Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 4 subscribers
  • Views 1497 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Open relay problem

Johnny Long

We are using UTM as our mail gateway, lately, a lot of our users have received spoofing emails that appear from themself.

We use emailspooftest dotcom site to test our mail servers, and it detects the problem was 

Internal authentication is not enforced.

Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting.

Could anyone suggest how to fix this problem in Sophos? 



This thread was automatically locked due to age.
Parents
  • 0

    We have SPF check enabled, it seems that Sophos UTM doesn't enforce relay authentication check, which makes our server an open relay.

    This is the spoofing email header that looks like

    Received: from EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) by
 EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8
 via Mailbox Transport; Wed, 4 May 2022 04:16:58 +1000
Received: from EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) by
 EX2016-MDB-C.MYDOMAIN.Hosted (10.2.4.212) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.8; Wed, 4 May 2022 04:16:58 +1000
Received: from ip-1xxxxxxxx-2.compute.internal (10.2.6.109) by
 EX2016-MDB-AN.MYDOMAIN.Hosted (10.2.2.129) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8
 via Frontend Transport; Wed, 4 May 2022 04:17:40 +1000
Received: from [10.2.6.120] (helo=mail.MYDOMAIN.net)
	by ip-1xxxxxxxx-2.compute.internal with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.90_1)
	(envelope-from <lxxxxx@xxxxx.com>)
	id 1nlx5g-0003dL-JJ
	for lxxxxx@xxxxx.com; Wed, 04 May 2022 04:17:40 +1000
Received: from mail.ghfhgdg.com ([85.239.34.13]:33068)
	by mail.MYDOMAIN.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <lxxxxx@xxxxx.com>)
	id 1nlx5X-00057p-2m
	for lxxxxx@xxxxx.com;
	Wed, 04 May 2022 04:17:32 +1000
Received: from ip63.ip-51-91-202.eu ([51.91.202.63]:53416 helo=galsan.com)
	by mail.ghfhgdg.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.95)
	(envelope-from <lxxxxx@xxxxx.com>)
	id 1nlx5V-0007v8-Vs
	for lxxxxx@xxxxx.com;
	Tue, 03 May 2022 21:17:28 +0300
X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000,
	BODYTEXTP_SIZE_3000_LESS 0.000000, BODYTEXTP_SIZE_400_LESS 0.000000,
	BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000,
	EXCESSIVE_SUBDOMAINS7 3.000000, FRAUD_ATTACH 0.050000,
	FROM_NAME_ALLCAPS 0.100000, FROM_RCPT_DOMAIN_NOT_IN_RCVD 0.000000,
	FROM_SAME_AS_TO_DOMAIN 0.000000, HTML_90_100 0.100000, HTML_95_100 0.100000,
	IMGSPAM_TABLE_1 0.000000, NO_FUR_HEADER 0.000000, NO_URI_HTTPS 0.000000,
	OUTBOUND 0.000000, OUTBOUND_SOPHOS 0.000000, SENDER_NO_AUTH 0.000000,
	SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_HREF_URI_WITH_EMAIL 0.000000,
	__ANY_URI 0.000000, __ATTACHMENT_PHRASE 0.000000, __BODY_NO_MAILTO 0.000000,
	__BULK_NEGATE 0.000000, __CSHC_NS_B_FN_FA 0.000000, __CT 0.000000,
	__CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000,
	__CTYPE_MULTIPART_ALT 0.000000, __DATA_URL_SCHEME 0.000000,
	__DATE_TZ_HK 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
	__DQ_NEG_IP 0.000000, __EXCESSIVE_SUBDOMAINS6 0.000000,
	__EXCESSIVE_SUBDOMAINS7 0.000000, __FAX_BODY 0.000000,
	__FILESHARE_PHRASE 0.000000, __FRAUD_ANTIABUSE 0.000000,
	__FROM_DOMAIN_IN_ANY_TO1 0.000000, __FROM_DOMAIN_IN_RCPT 0.000000,
	__FROM_NAME_NOT_IN_ADDR 0.000000, __FROM_NAME_NOT_IN_BODY 0.000000,
	__FUR_RDNS_SOPHOS 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
	__HAS_MSGID 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000,
	__HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000,
	__HTML_TAG_TABLE 0.000000, __IMGSPAM_TABLE_1 0.000000,
	__IMG_THEN_TEXT 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000,
	__MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000,
	__MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
	__MULTIPLE_URI_TEXT 0.000000, __OUTBOUND_SOPHOS_FUR 0.000000,
	__OUTBOUND_SOPHOS_FUR_IP 0.000000, __OUTBOUND_SOPHOS_FUR_RDNS 0.000000,
	__PHISH_PHRASE10_D 0.000000, __RCPT_DOMAIN_IS_FROM_DOMAIN 0.000000,
	__SANE_MSGID 0.000000, __SUBJ_ALPHA_END 0.000000, __TAG_EXISTS_HTML 0.000000,
	__TO_DOMAIN_IN_FROM 0.000000, __TO_DOMAIN_IN_MSGID 0.000000,
	__TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
	__URI_EMAIL_IN_QUERY 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NO_WWW 0.000000,
	__URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000
X-SASI-Probability: 30%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.5.3.173622
From: HOA ORDERS <lxxxxx@xxxxx.com>
To: <lxxxxx@xxxxx.com>
Subject: Requested HOA Letter
Date: Wed, 4 May 2022 02:17:27 +0800
Message-ID: <20220504021727.BFD45D6D250BF3FA@xxxxx.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0012_1F95ED89.02DDA1DF"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.ghfhgdg.com
X-AntiAbuse: Original Domain - xxxxx.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - xxxxx.com
X-Get-Message-Sender-Via: mail.ghfhgdg.com: authenticated_id: dennis@ghfhgdg.com
X-Authenticated-Sender: mail.ghfhgdg.com: dennis@ghfhgdg.com
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: lxxxxx@xxxxx.com
X-MS-Exchange-Organization-Network-Message-Id: 2be4961d-c269-4b3a-e3f4-08da2d3135da
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: EX2016-MDB-AN.MYDOMAIN.Hosted
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008

  • 0 in reply to Johnny Long

    Are you sure that you have -all instead of ~all in your DNS SPF record?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data
Unfiltered HTML