
UTM 210 9.7: SMTP Relaying: Combine authenticated and host-based relay

Hello,

we use our Sophos UTM as an SMTP relay in front of our Exchange servers.

We have several web applications that are hosted elsewhere and that use our Sophos as their SMTP relay; all of them appear in the list of "Allowed Hosts/Networks" under Host-based Relaying. That is working as expected.

Now I am about to configure a new web application that needs to relay by user authentication. I add the user to the list of "Allowed users/groups" under "User based relay". That is working as expected.

The only problem is that by opening "authenticated relaying", there are lots of denied connections that potentially slow down the system, or even block user accounts after several denied connections.

I am looking for a way to limit the "Authenticated relaying" to a limited Network group (the IPs of my Web Application).

Can anybody help me?

Thanks,

George



  • Hi, George, and welcome to the UTM Community!

    It's not clear to me why you'd need to configure authenticated relaying in the UTM if it's the application doing the authentication, so I don't "see" the problem.  If Authenticated Relay in the UTM is needed, please insert a few relevant text lines from the SMTP log so that we can see the error reported there.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for your welcome and your reply.

    I try to explain it better:

    Most of my web applications use the SMTP relay without authentication by account/password; the UTM allows relaying simply based on their IP address. So far so good.

    The new web application I am trying to configure asks me for SMTP settings: Host/Port/Encryption/Account/Password. It does not allow leaving Account/Password empty.

    When I check 'Authenticate Relaying' and add an account to the list it works, but at the same time I see numerous attempts to log in to the SMTP server.

    So my idea is to add a rule to allow authentication only for the network of my new web application.

    Does it make sense?

    Thanks in advance for your help.

    George


  • Thanks for the clarification, George, but...

    Without seeing lines copied from the logs, it's difficult to analyze.

    Cheers - Bob

  • Hi Bob.

    Please find some examples below with authenticated relay enabled for a single user "allowed@123.org"

    Mails from x.y.z.a with correct authentication are treated as expected:

    2023:03:17-15:19:53 sgp-1 exim-in[23644]: 2023-03-17 15:19:53 [x.y.z.a] F=<allowed@123.org> R=<user@234.fr> Accepted: from authenticated user 'allowed'
    2023:03:17-15:19:53 sgp-1 exim-in[23644]: 2023-03-17 15:19:53 1pdAvx-00069M-0r <= allowed@123.org H=123e.amazonaws.com ([127.0.0.1]) [x.y.z.a]:9024 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=server_login:allowed S=3004 id=07806567587dfe4b5deabsdfsdf10524d03abd@swift.generated
    2023:03:17-15:19:53 sgp-1 exim-in[23644]: 2023-03-17 15:19:53 SMTP connection from 123e.amazonaws.com ([127.0.0.1]) [x.y.z.a]:9024 closed by QUIT

    But at the same time I have thousands of authentication attempts a day, like:

    2023:03:17-15:19:53 sgp-1 exim-in[23613]: 2023-03-17 15:19:53 server_login authenticator failed for (User) [81.94.195.25]:47394: 535 Incorrect authentication data (set_id=msdnaa@123.org)
    2023:03:17-15:19:53 sgp-1 exim-in[23624]: 2023-03-17 15:19:53 server_login authenticator failed for (User) [81.94.195.25]:64524: 535 Incorrect authentication data (set_id=msdnaa@123.org)
    2023:03:17-15:19:54 sgp-1 exim-in[23614]: 2023-03-17 15:19:54 server_login authenticator failed for (User) [230.14.93.25]:7880: 535 Incorrect authentication data (set_id=msdnaa@123.org)
    2023:03:17-15:19:54 sgp-1 exim-in[23596]: 2023-03-17 15:19:54 server_login authenticator failed for (localhost) [23.48.20.14]:40002: 535 Incorrect authentication data (set_id=offers)

    What I would like to achieve:

    Limit the possibility of authentication to x.y.z.a in order to get rid of the authentication attempts from other IPs.

    When I disable authentication relay completely, also x.y.z.a will not be able to transmit mail any more.

    2023:04:21-10:25:46 sgp-1 exim-in[28289]: 2023-04-21 10:25:46 SMTP connection from [x.y.z.a]:56546 (TCP/IP connection count = 1)
    2023:04:21-10:25:46 sgp-1 exim-in[2198]: 2023-04-21 10:25:46 H=x.y.z.a.central-1.compute.amazonaws.com ([127.0.0.1]) [x.y.z.a]:56546 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<notallowed@123.org> rejected RCPT <123@extern.df>: Authentication required for connections on TCP port 587
    2023:04:21-10:25:46 sgp-1 exim-in[2198]: 2023-04-21 10:25:46 SMTP connection from x.y.z.a.central-1.compute.amazonaws.com ([127.0.0.1]) [x.y.z.a]:56546 closed by DROP in ACL

    Thanks for your help.

    George

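The log excerpts in the post above, and the "[WARN-070] Too many failed logins" notifications Markus describes further down, are what you have to work with when deciding whether the authenticated-relay listener is being abused. The script below is an added example, not code from this thread or from Sophos: it parses exim-in lines in the three shapes quoted here (failed AUTH with 535, accepted authenticated relay, and the "Authentication required for connections on TCP port 587" rejection), counts failures per source address and per probed account name, lists successful authentications, and flags any that come from outside the networks you expect to relay for. The sample lines are constructed, with RFC 5737 documentation addresses standing in for x.y.z.a and for the bot IPs; the allow list and the failure threshold are assumptions.

```python
"""Triage Sophos UTM exim-in SMTP log lines: which sources are brute-forcing
SMTP AUTH, which accounts they probe, who authenticated successfully, and
whether any successful authentication came from an unexpected network."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the exim-in lines quoted in the thread.
# Addresses are RFC 5737 documentation ranges: 203.0.113.10 plays the role of
# the web application (x.y.z.a); the others play the role of the bots.
SAMPLE_LOG = """\
2023:03:17-15:19:53 sgp-1 exim-in[23644]: 2023-03-17 15:19:53 [203.0.113.10] F=<allowed@123.org> R=<user@234.fr> Accepted: from authenticated user 'allowed'
2023:03:17-15:19:53 sgp-1 exim-in[23613]: 2023-03-17 15:19:53 server_login authenticator failed for (User) [198.51.100.25]:47394: 535 Incorrect authentication data (set_id=msdnaa@123.org)
2023:03:17-15:19:53 sgp-1 exim-in[23624]: 2023-03-17 15:19:53 server_login authenticator failed for (User) [198.51.100.25]:64524: 535 Incorrect authentication data (set_id=msdnaa@123.org)
2023:03:17-15:19:54 sgp-1 exim-in[23614]: 2023-03-17 15:19:54 server_login authenticator failed for (User) [198.51.100.25]:7880: 535 Incorrect authentication data (set_id=msdnaa@123.org)
2023:03:17-15:19:54 sgp-1 exim-in[23596]: 2023-03-17 15:19:54 server_login authenticator failed for (localhost) [192.0.2.14]:40002: 535 Incorrect authentication data (set_id=offers)
2023:04:21-10:25:46 sgp-1 exim-in[2198]: 2023-04-21 10:25:46 H=app.example.net ([127.0.0.1]) [203.0.113.10]:56546 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<notallowed@123.org> rejected RCPT <123@extern.df>: Authentication required for connections on TCP port 587
"""

# One regex per line shape seen in the thread.
FAILED_RE = re.compile(
    r"authenticator failed for \(([^)]*)\) \[([0-9A-Fa-f.:]+)\]:\d+: "
    r"535 Incorrect authentication data \(set_id=([^)]*)\)"
)
ACCEPTED_RE = re.compile(
    r"\[([0-9A-Fa-f.:]+)\] F=<([^>]*)> R=<([^>]*)> "
    r"Accepted: from authenticated user '([^']*)'"
)
REJECTED_RE = re.compile(
    r"\[([0-9A-Fa-f.:]+)\]:\d+ .*rejected RCPT <([^>]*)>: (.*)$"
)


def in_networks(ip, networks):
    """True if ip lies in any of the CIDR strings in networks."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in networks)


def summarize(log_text, allowed_networks):
    """Classify each line and aggregate per source IP and per probed account.

    allowed_networks: CIDRs of the hosts you expect to relay through the UTM
    (the thread's 'Allowed Hosts/Networks'); anything else that manages to
    authenticate is worth a second look.
    """
    failed_by_ip = Counter()
    probed_accounts = Counter()
    accepted = []   # (ip, authenticated user)
    rejected = []   # (ip, reason)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _helo, ip, set_id = m.groups()
            failed_by_ip[ip] += 1
            probed_accounts[set_id] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            ip, _sender, _rcpt, user = m.groups()
            accepted.append((ip, user))
            continue
        m = REJECTED_RE.search(line)
        if m:
            ip, _rcpt, reason = m.groups()
            rejected.append((ip, reason))
    unexpected_auth = sorted(
        {ip for ip, _ in accepted if not in_networks(ip, allowed_networks)}
    )
    return {
        "failed_by_ip": failed_by_ip,
        "probed_accounts": probed_accounts,
        "accepted": accepted,
        "rejected": rejected,
        "unexpected_auth": unexpected_auth,
    }


def brute_force_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failed AUTH attempts. The threshold
    is an assumption; the UTM's own lockout uses its own counter."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    # Assumed allow list: the web application's /24 (placeholder for x.y.z.a).
    s = summarize(SAMPLE_LOG, ["203.0.113.0/24"])
    print("failed AUTH per source:", dict(s["failed_by_ip"]))
    print("account names probed:  ", dict(s["probed_accounts"]))
    print("successful AUTH:       ", s["accepted"])
    print("rejected (no AUTH):    ", s["rejected"])
    print("AUTH from unexpected networks:", s["unexpected_auth"])
    print("brute-force sources (>=3 failures):", brute_force_sources(s))
```

Run it against a copy of the real SMTP log instead of SAMPLE_LOG to see which addresses are hammering the listener and which account names they are guessing. Once the thread's eventual fix is in place (the web application's IPs in "Allowed Hosts/Networks" and "Authenticate Relaying" unchecked), the failed-AUTH lines should stop appearing; any that still do mean the authenticated listener is still reachable. The rejected line with "Authentication required for connections on TCP port 587" is what the web application's own address produces when authenticated relaying is switched off before that address is added to the host-based list.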
  • Hello forum,

    can anybody help us understanding that issue?

    Have a good day.

    George

  • If you haven't resolved this, George, please insert a picture of the 'Hostbased Relay' section on the 'Relaying' tab of SMTP.

    Cheers - Bob

  • Hello everyone,

    after some more tests here is the solution (a bit counterintuitive for me though):

    I simply add the IP addresses of my web application to the list of "Allowed Hosts/Networks", which allows these hosts to send over my UTM SMTP relay.

    Whether my web application tries to authenticate with username/password does not matter then. I can leave "Authenticate Relaying" unchecked.

    Thanks Bob.

    Georg

  • I think the problem description is fine. I have exactly the same problem, and I don't think the current Sophos UTM is capable of the requested functionality without more manual configuration.

    My case is a Wordpress website hosted on an external shared server. I do trust our site, but not others on the same shared host.

    The design flaw in UTM is that enabling "Allow authenticated relaying" implicitly opens SMTP for ANY [sic!] host. Yes, SMTP connections from unauthenticated hosts that are not in the Allowed Hosts/Networks list will eventually be dropped, but they still increase load, and they quickly lead to way too many "[WARN-070] Too many failed logins" notification mails once the initial gates are open to all the bots out there.

    Example mail:

    Too many failed logins from 95.214.25.129 for facility smtp.
    Further logins will be blocked for 600 seconds.

    We could probably create a DNAT rule that blackholes SMTP traffic from unwanted hosts, but that would be quite obscure and would require us to manually keep that whitelist in sync with the Allowed Hosts/Networks list.

    For now, I'll bite the bullet and hope others on that shared host don't realize we essentially have an open relay for them.

    Cheers

    Markus

  • This is a known design flaw in the way UTM does SMTP.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.