SMTP from External Device

Hello,

in our installation, the UTM is configured as a host-based relay for our Exchange Server, which is the only host allowed to relay. Now it is required to allow a dedicated external system to send mail from our smtp-domain, so I want to allow the external system to use the UTM to send mail.

I have to add the IP address of the external system to allow relaying; are there any other options to make this more secure? I want to allow the external system to use the mail server with one dedicated sender address. Is it possible to limit it to that?


Kind regards & thanks in advance

  • The remote device does not need to connect to your server to send mail that pretends to be you. They just need the ability to send under your names, and you need to ensure that they are authorized by your SPF, DKIM, and/or DMARC policies.

    Whether or not your published policies require a DKIM signature, I recommend giving them their own DKIM scope ID and DKIM keypair. If they cannot do DKIM, I would suggest that they lack the minimum sophistication needed to be a third-party mailer. If you do not have experience with DKIM, they should have the expertise and should be able to help you learn the ropes. (It is not hard.)

    If they must connect to your server, I would recommend using a VPN tunnel to your mail server, not UTM. I think there are security problems with any other approach.

  • DouglasFoster said:
    The remote device does not need to connect to your server to send mail that pretends to be you. They just need the ability to send under your names, and you need to ensure that they are authorized by your SPF, DKIM, and/or DMARC policies.

    Yes, that was the other option in my thoughts. I can extend our SPF record, but then I have no control over the mails. We don't use DKIM and DMARC and I am not familiar with them, so today SPF is the only option.

    DouglasFoster said:
    If they must connect to your server, I would recommend using a VPN tunnel to your mail server, not UTM. I think there are security problems with any other approach.

    So using the UTM directly is insecure whether a VPN is used or not?
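    The SPF route discussed above (authorizing the external system's IP in the published record rather than letting it relay) can be checked offline. The following is an added example, not code from the thread or from Sophos: it inserts an ip4/ip6 mechanism for a third-party mailer before the catch-all term and evaluates a sending IP against the record. Addresses and netblocks are constructed documentation ranges, and DNS-dependent mechanisms (include, a, mx, exists, redirect) are deliberately not resolved, which is a stated simplification.

```python
"""Offline SPF check and record extension (added example, not from the thread).

Implements the ip4/ip6 mechanisms and the `all` catch-all with RFC 7208
qualifier semantics. DNS-based mechanisms are not resolved here and never
match, so the check runs without network access.
"""
import ipaddress

# Constructed sample: the Exchange server's public address (198.51.100.10)
# already authorized, "-all" rejecting everything else.
EXISTING_RECORD = "v=spf1 ip4:198.51.100.10 -all"
# Hypothetical third-party mailer netblock (203.0.113.0/24 is TEST-NET-3).
THIRD_PARTY_NET = "203.0.113.0/24"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def authorize_sender(record, cidr):
    """Return the record with an ip4:/ip6: mechanism for `cidr` inserted
    before the `all` term, so the catch-all stays last."""
    terms = record.split()
    version = ipaddress.ip_network(cidr, strict=False).version
    mechanism = f"ip{version}:{cidr}"
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms.insert(i, mechanism)
            break
    else:
        terms.append(mechanism)  # no catch-all present, append at the end
    return " ".join(terms)


def check_spf(record, sender_ip):
    """Evaluate `sender_ip` against `record`; returns pass/fail/softfail/
    neutral, or "none" when the TXT string is not an SPF record."""
    if not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/redirect would need DNS lookups; skipped here.
    return "neutral"  # RFC 7208: no term matched and no `all` present
```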

  • Why doesn't the external device use the Exchange Server behind the UTM?

    If you don't want to use the Exchange Server, this option can be done if SMTP is configured in "Transparent Mode".
    Then the external device can use the UTM as a smarthost or send connector, with the "Authenticated Users" option.

  • Unknown said:
    Why doesn't the external device use the Exchange Server behind the UTM?

    Today the external device has no VPN connection to our UTM, so the Exchange Server is not reachable.

    Unknown said:
    If you don't want to use the Exchange Server, this option can be done if SMTP is configured in "Transparent Mode".
    Then the external device can use the UTM as a smarthost or send connector, with the "Authenticated Users" option.

    I understand that transparent mode is meant to force SMTP connections to use the SMTP proxy?

    Basically my question can be reduced to this:

    Is it secure to allow a single external IP address to use the UTM as a relay, although the device and the UTM are connected via the internet and unencrypted?

  • I think it cannot be done without Transparent Mode.

  • You can use a DNAT rule for the external device to reach the Exchange Server.

    Why do you need VPN for this?

  • Your plan should work, assuming that the remote device connects using TLS.

    I struggled with your idea because many devices can connect to your UTM using port 25, so how do you distinguish this device from the others? But the difference is that you are going to tell UTM that this one IP address is a trusted relay, which is what will distinguish it from the other systems on the internet.

    You probably need to think about return path. Will these messages get replies? How will you handle undeliverable messages?

    You may want to estimate the volume of mail, to see if it creates any bandwidth concerns. Every message will hit your ISP connection twice, once on the way in and once on the way out. Assuming that the volume is not a concern, you should be fine.

  • I'm with DouglasFoster and think you should let the mailing service send directly and just add their IPs to your SPF record. I'm uncomfortable letting an external entity relay through the UTM's SMTP Proxy or through a proprietary mail server.

    Cheers - Bob
    PS: This wouldn't require transparent mode, oldeda. I've done this with an organization that had proprietary mail servers in two different locations.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA