about SMTP.

    Don't confuse SMTP rules with OWA access (HTTPS 443 vs. SMTP 25).

    You can still leave the rules active, but they are useless while "Transparent Mode" is enabled, and they will confuse you, not the UTM.

    To regulate traffic for one specific host-ip (like scanner or printer) with firewall rules, you have to exclude it from Transparent Mode.

    There you have the option to blacklist a specific host; no need to make a firewall rule to drop SMTP traffic for that specific host.

    That's it :)

  • Olsi, when you have the proxy in Transparent mode, is it possible for an internal workstation to send email to an external server if 25/465/587 are blocked by the firewall?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If the internal host is in the "Allowed Relayed List", yes.

    You have to exclude it from "Transparent" to make it subject to firewall rules.

    It is like Country Blocking or Web Proxy, Bob. Firewall rules are the last in the hierarchy.

  • Normally the workstation traffic on these ports will be intercepted by "Transparent Mode" first, but it can't send anything if it is not in "Allowed to Relay", even if you have a firewall rule "workstation-any-to-any-allow". You have to exclude it from transparent mode so the firewall/DNAT rule will handle that traffic.

  • Only for Bob, to not confuse you.

    And here come into place authenticated users, for the most secure system. In the relay tab you don't have any host (empty).

    Create a user with a strong password in UTM and put it in "authenticated relay".

    Configure that user in the "Send Connector" of Exchange.

    Now even a virus on the mail server can do nothing; only the Exchange program can send emails, not the IP or host.
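    The Exchange side of this advice, written up here as an added example rather than anything Olsi or Sophos posted: an Exchange 2010 send connector that routes all outbound mail to the UTM as a smart host and authenticates with the relay user created on the UTM, so DNS routing and direct delivery from the Exchange server are switched off. The UTM address 192.0.2.1, the relay user name "utm-relay", the connector name and the Hub Transport server name EXCH01 are placeholders, not values from the thread. Run it in the Exchange Management Shell.

```powershell
# Added example, not code from the thread. Assumed placeholder values:
$utmHost   = "192.0.2.1"          # internal IP of the UTM (assumed)
$relayUser = "utm-relay"          # authenticated-relay user defined on the UTM (assumed)
$hubServer = "EXCH01"             # Hub Transport server that owns the connector (assumed)
$connName  = "Internet via UTM"   # connector name (assumed)

# Prompt for the relay user's password so it never sits in a script file;
# Exchange stores the credential on the connector object.
$cred = Get-Credential $relayUser

# BasicAuth is the mechanism the thread's UTM setup implies; if the UTM is
# configured to offer STARTTLS, BasicAuthRequireTLS refuses to send the
# password over a cleartext session and is the better choice.
$authMech = "BasicAuth"

$existing = Get-SendConnector | Where-Object { $_.Name -eq $connName }
if ($existing) {
    # Re-point an existing connector at the UTM instead of creating a duplicate.
    Set-SendConnector -Identity $connName `
        -DNSRoutingEnabled $false `
        -SmartHosts $utmHost `
        -SmartHostAuthMechanism $authMech `
        -AuthenticationCredential $cred
} else {
    # Internet usage + address space "*" = every domain not accepted locally.
    New-SendConnector -Name $connName `
        -Usage Internet `
        -AddressSpaces "SMTP:*;1" `
        -SourceTransportServers $hubServer `
        -DNSRoutingEnabled $false `
        -SmartHosts $utmHost `
        -SmartHostAuthMechanism $authMech `
        -AuthenticationCredential $cred
}

# Verification: DNS routing must be off and the smart host/auth mechanism set,
# otherwise Exchange will still try to deliver directly and the UTM relay
# list (now empty) will reject nothing because nothing reaches it.
Get-SendConnector $connName |
    Format-List Name, Enabled, DNSRoutingEnabled, SmartHosts, SmartHostAuthMechanism
```

    With this in place the UTM's relay tab can be emptied as Olsi describes: nothing on the LAN is trusted by IP, and only a client that presents the relay user's credentials, which in practice is the Exchange send connector, can hand mail to the UTM for the outside world.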

  • That's a great idea, Olsi!  What do you do in the Exchange server?

    Cheers - Bob

    PS I'm still curious why Transparent helps and why it doesn't allow unauthenticated IPs to send to outside mail servers.

     
  • Because that is the purpose of a smarthost: catch all the traffic for you, and only Transparent mode can do it! You can regulate any IP or rule in Email Protection without the need for any firewall rule. Without Transparent mode you have to be an expert in firewall and DNAT rules and have a good memory. But there are more things. For example, I didn't test whether smtp.hostname in UTM will be visible in Standard Mode.

    In Exchange, only an antivirus, to be sure, and protecting internal users from each other.

  • Hello,

    I unchecked SMTP authenticated relaying... and the sky didn't fall on my head, and email continues to flow normally.

    I created an Rx connector just for the MFP, and it can email the domain users and still scan to folders.

    I'll review the SMTP logs for those nefarious SMTP login attempts or anything else untoward.

    I'm grateful to you all for your comments and guidance, even the ones that went straight and high over my head... I'll do my best to learn what they mean.

    cheers and thank you

    Simon
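An added example of the dedicated receive connector Simon describes (this is illustrative code, not Simon's configuration): an Exchange 2010 receive connector that accepts unauthenticated mail only from the MFP's address and only for recipients in the accepted domains, so the device can scan-to-email internal users without becoming an open relay, followed by a check that lists every connector accepting anonymous submissions. The server name EXCH01, the MFP address 10.0.0.50 and the connector name are placeholders, not values from the thread. Run it in the Exchange Management Shell.

```powershell
# Added example, not code from the thread. Assumed placeholder values:
$hubServer = "EXCH01"       # Hub Transport server (assumed)
$mfpIp     = "10.0.0.50"    # the scanner/MFP's fixed address (assumed)
$connName  = "MFP scan-to-email"

# Bind to port 25 like the Default connector; Exchange picks the connector whose
# RemoteIPRanges matches the sender most specifically, so this one wins for the
# MFP and the Default connector keeps handling everyone else.
New-ReceiveConnector -Name $connName `
    -Server $hubServer `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $mfpIp `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers

# AnonymousUsers only grants submission to recipients in accepted domains.
# The ms-Exch-SMTP-Accept-Any-Recipient right (external relay) is deliberately
# not granted here: the MFP only needs to reach domain users.

# Audit: every connector on this server that accepts anonymous mail, with the
# source ranges it accepts it from. Any entry whose RemoteIPRanges is wider than
# the single device that needs it is worth a second look.
Get-ReceiveConnector -Server $hubServer |
    Where-Object { "$($_.PermissionGroups)" -match "AnonymousUsers" } |
    Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups |
    Format-Table -AutoSize
```

Keeping the MFP on its own connector with a one-address RemoteIPRanges means the Default connector's settings can stay strict, and a later review of the SMTP logs only has to explain anonymous submissions from that single address.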