
SMTP from External Device

Hello,

In our installation, the UTM is configured as a host-based relay for our Exchange Server, which is the only host allowed to relay. Now we need to allow a dedicated external system to send mail from our SMTP domain, so I want to allow the external system to use the UTM to send mail.

I have to add the IP address of the external system to allow relaying. Are there any other options to make this more secure? I want to allow the external system to use the mail server with one dedicated sender address; is it possible to limit it that way?


Kind regards & thanks in advance



  • The remote device does not need to connect to your server to send mail that pretends to be you. They just need the ability to send under your names, and you need to ensure that they are authorized by your SPF, DKIM, and/or DMARC policies.

    Whether or not your published policies require a DKIM signature, I recommend giving them their own DKIM scope ID and DKIM keypair. If they cannot do DKIM, I would suggest that they lack the minimum sophistication needed to be a third-party mailer. If you do not have experience with DKIM, they should have the expertise and should be able to help you learn the ropes. (It is not hard.)

    If they must connect to your server, I would recommend using a VPN tunnel to your mail server, not UTM. I think there are security problems with any other approach.

  • DouglasFoster said:
    The remote device does not need to connect to your server to send mail that pretends to be you.   They just need the ability to send under your names, and you need to ensure that they are authorized by your SPF, DKIM, and/or DMARC policies.

    Yes, that was the other option in my thoughts. I can extend our SPF record, but then I have no control over the mails. We don't use DKIM and DMARC and I am not familiar with it, so today SPF is the only option.

    DouglasFoster said:
    If they must connect to your server, I would recommend using a VPN tunnel to your mail server, not UTM.   I think there are security problems with any other approach.

    So using the UTM directly is insecure whether a VPN is used or not?

  • I'm with DouglasFoster and think you should let the mailing service send directly and just add their IPs to your SPF record. I'm uncomfortable letting an external entity relay through the UTM's SMTP Proxy or through a proprietary mail server.

    Cheers - Bob
    PS This wouldn't require transparent, oldeda.  I've done this with an organization that had proprietary mail servers in two different locations.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
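
Both replies above come down to the same recommendation: publish the third party's addresses in the SPF record and let them send directly. The script below is an added example (not code from this thread, from Sophos, or from any poster) that shows what that authorization actually decides. It evaluates an SPF record the way a receiving MTA does (RFC 7208 mechanisms ip4, ip6, a, mx, include and the +/-/~/? qualifiers) against an in-memory zone, so it runs offline; example.com, _spf.mailer.example, the hostnames and all IP addresses are constructed from documentation ranges and are not real. It also counts DNS-querying mechanisms across includes, because the 10-lookup limit is the usual way a growing SPF record breaks, and shows a record with eleven includes tripping it. Two points the code makes explicit: SPF authorizes a connecting IP for the envelope MAIL FROM domain only, so it cannot pin the external system to one sender address (the OP's question), and an include of the third party's record inherits whatever that record says.

```python
"""Offline SPF check for the scenario in this thread: once the third party's
addresses are added to our record, does the IP they send from pass for our
domain, and are we still under the DNS-lookup limit?

Added example, not code from the thread or from Sophos. DNS is replaced by a
constructed in-memory zone (ZONE) so the script runs offline; every domain and
address below is made up (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

# Constructed zone. example.com is "our" domain; _spf.mailer.example stands in
# for the external mailing service's published SPF record.
ZONE = {
    "example.com": {
        "TXT": "v=spf1 mx ip4:203.0.113.10 include:_spf.mailer.example -all",
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},
    "_spf.mailer.example": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:abcd::/48 ~all",
    },
}

# A constructed record with eleven includes, to show the lookup limit tripping.
ZONE["toomany.example"] = {
    "TXT": "v=spf1 " + " ".join(f"include:m{i}.example" for i in range(11)) + " -all"
}
for i in range(11):
    ZONE[f"m{i}.example"] = {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"}

# RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per evaluation,
# counted across every include. Exceeding it is a permanent error.
MAX_DNS_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query against the constructed ZONE."""
    records = ZONE.get(name, {})
    if rrtype == "TXT":
        return records.get("TXT")          # None when the domain has no SPF record
    return records.get(rrtype, [])


def _check(domain, addr, lookups):
    """Walk one SPF record left to right; lookups is a shared [count] list."""
    record = lookup(domain, "TXT")
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv6 address is never inside an IPv4 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "include":
                sub = _check(target, addr, lookups)
                if sub in ("permerror", "none"):
                    return "permerror"     # RFC 7208 section 5.2
                matched = sub == "pass"    # only a pass of the included record counts
            else:
                hosts = [target] if mech == "a" else lookup(target, "MX")
                rr = "AAAA" if addr.version == 6 else "A"
                matched = any(addr == ipaddress.ip_address(a)
                              for h in hosts for a in lookup(h, rr))
        else:
            # Modifiers (redirect=, exp=), exists, ptr and CIDR suffixes on
            # a/mx are not implemented here; flag them instead of guessing.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def evaluate(domain, ip):
    """Return (result, dns_lookups_used) for a connection from ip claiming
    MAIL FROM <anything>@domain. SPF authorizes the IP for the domain only;
    it says nothing about the local part or the header From."""
    lookups = [0]
    return _check(domain, ipaddress.ip_address(ip), lookups), lookups[0]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "2001:db8:abcd::25", "192.0.2.5"):
        print(f"{ip:>22} -> {evaluate('example.com', ip)}")
    print("toomany.example   ->", evaluate("toomany.example", "203.0.113.99"))
```

Run it against your own published record by replacing ZONE with real DNS lookups; the result for the mailing service's IP should be "pass", and the lookup count tells you how much room is left before an extra include turns every evaluation into permerror.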