We are using UTM as our mail gateway. Lately, a lot of our users have received spoofing emails that appear to come from themselves.
We use the emailspooftest dotcom site to test our mail servers, and it detected that the problem was:
"Internal authentication is not enforced. Fix: On inbound email gateways, only allow specific IP addresses to send mail from internal domains or force an auth challenge for internal domains. This is typically a relay setting."
Could anyone suggest how to fix this problem in Sophos?
Hi,
I recommend setting SPF records for your domain and enabling "Perform SPF check" in SMTP->Antispam.
bye Josef
BERGMANN engineering & consulting GmbH, Wien/Austria
Hi Josef, thank you for your reply.
SPF is always enabled and the records are up-to-date; this seems to be an open relay problem in UTM.
Ok, I assume xxxxx.com stands for your domain.
Which hop is your UTM? mail.MYDOMAIN.net?
What does your SPF setting in DNS look like?
Yes, mail.MYDOMAIN.net is the UTM hop.
This is what the SPF settings look like:
v=spf1 mx ip4:13.xx.xx.xx ip4:13.xx.xx.xx ip4:13.xx.xx.xx ip4:13.xx.xx.xx ip4:13.xx.xx.xx include:spf.messagelabs.com include:spf.protection.outlook.com include:spf.smtp2go.com ~all
Can anyone spot any issues?
The results show as:
SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)
Ok, so you use "Softfail" (~all) in your SPF policy; this will not stop the spoofed mail on the UTM.
For more details see here: Sophos UTM: Enable Sender Policy Framework (SPF)
"... Your SPF record should contain the token "-all" at the end not "~all". This is a common reason why people are not rejecting spoofed mail as expected."
Hi Josef, I know we use "Softfail", but we have "Perform SPF check" turned on and I can see a lot of emails got rejected because the SPF check failed.
I still think what we have is an open relay problem, not an SPF problem.
If you don't check your own mail logs after doing the OpenRelay test, you will never really know this.
PS: and I think SPF soft-fail will pass the UTM spam filter (you may check the SPF records of SPF-blocked mails).
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner, Sophos Solution Partner since 2003
As said, the UTM will not reject when the SPF policy is set to Softfail; this is documented in the link I posted.
All the mails which you see being rejected surely have a Hardfail SPF policy. Your domain has a Softfail policy, so the mails did not get rejected. The feature "Perform SPF check" just enables the check in general.
Good morning, Johnny. You got the answer from both Dirk and Josef.
Cheers - Bob
Apologies for the late reply.
Unfortunately, the solutions proposed didn't work; we updated SPF to "hard fail" but it still doesn't stop the phishing emails.
Here is what the email header looks like:
Received: from EX2016-MDB-AN.xxx.hosted (10.2.4.129) by EX2016-MDB-AN.xxx.hosted (10.2.4.129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8 via Mailbox Transport; Wed, 20 Jul 2022 14:15:40 +1000
Received: from EX2016-MDB-AN.xxx.hosted (10.2.4.129) by EX2016-MDB-AN.xxx.hosted (10.2.4.129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8; Wed, 20 Jul 2022 14:15:40 +1000
Received: from ip-10-2-3-109.ap-xxxx.compute.internal (10.2.5.109) by EX2016-MDB-AN.xxx.hosted (10.2.4.129) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.8 via Frontend Transport; Wed, 20 Jul 2022 14:15:40 +1000
Received: from [10.2.4.120] (helo=mail.xxx.com) by ip-10-2-3-109.ap-southeast-2.compute.internal with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <user@xxx.com>) id 1oE17c-0004qV-OG for user@xxx.com; Wed, 20 Jul 2022 14:15:40 +1000
Received: from [185.222.58.69] (port=62467 helo=xxx.com) by mail.xxx.com with esmtp (Exim 4.95) (envelope-from <user@xxx.com>) id 1oE17W-0001WW-0x for user@xxx.com; Wed, 20 Jul 2022 14:15:34 +1000
From: xxx.com Server <user@xxx.com>
To: <user@xxx.com>
Subject: Three (4) Incoming mails not delivered
Date: Wed, 20 Jul 2022 06:15:30 +0200
Message-ID: <20220720061530.C5379167367D62FD@xxx.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-Path: user@xxx.com
X-MS-Exchange-Organization-Network-Message-Id: e0bd540b-123e-4816-8107-08da6a0681e5
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: EX2016-MDB-AN.xxx.hosted
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.1880204
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008
Received: from [185.222.58.69] (port=62467 helo=xxx.com) by mail.xxx.com with esmtp (Exim 4.95) (envelope-from <user@xxx.com>) id 1oE17W-0001WW-0x for user@xxx.com; Wed, 20 Jul 2022 14:15:34 +1000
The first "Received: from [185.222.58.69]" is not in the SPF record, yet it is the IP that the email originated from.
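As an added illustration of the point made in this thread (not code from any poster or from Sophos), the script below pulls the originating client IP out of a Received chain shaped like the header above and evaluates it against an SPF record once with "~all" and once with "-all". The SPF record, the example.com names and the 203.0.113.0/24 range are constructed placeholders for the masked values in the thread; "mx" and "include:" mechanisms are skipped because they would need DNS, and the "reject on fail only" rule is the UTM behaviour described in the replies, not a full implementation of the product.

```python
import ipaddress
import re

# Constructed sample records in the shape of the thread's SPF record; the thread masks
# its ip4 ranges as 13.xx.xx.xx, so a documentation range stands in for them here.
SPF_SOFTFAIL = "v=spf1 mx ip4:203.0.113.0/24 include:spf.protection.outlook.com ~all"
SPF_HARDFAIL = SPF_SOFTFAIL.replace("~all", "-all")

# Constructed Received chain, newest hop first, mirroring the thread's header:
# the bottom line is the hop that accepted the message from the outside world.
RECEIVED = [
    "Received: from [10.2.4.120] (helo=mail.example.com) by ip-10-2-3-109.internal with esmtps",
    "Received: from [185.222.58.69] (port=62467 helo=example.com) by mail.example.com with esmtp",
]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def originating_ip(received_headers):
    """Return the connecting IP from the lowest Received: header, i.e. the client
    that handed the message to the gateway; the headers above it are internal hops."""
    match = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", received_headers[-1])
    return ipaddress.ip_address(match.group(1)) if match else None

def evaluate_spf(record, client_ip):
    """Offline SPF evaluation over ip4 and 'all' mechanisms only; 'mx' and 'include:'
    need DNS and are skipped (assumption, not a full RFC 7208 evaluator).
    The first matching mechanism decides and its qualifier gives the result."""
    if not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if client_ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

def utm_rejects(record, client_ip):
    """Model of the behaviour described in the replies: the gateway rejects on a
    hard 'fail' only, so a ~all record lets the spoofed message through."""
    return evaluate_spf(record, client_ip) == "fail"

if __name__ == "__main__":
    ip = originating_ip(RECEIVED)
    for rec in (SPF_SOFTFAIL, SPF_HARDFAIL):
        print(rec.split()[-1], evaluate_spf(rec, ip), "rejected" if utm_rejects(rec, ip) else "accepted")
```

Run against the thread's originating address, the "~all" record yields softfail and the "-all" record yields fail, which is exactly the difference between the two outcomes discussed above.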
Send me a PM with the real log.