Open relay problem

We are using UTM as our mail gateway, lately, a lot of our users have received spoofing emails that appear from themself.

We use emailspooftest dotcom site to test our mail servers, and it detects the problem was 

Internal authentication is not enforced.

Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting.

Could anyone suggest how to fix this problem in Sophos? 

Parents
  • We have SPF check enabled, it seems that Sophos UTM doesn't enforce relay authentication check, which makes our server an open relay.

    This is the spoofing email header that looks like

    Received: from EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) by
     EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8
     via Mailbox Transport; Wed, 4 May 2022 04:16:58 +1000
    Received: from EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) by
     EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
     15.1.2308.8; Wed, 4 May 2022 04:16:58 +1000
    Received: from ip-1xxxxxxxx-2.compute.internal (10.2.6.109) by
     EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) with Microsoft SMTP Server
     (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8
     via Frontend Transport; Wed, 4 May 2022 04:17:40 +1000
    Received: from [10.2.6.120] (helo=mail.MYDOMAIN.net)
    	by ip-1xxxxxxxx-2.compute.internal with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    	(Exim 4.90_1)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5g-0003dL-JJ
    	for lxxxxx@xxxxx.com; Wed, 04 May 2022 04:17:40 +1000
    Received: from mail.ghfhgdg.com ([85.239.34.13]:33068)
    	by mail.MYDOMAIN.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    	(Exim 4.95)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5X-00057p-2m
    	for lxxxxx@xxxxx.com;
    	Wed, 04 May 2022 04:17:32 +1000
    Received: from ip63.ip-51-91-202.eu ([51.91.202.63]:53416 helo=galsan.com)
    	by mail.ghfhgdg.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    	(Exim 4.95)
    	(envelope-from <lxxxxx@xxxxx.com>)
    	id 1nlx5V-0007v8-Vs
    	for lxxxxx@xxxxx.com;
    	Tue, 03 May 2022 21:17:28 +0300
    X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000,
    	BODYTEXTP_SIZE_3000_LESS 0.000000, BODYTEXTP_SIZE_400_LESS 0.000000,
    	BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000,
    	EXCESSIVE_SUBDOMAINS7 3.000000, FRAUD_ATTACH 0.050000,
    	FROM_NAME_ALLCAPS 0.100000, FROM_RCPT_DOMAIN_NOT_IN_RCVD 0.000000,
    	FROM_SAME_AS_TO_DOMAIN 0.000000, HTML_90_100 0.100000, HTML_95_100 0.100000,
    	IMGSPAM_TABLE_1 0.000000, NO_FUR_HEADER 0.000000, NO_URI_HTTPS 0.000000,
    	OUTBOUND 0.000000, OUTBOUND_SOPHOS 0.000000, SENDER_NO_AUTH 0.000000,
    	SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_HREF_URI_WITH_EMAIL 0.000000,
    	__ANY_URI 0.000000, __ATTACHMENT_PHRASE 0.000000, __BODY_NO_MAILTO 0.000000,
    	__BULK_NEGATE 0.000000, __CSHC_NS_B_FN_FA 0.000000, __CT 0.000000,
    	__CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000,
    	__CTYPE_MULTIPART_ALT 0.000000, __DATA_URL_SCHEME 0.000000,
    	__DATE_TZ_HK 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
    	__DQ_NEG_IP 0.000000, __EXCESSIVE_SUBDOMAINS6 0.000000,
    	__EXCESSIVE_SUBDOMAINS7 0.000000, __FAX_BODY 0.000000,
    	__FILESHARE_PHRASE 0.000000, __FRAUD_ANTIABUSE 0.000000,
    	__FROM_DOMAIN_IN_ANY_TO1 0.000000, __FROM_DOMAIN_IN_RCPT 0.000000,
    	__FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000,
    	__FUR_RDNS_SOPHOS 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
    	__HAS_MSGID 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000,
    	__HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000,
    	__HTML_TAG_TABLE 0.000000, __IMGSPAM_TABLE_1 0.000000,
    	__IMG_THEN_TEXT 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000,
    	__MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000,
    	__MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
    	__MULTIPLE_URI_TEXT 0.000000, __OUTBOUND_SOPHOS_FUR 0.000000,
    	__OUTBOUND_SOPHOS_FUR_IP 0.000000, __OUTBOUND_SOPHOS_FUR_RDNS 0.000000,
    	__PHISH_PHRASE10_D 0.000000, __RCPT_DOMAIN_IS_FROM_DOMAIN 0.000000,
    	__SANE_MSGID 0.000000, __SUBJ_ALPHA_END 0.000000, __TAG_EXISTS_HTML 0.000000,
    	__TO_DOMAIN_IN_FROM 0.000000, __TO_DOMAIN_IN_MSGID 0.000000,
    	__TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
    	__URI_EMAIL_IN_QUERY 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
    	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NO_WWW 0.000000,
    	__URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000
    X-SASI-Probability: 30%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.5.3.173622
    From: HOA ORDERS <lxxxxx@xxxxx.com>
    To: <lxxxxx@xxxxx.com>
    Subject: Requested HOA Letter
    Date: Wed, 4 May 2022 02:17:27 +0800
    Message-ID: <20220504021727.BFD45D6D250BF3FA@xxxxx.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0012_1F95ED89.02DDA1DF"
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - mail.ghfhgdg.com
    X-AntiAbuse: Original Domain - xxxxx.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - xxxxx.com
    X-Get-Message-Sender-Via: mail.ghfhgdg.com: authenticated_id: dennis@ghfhgdg.com
    X-Authenticated-Sender: mail.ghfhgdg.com: dennis@ghfhgdg.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    Return-Path: lxxxxx@xxxxx.com
    X-MS-Exchange-Organization-Network-Message-Id: 2be4961d-c269-4b3a-e3f4-08da2d3135da
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EX2016-MDB-AN.MYDOMAIN.Hosted
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008

  • Are you sure that you have -all instead of ~all in your DNS SPF record?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data