SPF reject messages flooding impersonated victim

The core problem is that UTM sends Non-Delivery Reports (NDRs), and the feature cannot be disabled.    The direction from IETF is that NDRs should not be sent in reply to incoming mail; either you reject unwanted messages as they are being received, or you discard silently.    The mail capability in UTM is weak.

I have concluded that the ideal environment is one with (at least) three mail components:

- inbound mail gateway

- mail server

- outbound mail gateway

In this configuration, I use my firewall to ensure that the incoming gateway cannot send outbound mail (port 25 is blocked).   This prevents NDRs as well as ensuring that it cannot be used as additional assurance that it cannot be used as an open relay.

At my outbound gateway, I quarantine messages with subjects starting "Failed:" or "Undeliverable:".   This captures NDRs generated by my mail servers without generating an NDR in return.  You may be able to use other criteria, such as messages coming from postmaster@domain

How could UTM fit into this picture while still using both inbound and outbound features?  Simplest approach is to add an outbound gateway.

Inbound flow:

• Internet -> UTM SMTP proxy -> Mail server

Outbound flow:

• Mail Server -> UTM SMTP Proxy -> Outbound Gateway -> Internet

with the Outbound gateway filtering NDRs based on Subject text or other criteria.

SmaterTools.com has a Windows-based mail server that can be used for free as an incoming or outgoing gateway.   There are a bunch of Unix-based email systems that could also be used, including Exim (which is inside UTM) and PostFix.

The core problem is that UTM sends Non-Delivery Reports (NDRs), and the feature cannot be disabled.    The direction from IETF is that NDRs should not be sent in reply to incoming mail; either you reject unwanted messages as they are being received, or you discard silently.    The mail capability in UTM is weak.

I have concluded that the ideal environment is one with (at least) three mail components:

- inbound mail gateway

- mail server

- outbound mail gateway

In this configuration, I use my firewall to ensure that the incoming gateway cannot send outbound mail (port 25 is blocked).   This prevents NDRs as well as ensuring that it cannot be used as additional assurance that it cannot be used as an open relay.

At my outbound gateway, I quarantine messages with subjects starting "Failed:" or "Undeliverable:".   This captures NDRs generated by my mail servers without generating an NDR in return.  You may be able to use other criteria, such as messages coming from postmaster@domain

How could UTM fit into this picture while still using both inbound and outbound features?  Simplest approach is to add an outbound gateway.

Inbound flow:

• Internet -> UTM SMTP proxy -> Mail server

Outbound flow:

• Mail Server -> UTM SMTP Proxy -> Outbound Gateway -> Internet

with the Outbound gateway filtering NDRs based on Subject text or other criteria.

SmaterTools.com has a Windows-based mail server that can be used for free as an incoming or outgoing gateway.   There are a bunch of Unix-based email systems that could also be used, including Exim (which is inside UTM) and PostFix.