Sending mails from external server via internal Exchange

Hello,

we're using Exchange Server internally together with Email Protection. We want to allow two mail accounts to send mails from an external server on the internet.

I allowed the two mailbox users to send mail (via Relaying tab under Authenticated Relay).
This works fine. But now I've noticed that these two users can send mails with any sender.
Theoretically they can use the mail address of the company boss as sender mail.

How is this possible? Can I restrict this in the UTM?

Regards
UTMaddict

  • Are the two users part of a shared mailbox, and sending it out as another user that is part of that share?  They shouldn't be able to send as another user if your security is set up correctly.  AD environment?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • It is an AD environment.
    The two mailboxes are shared mailboxes and the users are the (by default) disabled Active Directory users/user objects of the mailboxes itself.

  • UTM will not check the mail FROM. Host-based relays will always accept any email. 

    Only Central Email will verify the Mail From. 


  • That's a permission issue, not a UTM issue.  If they have rights to send in Exchange from a shared box, they can do it.  

    Even if the users are disabled, they are still part of the share (stupid, yes I know, but Microsoft...).  You should remove them from the shared mailbox, or at the very least change the permissions so that they can read only and not send.


  • But these are default users which are added by the Exchange automatically if I add a shared mailbox via Exchange ECP.
    By default they are disabled.
    Example: If my shared mailbox is called team1@mymail.com there is automatically a disabled user which is called team1.

    I enabled them and gave them a password to use the accounts for sending mails directly from it.

  • Toni, he's asking about outbound email, not inbound.  Does Central Email check the From for emails sent from the external server via internal Exchange?  How would it know?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is correct. If you do a host-based relay (or authenticated relay) it will accept every email From. 

    But Central Email will only accept email From addresses which are created and sit in your email domain. You cannot send emails from a non-existing email address in CEMA.

  • You should still be able to actually remove the mailbox user that it was created for from that mailbox to prevent that very thing.  


  • Thanks, Toni - are you saying that Central Email can enforce that the From is the same as the Sender?  Otherwise, he's worried that the remote users could spoof the boss's email address which is an existing one.

    Cheers - Bob

  • Essentially the Sender (Mail From and From) has to be the same in CEMA, yes. 

    But in UTM you can even send an email with "FROM" whatever you like. UTM will accept this email regardless, even if you use test@sophos.com. But you will end up on all sorts of blacklists. 
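The two relay behaviours described in this thread, modelled as an added example (not code from the thread, from Sophos UTM or from Central Email): a relay that accepts any envelope sender once the client has authenticated, beside a relay that requires the envelope MAIL FROM and the header From to match the authenticated login. The SMTP session, the message and the address table are constructed; `ALLOWED_SENDERS`, the `team1`/`team2` logins and the `support@mymail.com` alias are assumptions for illustration.

```python
"""Sender-alignment check for an authenticated SMTP relay (added example).

Models the two policies discussed in the thread:
  * relay_accepts_anything    - a valid SMTP AUTH login is all that is checked,
                                 the envelope sender is accepted as-is
                                 (the behaviour described for the UTM relay);
  * relay_requires_alignment  - MAIL FROM and the header From must both be
                                 addresses the login is allowed to send as
                                 (the behaviour described for Central Email).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed (assumption): which sender addresses each relay login may use.
ALLOWED_SENDERS = {
    "team1@mymail.com": {"team1@mymail.com"},
    "team2@mymail.com": {"team2@mymail.com", "support@mymail.com"},  # hypothetical alias
}

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def envelope_sender(session_lines):
    """Return the address given in the MAIL FROM command, or None if absent.

    A null reverse path (MAIL FROM:<>) is returned as the empty string; the
    aligned policy below rejects it, since no login may send as "".
    """
    for line in session_lines:
        m = MAIL_FROM_RE.match(line.strip())
        if m:
            return m.group(1).strip().lower()
    return None


def header_from(message_text):
    """Return the bare address of the message's From: header (display name dropped)."""
    msg = message_from_string(message_text)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower()


def relay_accepts_anything(auth_user, mail_from, from_addr):
    """Authenticated/host-based relay: only the login is checked."""
    return auth_user in ALLOWED_SENDERS


def relay_requires_alignment(auth_user, mail_from, from_addr):
    """Aligned relay: envelope and header sender must be addresses of this login."""
    allowed = ALLOWED_SENDERS.get(auth_user, set())
    return mail_from in allowed and from_addr in allowed


def evaluate(auth_user, session_lines, message_text):
    """Run both policies over one relayed message and report the decisions."""
    mail_from = envelope_sender(session_lines)
    from_addr = header_from(message_text)
    return {
        "mail_from": mail_from,
        "header_from": from_addr,
        "authenticated_relay": relay_accepts_anything(auth_user, mail_from, from_addr),
        "aligned_relay": relay_requires_alignment(auth_user, mail_from, from_addr),
    }


# Constructed session: the team1 login authenticates, then uses the boss's address.
SPOOFED_SESSION = [
    "EHLO ext.example.net",
    "AUTH PLAIN dGVhbTEA...",          # credentials elided in the constructed sample
    "MAIL FROM:<boss@mymail.com>",
    "RCPT TO:<customer@example.org>",
    "DATA",
]
SPOOFED_MESSAGE = (
    'From: "The Boss" <boss@mymail.com>\n'
    "To: customer@example.org\n"
    "Subject: Urgent payment\n\n"
    "Please pay the attached invoice.\n"
)

# Constructed session: the same login sends as itself.
HONEST_SESSION = ["EHLO ext.example.net", "AUTH PLAIN dGVhbTEA...",
                  "MAIL FROM:<team1@mymail.com>", "RCPT TO:<customer@example.org>", "DATA"]
HONEST_MESSAGE = "From: Team 1 <team1@mymail.com>\nTo: customer@example.org\n\nHello.\n"


if __name__ == "__main__":
    for label, session, message in (("spoofed", SPOOFED_SESSION, SPOOFED_MESSAGE),
                                    ("honest", HONEST_SESSION, HONEST_MESSAGE)):
        print(label, evaluate("team1@mymail.com", session, message))
```

The spoofed session is accepted by the first policy and rejected by the second, which is the difference the thread turns on. Note that the aligned check is a relay-side control: an Exchange "Send As" permission only matters for mail that actually passes through Exchange, so if the external server relays through the UTM straight to the internet, Exchange permissions never come into play.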