
smtp auth; who, how, why and when?

Hello,

Using exchange 2010

2x Rx connectors

  • internal network
  • gateway, anonymous permissions only.

All users use Outlook, some users work from home, most users have email on their phones. Occasionally I use OWA from the outside world.

UTM SGxxx, configured for smtp proxy, no ISP smart host

There is one website with a user enquiry form.

I have no test environment so I am loath to poke around too much. 

Questions:

Does exchange need the UTM nominated as a smart host and Why?

Does the UTM need to accept smtp auth from the internet for the outlook services described above?

  • If no, how do I turn it off (this question arises due to around 7 regular "Too many failed logins from xxx for facility smtp, blocked for 24hrs" messages) but still allow the website enquiry form to pass?

Cheers

  • I will try to clarify some of your confusion about protocols and features:

    Every TCP conversation has a source and destination IP address which is used to route the packet. It also has a source and destination port which identify the sending and receiving programs, so the operating systems know how to deliver the packet when it arrives, and the receiving program knows how to reply. To permit conversations to be started, processes that accept incoming connections (sometimes called daemons) listen on "well-known" port numbers, so that my machine can connect to yours without me calling first to ask you about your configuration. Source port number values for the initiating program do not matter. The program asks the operating system for a unique port number before it starts a conversation, and the other end reads the source port of the incoming packet to construct its reply.

    Each communication type uses different port numbers.

    Inbound Messages

    Mail is transferred when a sending system connects to port 25 on a target server and starts an SMTP session. This connection is unauthenticated (no login), and the server will accept mail from nearly anybody, as long as it is targeted to a mail domain that it controls. Of course, in practice, the receiving system performs spam checks on the incoming traffic, but the point is that hotmail does not require a login for a gmail server to send a message to gmail.

    Outbound Messages

    Authenticated SMTP (optionally on port 25, but more often on port 465 or 587) is used for a client program to use a mail system to send a message to a mail domain that it does not control. This is mostly used for email clients and for automated systems that need to send alarms. For email clients, authenticated SMTP (which only sends mail) is paired with either IMAP or POP3 (protocols which only retrieve mail). IMAP and POP have their own port numbers for both clear text and encrypted sessions.

    If a system accepts traffic for mail domains that it does not control, this is an "open relay". Spammers use open relays to hide their source address and let someone else suffer the consequences of their dirty work, so you never want to create an open relay.

    OWA and Outlook Anywhere are email clients written entirely in web protocols.   They should only be used with encryption, so you need to allow port 443 in your firewall.

    My configuration recommendations:

    • Alarming devices, email clients, and anything else that generates mail should send it to your mail server. Some alarming systems cannot do authentication, so they need an exception for the receiving system to trust them based on the source IP. But all of this traffic should be submitted to your mail server, not to UTM.
    • UTM should not accept any authenticated SMTP traffic. This opens the device to password guessing attacks from the internet, attacks which you do not need or want.

    Smart Hosts

    A Smart Host is any device which adds a hop to the email delivery sequence, presumably because it does some evaluation of the traffic related to either delivery routing or spam filtering. In this sense, an Exchange Connector is a Smart Host.

    UTMs add value in spam filtering, so it is desirable as a Smart Host.   Assuming that you agree, your message flow will be

    Internet -- UTM --- Exchange Connector -- Exchange

    In small environments, the Exchange Connector function runs on the Exchange server, so it does not add a hop.

    So you want to configure your perimeter devices to force this traffic flow.

    UTM should accept relay (outbound) from your Exchange server only.

    UTM SMTP proxy should be on.

  • "qcds-office is the AD profile for the MFC to permit sending emails and saving to folders. In my view it only needs to send emails to internal users. this was configured by the installer of the SG115."

    Agreed with the others, Simon, that you don't want 'Authenticated Relay' and that, normally, the only thing that should be allowed to relay is your Exchange box. Look in the Mail Manager on the 'SMTP Log' tab. Put the IP of the HP Printer in the 'IP/Net/Address/Subj. substring:' box and you will see if emails are coming from it. Likewise, put the sender email address of the qcds-office user in that box to see if any emails were sent from an IP other than the Exchange server. You may not need to come in on the weekend unless the printer needs to be configured to relay off Exchange. I'm not sure that it's that important to change the settings on the HP printer - I'd probably just leave it relaying off the UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
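    The log review Bob describes (filter the SMTP log by an IP or sender substring, and check which sources are submitting mail as the qcds-office user), together with a count of the failed SMTP logins behind Simon's "Too many failed logins" notices, as an added Python example that is not part of this thread and not the UTM's own Mail Manager. The log line format, the addresses (10.0.0.5 standing in for Exchange, 10.0.0.20 for the MFP, example.com for the mail domain, and the public source addresses) and the events are all constructed for the example; real UTM log lines look different, so only the regular expressions would need adapting.

```python
"""Review a mail gateway's SMTP log for two things raised in the thread:
- which source IPs submit mail with a given envelope sender (anything other than
  the Exchange server sending as qcds-office deserves a look), and
- how many failed SMTP AUTH attempts each source IP made, the pattern behind the
  "Too many failed logins ... for facility smtp" notifications.
The log format and every address below are constructed for this example."""
import re
from collections import Counter

# Constructed sample log: Exchange is 10.0.0.5, the MFP is 10.0.0.20, everything
# else is a public address.  The last line is what a sender using a credential it
# should not have would look like: an authenticated submission from the internet.
SAMPLE_LOG = """\
2016-03-01 08:01:12 smtp: connect from 10.0.0.5
2016-03-01 08:01:13 smtp: message from=<qcds-office@example.com> to=<alice@example.com> src=10.0.0.5 auth=none status=accepted
2016-03-01 08:02:40 smtp: message from=<qcds-office@example.com> to=<bob@example.com> src=10.0.0.20 auth=none status=accepted
2016-03-01 08:03:05 smtp: message from=<enquiry@www.example.com> to=<sales@example.com> src=192.0.2.30 auth=none status=accepted
2016-03-01 08:05:01 smtp: auth failed user=qcds-office src=198.51.100.7
2016-03-01 08:05:02 smtp: auth failed user=qcds-office src=198.51.100.7
2016-03-01 08:05:03 smtp: auth failed user=admin src=198.51.100.7
2016-03-01 08:07:19 smtp: auth failed user=simon src=203.0.113.9
2016-03-01 08:09:00 smtp: message from=<qcds-office@example.com> to=<carol@example.com> src=198.51.100.7 auth=qcds-office status=accepted
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) smtp: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|\S+)")  # key=value or key=<value>


def parse_log(text):
    """Turn log text into a list of dicts: timestamp, event type, raw line, and
    the key=value fields of the entry (angle brackets stripped from addresses)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an SMTP entry in the constructed format
        rest = m.group("rest")
        fields = {k: v.strip("<>") for k, v in KV_RE.findall(rest)}
        if rest.startswith("message "):
            event = "message"
        elif rest.startswith("auth failed"):
            event = "auth_failed"
        else:
            event = "other"
        records.append({"ts": m.group("ts"), "event": event, "raw": line, **fields})
    return records


def grep(records, substring):
    """The equivalent of the Mail Manager substring box: every entry mentioning the text."""
    return [r["raw"] for r in records if substring in r["raw"]]


def sources_for_sender(records, sender):
    """Source IPs that submitted mail with this envelope sender, with counts."""
    return Counter(r["src"] for r in records
                   if r["event"] == "message" and r.get("from") == sender)


def unexpected_sources(records, sender, trusted):
    """Source IPs sending as `sender` that are not in the trusted set (normally
    just the Exchange server); the MFP and any internet address show up here."""
    return {ip for ip in sources_for_sender(records, sender) if ip not in trusted}


def failed_auth_by_source(records, threshold):
    """Source IPs with at least `threshold` failed AUTH attempts."""
    counts = Counter(r["src"] for r in records if r["event"] == "auth_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sending as qcds-office:", dict(sources_for_sender(recs, "qcds-office@example.com")))
    print("not from Exchange:", unexpected_sources(recs, "qcds-office@example.com", {"10.0.0.5"}))
    print("failed logins (3 or more):", failed_auth_by_source(recs, 3))
    for line in grep(recs, "10.0.0.20"):
        print("MFP:", line)
```

    Run against the sample, the review shows the MFP (10.0.0.20) submitting as qcds-office, which is the expected printer traffic Bob mentions, and one public address that both guessed passwords repeatedly and then submitted mail as the same user, which is the case that should trigger a password change rather than another 24-hour block.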
  • Olsi, when you have the Proxy in Transparent mode, is it possible for an internal workstation to send email to an external server if 25/465/587 are blocked by the firewall?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If the internal host is in the "Allowed Relayed List", yes.

    You have to exclude it from "Transparent" to make it subject to firewall rules.

    It is like Country Blocking or Web Proxy, Bob. Firewall rules are the last in the hierarchy.

  • Normally the workstation traffic on these ports will be intercepted by "Transparent Mode" first, but it can't send anything if it is not in "Allowed to Relay", even if you have a firewall rule "workstation-any-to-any-allow". You have to exclude it from transparent, so the firewall/DNAT rule will handle that traffic.

  • Only for Bob, so as not to confuse you.

    And here is where authenticated users come in, for the most secure system. In the relay tab you don't have any host (empty).

    Create a user with a strong password in UTM and put it in "authenticated relay".

    Configure that user in the "Send Connector" of Exchange.

    Now even a virus on the mail server can do nothing; only the Exchange program can send emails, not the IP or host.
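    The relay rules from the first reply (inbound mail for the domains you control is accepted from anyone without a login; outbound relay only from the Exchange server; everything else refused, or the gateway is an open relay) and Olsi's variant just above (an empty relay host list and a dedicated account in "authenticated relay" that only the Exchange send connector knows), as an added Python example of the decision a perimeter SMTP gateway makes. It is neither the UTM's logic nor code from anyone in this thread. Offering the AUTH command only to internal networks is my combination of the first reply's "no authenticated SMTP from the internet" with Olsi's account, so the password guessing the OP sees never reaches a login prompt; the addresses and domain names are constructed.

```python
"""Relay decision for a perimeter SMTP gateway, in two configurations:
IP_BASED   - relay trusted by source address (the Exchange server only);
USER_BASED - relay host list empty, relay only for a dedicated account used by
             the Exchange send connector, and AUTH offered only to internal nets.
All addresses and domains are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class GatewayPolicy:
    local_domains: frozenset              # domains this gateway accepts inbound mail for
    relay_hosts: tuple                    # networks trusted to relay by source IP
    internal_networks: tuple              # only here is the AUTH command offered at all
    relay_users: frozenset = frozenset()  # accounts allowed authenticated relay


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def auth_allowed(policy, src_ip):
    """Whether SMTP AUTH is offered to this source.  Refusing it to the internet
    is what removes the password-guessing behind 'Too many failed logins'."""
    return bool(policy.relay_users) and _in_any(ip_address(src_ip), policy.internal_networks)


def decide(policy, src_ip, rcpt, authenticated_as=None):
    """Return 'accept' (inbound to our own domain), 'relay' (outbound via a trusted
    path) or 'reject' (relaying it would make this gateway an open relay)."""
    ip = ip_address(src_ip)
    domain = rcpt.rpartition("@")[2].lower()
    if domain in policy.local_domains:
        return "accept"  # inbound: no login needed, spam filtering happens separately
    if _in_any(ip, policy.relay_hosts):
        return "relay"   # outbound from the trusted Exchange server
    if authenticated_as in policy.relay_users and auth_allowed(policy, src_ip):
        return "relay"   # outbound via the send-connector account, from inside only
    return "reject"      # printer, workstation, or internet host trying to relay


# Constructed addresses: 10.0.0.5 is Exchange, 10.0.0.0/24 is the office LAN.
IP_BASED = GatewayPolicy(
    local_domains=frozenset({"example.com"}),
    relay_hosts=(ip_network("10.0.0.5/32"),),
    internal_networks=(ip_network("10.0.0.0/24"),),
)
USER_BASED = GatewayPolicy(
    local_domains=frozenset({"example.com"}),
    relay_hosts=(),
    internal_networks=(ip_network("10.0.0.0/24"),),
    relay_users=frozenset({"exchange-relay"}),  # the account in "authenticated relay"
)


if __name__ == "__main__":
    cases = [
        ("website form delivering inbound", IP_BASED, "192.0.2.30", "sales@example.com", None),
        ("Exchange sending outbound", IP_BASED, "10.0.0.5", "someone@other.example", None),
        ("MFP sending outbound", IP_BASED, "10.0.0.20", "someone@other.example", None),
        ("internet host with a password", IP_BASED, "203.0.113.9", "someone@other.example", "exchange-relay"),
        ("Exchange IP without the account", USER_BASED, "10.0.0.5", "someone@other.example", None),
        ("Exchange send connector account", USER_BASED, "10.0.0.5", "someone@other.example", "exchange-relay"),
    ]
    for label, policy, src, rcpt, user in cases:
        print(f"{label:40s} -> {decide(policy, src, rcpt, user)}")
```

    In the USER_BASED configuration the Exchange server's own address can no longer relay without the account, which is Olsi's point about malware on the mail server; in both configurations an internet host presenting the right password is still refused, because AUTH is never offered outside the internal networks.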

  • That's a great idea, Olsi!  What do you do in the Exchange server?

    Cheers - Bob

    PS I'm still curious why Transparent helps and why it doesn't allow unauthenticated IPs to send to outside mail servers.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Because that is the purpose of a Smarthost: catch all the traffic for you, and only Transparent mode can do it! You can regulate any IP or rule in Email Protection without the need for any firewall rule. Without Transparent mode you have to be an expert in firewall and DNAT rules and have a good memory. But there are more things. For example, I didn't test if smtp.hostname in UTM will be visible in Standard Mode.

    In Exchange only an antivirus, to be sure and to protect internal users from each other.

  • Hello,

    I unchecked smtp authenticated relaying... and the sky didn't fall on my head and email continues to flow normally.

    I created an Rx connector just for the MFP and it can email the domain users and still scan to folders.

    I'll review the smtp logs for those nefarious smtp login attempts or anything else untoward.


    I'm grateful to you all for your comments and guidance, even the ones that went straight and high over my head... I'll do my best to learn what they mean.

    cheers and thank you

    Simon