SPF reject messages flooding impersonated victim

Question

We have this scenario: 
 
 Bad actor uses some mail server: 192.0.2.25 
 Bad actor attempts to impersonate our CEO: ceo@example.com (spoofed) 
 Bad actor sends e-mails to our finance department and others: ceo@example.com > finance@example.com, ceo@example.com > hr@example.com, ... 
 Bad actor's mails get rejected by our UTM, because our own domain example.com does not list 192.0.2.25 as a legitimate sender 
 Our UTM notifies the sending mail server 192.0.2.25 about the rejected e-mail (due to SPF record checks) 
 Mail server 192.0.2.25 sends "Undelivered Mail Returned to Sender" to ceo@example.com 
 Our CEO gets flooded by those reject messages 
 
 Is there any way to utilize UTM to get rid of those reject notification floods? 
 Just to be clear: We are fully aware that in the scenario above, the mail server 192.0.2.25 is misconfigured (and probably hijacked by bad actors). Our published SPF records yield the desired result and the SPF checking of our UTM works as intended. 
 The problem is the backscatter that floods the impersonated victim.

DouglasFoster · Accepted Answer

The core problem is that UTM sends Non-Delivery Reports (NDRs), and the feature cannot be disabled. The direction from IETF is that NDRs should not be sent in reply to incoming mail; either you reject unwanted messages as they are being received, or you discard silently. The mail capability in UTM is weak. 
 I have concluded that the ideal environment is one with (at least) three mail components: 
 - inbound mail gateway 
 - mail server 
 - outbound mail gateway 
 In this configuration, I use my firewall to ensure that the incoming gateway cannot send outbound mail (port 25 is blocked). This prevents NDRs as well as ensuring that it cannot be used as additional assurance that it cannot be used as an open relay. 
 At my outbound gateway, I quarantine messages with subjects starting "Failed:" or "Undeliverable:". This captures NDRs generated by my mail servers without generating an NDR in return. You may be able to use other criteria, such as messages coming from postmaster@domain 
 How could UTM fit into this picture while still using both inbound and outbound features? Simplest approach is to add an outbound gateway. 
 Inbound flow: 
 
 Internet -> UTM SMTP proxy -> Mail server 
 
 Outbound flow: 
 
 Mail Server -> UTM SMTP Proxy -> Outbound Gateway -> Internet 
 
 with the Outbound gateway filtering NDRs based on Subject text or other criteria. 
 SmaterTools.com has a Windows-based mail server that can be used for free as an incoming or outgoing gateway. There are a bunch of Unix-based email systems that could also be used, including Exim (which is inside UTM) and PostFix.