UTM 210 9.7: SMTP-Relaying: Combine authenticated and host-based relay

Hello,

we use our Sophos UTM as an SMTP Relay in front of our Exchange Servers.

We have several Web applications that are hosted elsewhere and that use our Sophos as SMTP Relay - all of them figure in the list of "Allowed Hosts/Networks" under Host-based Relaying. That is working as expected.

Now I am about to configure a new Web application that needs to relay by user authentication. I add the user in the list of "Allowed users/groups" under "User based relay". That is working as expected.

The only problem is that by opening the "authenticated relaying", there are lots of Denied connections that potentially slow down the system, or even block user accounts after several denied connections.

I am looking for a way to limit the "Authenticated relaying" to a limited Network group (the IPs of my Web Application).

Can anybody help me?

Thanks,

George

  • I think the problem description is fine. I have exactly the same problem, and I don't think the current Sophos UTM is capable of the requested functionality without more manual configuration.

    My case is a WordPress website hosted on an external shared server. I do trust our site, but not others on the same shared host.

    The design flaw in UTM is that enabling "Allow authenticated relaying" implicitly opens SMTP for ANY [sic!] host. Yes, SMTP connections from unauthenticated hosts that are not in the Allowed Hosts/Networks list will eventually be dropped, but they still increase load, and they quickly lead to way too many "[WARN-070] Too many failed logins" notification mails once the initial gates are open to all the bots out there.

    Example mail:

    Too many failed logins from 95.214.25.129 for facility smtp.
    Further logins will be blocked for 600 seconds.

    We could probably create a DNAT rule that blackholes SMTP traffic from unwanted hosts, but that would be quite obscure and would require us to manually keep that whitelist in sync with the Allowed Hosts/Networks list.

    For now, I'll bite the bullet and hope others on that shared host don't realize we essentially have an open relay for them.

    Cheers

    Markus
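One way to tell the bot noise Markus describes apart from failed logins that come from your own relay clients is to parse the [WARN-070] notification bodies and check each source against the Allowed Hosts/Networks list. The script below is an added example, not code from the thread or from Sophos; the sample notifications are constructed from the format quoted above (95.214.25.129 is the address from the thread, 203.0.113.0/28 is an assumed documentation range standing in for a web application host).

```python
import ipaddress
import re
from collections import Counter

# Matches the body of the "[WARN-070] Too many failed logins" notification
# in the two-sentence form quoted in the thread.
NOTICE_RE = re.compile(
    r"Too many failed logins from (?P<ip>[\d.]+) for facility (?P<facility>\w+)\.\s*"
    r"Further logins will be blocked for (?P<seconds>\d+) seconds\."
)

def parse_notice(text):
    """Return (ip, facility, block_seconds) from one notification body, or None."""
    m = NOTICE_RE.search(text)
    if not m:
        return None
    return m.group("ip"), m.group("facility"), int(m.group("seconds"))

def classify_notices(notices, allowed_networks, facility="smtp"):
    """Split notifications for one facility into sources that are on the allow
    list (a failure there usually means a broken credential on your own web app)
    and unknown sources (bots probing the now-open SMTP port).
    allowed_networks: CIDR strings, e.g. the Allowed Hosts/Networks entries plus
    the IPs of the application that relays with authentication."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    expected, unknown = Counter(), Counter()
    blocked_seconds = 0
    for text in notices:
        parsed = parse_notice(text)
        if parsed is None or parsed[1] != facility:
            continue
        ip, _, seconds = parsed
        addr = ipaddress.ip_address(ip)
        bucket = expected if any(addr in n for n in nets) else unknown
        bucket[ip] += 1
        blocked_seconds += seconds
    return {"expected": dict(expected), "unknown": dict(unknown),
            "blocked_seconds": blocked_seconds}

# Constructed sample notification bodies (not real mail from the thread's system).
SAMPLE_NOTICES = [
    "Too many failed logins from 95.214.25.129 for facility smtp.\nFurther logins will be blocked for 600 seconds.",
    "Too many failed logins from 95.214.25.129 for facility smtp.\nFurther logins will be blocked for 600 seconds.",
    "Too many failed logins from 203.0.113.10 for facility smtp.\nFurther logins will be blocked for 600 seconds.",
    "Too many failed logins from 198.51.100.7 for facility webadmin.\nFurther logins will be blocked for 600 seconds.",
]
SAMPLE_ALLOWED = ["203.0.113.0/28"]  # assumed web application range

if __name__ == "__main__":
    print(classify_notices(SAMPLE_NOTICES, SAMPLE_ALLOWED))
```

A lockout of an address in the "expected" bucket is worth investigating first, since it means one of your own relay clients is failing authentication and may have blocked the shared relay account.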
