
Open relay problem

We are using UTM as our mail gateway. Lately, a lot of our users have received spoofing emails that appear to be from themselves.

We use the emailspooftest dotcom site to test our mail servers, and it detected the problem as:

Internal authentication is not enforced.

Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting.

Could anyone suggest how to fix this problem in Sophos? 



  • We have SPF check enabled; it seems that Sophos UTM doesn't enforce a relay authentication check, which makes our server an open relay.

    This is what the spoofing email header looks like:

    Received: from EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) by
     EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8
     via Mailbox Transport; Wed, 4 May 2022 04:16:58 +1000
    Received: from EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) by
     EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
     15.1.2308.8; Wed, 4 May 2022 04:16:58 +1000
    Received: from ip-1xxxxxxxx-2.compute.internal (10.2.6.109) by
     EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8
     via Frontend Transport; Wed, 4 May 2022 04:17:40 +1000
    Received: from [10.2.6.120] (helo=mail.MYDOMAIN.net)
    	by ip-1xxxxxxxx-2.compute.internal with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    	(Exim 4.90_1)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5g-0003dL-JJ
    	for lxxxxx@xxxxx.com; Wed, 04 May 2022 04:17:40 +1000
    Received: from mail.ghfhgdg.com ([85.239.34.13]:33068)
    	by mail.MYDOMAIN.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    	(Exim 4.95)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5X-00057p-2m
    	for lxxxxx@xxxxx.com;
    	Wed, 04 May 2022 04:17:32 +1000
    Received: from ip63.ip-51-91-202.eu ([51.91.202.63]:53416 helo=galsan.com)
    	by mail.ghfhgdg.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    	(Exim 4.95)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5V-0007v8-Vs
    	for lxxxxx@xxxxx.com;
    	Tue, 03 May 2022 21:17:28 +0300
    X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000,
    	BODYTEXTP_SIZE_3000_LESS 0.000000, BODYTEXTP_SIZE_400_LESS 0.000000,
    	BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000,
    	EXCESSIVE_SUBDOMAINS7 3.000000, FRAUD_ATTACH 0.050000,
    	FROM_NAME_ALLCAPS 0.100000, FROM_RCPT_DOMAIN_NOT_IN_RCVD 0.000000,
    	FROM_SAME_AS_TO_DOMAIN 0.000000, HTML_90_100 0.100000, HTML_95_100 0.100000,
    	IMGSPAM_TABLE_1 0.000000, NO_FUR_HEADER 0.000000, NO_URI_HTTPS 0.000000,
    	OUTBOUND 0.000000, OUTBOUND_SOPHOS 0.000000, SENDER_NO_AUTH 0.000000,
    	SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_HREF_URI_WITH_EMAIL 0.000000,
    	__ANY_URI 0.000000, __ATTACHMENT_PHRASE 0.000000, __BODY_NO_MAILTO 0.000000,
    	__BULK_NEGATE 0.000000, __CSHC_NS_B_FN_FA 0.000000, __CT 0.000000,
    	__CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000,
    	__CTYPE_MULTIPART_ALT 0.000000, __DATA_URL_SCHEME 0.000000,
    	__DATE_TZ_HK 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
    	__DQ_NEG_IP 0.000000, __EXCESSIVE_SUBDOMAINS6 0.000000,
    	__EXCESSIVE_SUBDOMAINS7 0.000000, __FAX_BODY 0.000000,
    	__FILESHARE_PHRASE 0.000000, __FRAUD_ANTIABUSE 0.000000,
    	__FROM_DOMAIN_IN_ANY_TO1 0.000000, __FROM_DOMAIN_IN_RCPT 0.000000,
    	__FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000,
    	__FUR_RDNS_SOPHOS 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
    	__HAS_MSGID 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000,
    	__HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000,
    	__HTML_TAG_TABLE 0.000000, __IMGSPAM_TABLE_1 0.000000,
    	__IMG_THEN_TEXT 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000,
    	__MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000,
    	__MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
    	__MULTIPLE_URI_TEXT 0.000000, __OUTBOUND_SOPHOS_FUR 0.000000,
    	__OUTBOUND_SOPHOS_FUR_IP 0.000000, __OUTBOUND_SOPHOS_FUR_RDNS 0.000000,
    	__PHISH_PHRASE10_D 0.000000, __RCPT_DOMAIN_IS_FROM_DOMAIN 0.000000,
    	__SANE_MSGID 0.000000, __SUBJ_ALPHA_END 0.000000, __TAG_EXISTS_HTML 0.000000,
    	__TO_DOMAIN_IN_FROM 0.000000, __TO_DOMAIN_IN_MSGID 0.000000,
    	__TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
    	__URI_EMAIL_IN_QUERY 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
    	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NO_WWW 0.000000,
    	__URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000
    X-SASI-Probability: 30%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.5.3.173622
    From: HOA ORDERS <lxxxxx@xxxxx.com>
    To: <lxxxxx@xxxxx.com>
    Subject: Requested HOA Letter
    Date: Wed, 4 May 2022 02:17:27 +0800
    Message-ID: <20220504021727.BFD45D6D250BF3FA@xxxxx.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0012_1F95ED89.02DDA1DF"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - mail.ghfhgdg.com
    X-AntiAbuse: Original Domain - xxxxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - xxxxx.com
    X-Get-Message-Sender-Via: mail.ghfhgdg.com: authenticated_id: dennis@ghfhgdg.com
    X-Authenticated-Sender: mail.ghfhgdg.com: dennis@ghfhgdg.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: lxxxxx@xxxxx.com
    X-MS-Exchange-Organization-Network-Message-Id: 2be4961d-c269-4b3a-e3f4-08da2d3135da
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EX2016-MDB-AN.MYDOMAIN.Hosted
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008

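The fix quoted in the original post (only allow specific IP addresses to send mail from internal domains) and the header posted in the reply describe the same check: at the hop where the gateway accepted the message (the `Received: ... by mail.MYDOMAIN.net` line above), the connecting address was an outside host while the envelope sender and `From:` claimed an internal address. The following Python is an added example that is not from the thread or from Sophos; it implements that check as a stand-alone detector that can be run over a saved header block, for instance when triaging a reported message. It parses the folded `Received:` chain, finds the hop received by a hypothetical gateway host `mail.example.com`, and flags the message when the claimed sender domain is one of the internal domains but the submitting IP is not in an allowlist of internal submitters. All domains, hostnames, addresses and the sample header blocks are constructed for the example.

```python
"""Added example (not from the thread): relay/sender-domain check over a
raw header block, modelled on the posted Exim/Exchange Received: chain."""
import ipaddress
import re
from typing import Optional

# Hypothetical policy: the domains we own, and the only networks allowed
# to hand mail with a sender in those domains to our inbound gateway.
INTERNAL_DOMAINS = {"example.com"}
ALLOWED_SUBMITTERS = [ipaddress.ip_network("10.2.0.0/16"),
                      ipaddress.ip_network("203.0.113.10/32")]
GATEWAY_HOST = "mail.example.com"  # hypothetical 'by' host of our gateway

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> list:
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def header_values(lines: list, name: str) -> list:
    """All values of header `name`, top to bottom, case-insensitively."""
    prefix = name.lower() + ":"
    return [l[len(prefix):].strip() for l in lines if l.lower().startswith(prefix)]


def received_hop(value: str) -> dict:
    """Extract the connecting IP, the receiving host and the envelope
    sender from one unfolded Received: header."""
    from_part, _, rest = value.partition(" by ")
    ip_match = IPV4.search(from_part)          # first IPv4 in the 'from' clause
    by_match = re.match(r"(\S+)", rest)
    env = re.search(r"envelope-from <([^>]+)>", value)
    return {
        "ip": ip_match.group(1) if ip_match else None,
        "by": by_match.group(1).lower() if by_match else None,
        "envelope_from": env.group(1).lower() if env else None,
    }


def sender_domain(address: Optional[str]) -> Optional[str]:
    return address.rsplit("@", 1)[-1].lower() if address and "@" in address else None


def check_internal_spoof(raw_headers: str) -> Optional[str]:
    """Return a reason string when a message claiming an internal sender
    reached GATEWAY_HOST from a non-allowlisted IP; None when it is clean."""
    lines = unfold(raw_headers)
    hops = [received_hop(v) for v in header_values(lines, "Received")]
    entry = next((h for h in hops if h["by"] == GATEWAY_HOST), None)
    if entry is None or entry["ip"] is None:
        return None  # never passed through our gateway, or hop unparsable
    froms = header_values(lines, "From")
    angle = re.search(r"<([^>]+)>", froms[0]) if froms else None
    from_addr = angle.group(1) if angle else (froms[0] if froms else None)
    claimed = {sender_domain(entry["envelope_from"]), sender_domain(from_addr)}
    claimed.discard(None)
    internal_claim = claimed & INTERNAL_DOMAINS
    if not internal_claim:
        return None  # external sender domain: SPF/DMARC territory, not this check
    ip = ipaddress.ip_address(entry["ip"])
    if any(ip in net for net in ALLOWED_SUBMITTERS):
        return None
    return (f"sender domain {sorted(internal_claim)[0]} submitted from {ip}, "
            f"which is not an allowed internal submitter")


# Constructed sample: outside host hands the gateway a message whose
# envelope sender and From: both claim our own domain (shape of the posted header).
SPOOFED = """\
Received: from [10.2.6.120] (helo=mail.example.com)
\tby ip-10-2-6-109.compute.internal with esmtps (Exim 4.90_1)
\t(envelope-from <alice@example.com>)
\tfor alice@example.com; Wed, 04 May 2022 04:17:40 +1000
Received: from mail.attacker.invalid ([198.51.100.7]:33068)
\tby mail.example.com with esmtps (TLS1.2) (Exim 4.95)
\t(envelope-from <alice@example.com>)
\tfor alice@example.com; Wed, 04 May 2022 04:17:32 +1000
From: HOA ORDERS <alice@example.com>
To: <alice@example.com>
Subject: Requested HOA Letter
"""

# Constructed sample: same claimed domain, but submitted by an allowlisted internal MTA.
LEGIT = """\
Received: from internal-mta.example.com ([10.2.4.50]:25)
\tby mail.example.com with esmtps (TLS1.2) (Exim 4.95)
\t(envelope-from <alice@example.com>)
\tfor bob@example.com; Wed, 04 May 2022 04:17:32 +1000
From: Alice <alice@example.com>
To: <bob@example.com>
Subject: hello
"""

if __name__ == "__main__":
    for label, block in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", check_internal_spoof(block) or "clean")
```

The detector deliberately looks only at the hop received by the gateway host: hops above it are internal relays (Exchange in the posted header) and hops below it are written by the sender's own infrastructure and cannot be trusted. Anything the gateway accepts from the internet with an internal sender domain is a policy violation regardless of what the outside server claims to have authenticated, which is the condition the emailspooftest result in the original post describes.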