
How to configure email address and TCP port used to send quarantine reports?

Hello, 

I need to configure the email address and TCP port that UTM 9 uses to send the Quarantine reports to my users. Does anybody know how to do that? Also, I would like to know what the defaults are for those two settings.

Just in case, I'm using Exchange 2010 as my email server. 

Thanks in advance!



This thread was automatically locked due to age.
  • Hello,

    Quarantine reports are e-mails. So I did not understand your question about which port the UTM uses to send the reports. The port and the hostname used in the release link are configured in the advanced section under E-Mail Protection / Quarantine Report.

    For the email addresses there are two cases:

    1. User without a user object in Definitions & Users / Users & Groups

       - every email address for which spam is filtered gets a report to that email

    2. Users configured in Definitions & Users / Users & Groups

       - every user gets a report to the primary email, consolidated over all his email addresses (primary and additional)

       - users can control their own sender blacklist / whitelist

    Hope it helps

    CS

     

    Sophos Certified Architect (UTM + XG)

  • Sorry that I was not clear. 

    What I meant is the following:

    - I'd like to change the FROM address that quarantine reports are sent from by the UTM to our users.

    - As you said, the quarantine reports are emails, so I'm guessing the UTM sends the quarantine reports to port 25 on my email server. I would like to configure the UTM to send the quarantine reports to port 587 instead.

    The reason I need to make these changes is that yesterday I made some changes on my Exchange server's receive connectors and this morning nobody received their quarantine report. We were receiving a lot of external spoofed emails with our own domain, and the UTM was not blocking them even though I have our domain on the Sender Blacklist on UTM. I found out on another post that UTM only checks the MAIL FROM field in the P1 header of an email, but it doesn't check the FROM field on the P2 header. https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/49949/block-emails-spoofed-p2-headers. This allows for spoofed emails to still pass through the UTM's email filter onto our Exchange server.

    So in order to block those spoofed emails, I removed the ms-exch-smtp-accept-authoritative-domain-sender permissions on the receive connector for the UTM on our Exchange server to reject external emails that have our own domain. My guess is that this is what prevented us from receiving the quarantine reports this morning, as the FROM address on the quarantine reports was an address in our domain. This is why I need to change the FROM address and the port UTM uses to send the quarantine reports.
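
Added example (not part of the thread, and not Sophos or Exchange code): a small Python check that compares the P1 envelope sender with the P2 `From:` header, showing why a blacklist applied only to MAIL FROM misses the spoofed mail described above. The domain `example.com`, the helper names and all sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

OWN_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].strip().lower() if "@" in addr else ""

def classify(envelope_from, raw_message, own_domains=OWN_DOMAINS):
    """Compare P1 (SMTP MAIL FROM) with P2 (From: header) for one message."""
    msg = message_from_string(raw_message)
    p1 = domain_of(envelope_from)
    # A From: header may list several mailboxes; inspect every one of them.
    p2 = {domain_of(a) for _, a in getaddresses(msg.get_all("From", []))}
    p2.discard("")
    if p1 in own_domains:
        return "p1-own-domain"       # visible to a MAIL FROM sender blacklist
    if p2 & own_domains:
        return "p2-own-domain-only"  # invisible to a P1-only check
    return "external"

def blocked_by_p1_blacklist(envelope_from, own_domains=OWN_DOMAINS):
    """Model of a sender blacklist that looks at MAIL FROM only."""
    return domain_of(envelope_from) in own_domains

# Constructed samples: (envelope MAIL FROM, raw message).
SPOOFED = ("bounce@mailer.invalid",
           "From: Finance <finance@example.com>\nTo: user@example.com\n"
           "Subject: Invoice\n\nconstructed body\n")
P1_SPOOFED = ("finance@example.com",
              "From: finance@example.com\nTo: user@example.com\n"
              "Subject: Invoice\n\nconstructed body\n")
REPORT = ("do-not-reply@fw-notify.net",
          "From: do-not-reply@fw-notify.net\nTo: user@example.com\n"
          "Subject: Quarantine Report\n\nconstructed body\n")

def run_samples():
    """Return (classification, blocked by P1-only blacklist) per sample."""
    return [(classify(env, raw), blocked_by_p1_blacklist(env))
            for env, raw in (SPOOFED, P1_SPOOFED, REPORT)]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```
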

  • OK, you can change the sender email in the global tab Management / Notifications.

    Try the configuration in the advanced tab to configure the exchange server with port 587.

     

    Good luck!

    CS

     

    Sophos Certified Architect (UTM + XG)

  • I did try configuring the sender address and port on the Notifications section, but after testing I found out it only works for security notifications like INFO, WARN, and CRIT. The Notifications settings don't apply to Quarantine reports. 

  • Almost two years ago, I added an idea that you might want to vote for: In Anti-Spam, Expression-check everything after DATA or include From.

    I don't know where you changed the sender.  I've never changed 'Sender' on the 'Global' tab of 'Notifications', so I've never seen a Quarantine Report sent by anything other than do-not-reply@fw-notify.net.  The only way I know to send on a different port is with SNAT, but that would apply to all messages from the UTM to Exchange, not just QRs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I voted for that idea a few weeks ago, as I found myself getting several emails with spoofed P2 headers.

    Thanks! I did change the sender to that address and that allowed my users to receive the quarantine report. Not an ideal solution as that address is a fake address but that'll do for now. Hopefully they add your idea to a future firmware update, otherwise without it the UTM's email protection is not a complete solution.