Sophos UTM Retirement / EOL announced

Finally, Sophos announced the EOL of UTM. Interestingly, the EOL does not apply to Sophos UTM AWS....

  • Jeff, I got a new post notification but can't find your message.

    > That right there tells me major frustrations are in our future. We have been so spoiled by Sophos UTM's ease of use and extraordinary feature set. I would have thought you could connect directly to the ONT with any firewall as I've always done with a Sophos box.
    >
    > I'm still researching. I keep going back and forth on pfSense vs OPNsense; still not sure which one to go with. Trying to avoid getting elbows deep in one only to find that I need to switch to the other and start all over. I was leaning towards OPNsense because of the Zenarmor integration out of the box and I saw a video tutorial on NAXSI WAF integration. Seems people are having problems with Zenarmor on pfSense.
    >
    > Are you using the CE or Plus version? I'm concerned that they may pull the rug out from under Plus users at some point and start charging.

    The ONT/gateway/802.1X BS is strictly caused by AT&T and no other. There are lots of threads on it on DSLReports, but the gist I gather is it has to do with legacy auth with DSL clients connecting. And of course keeping support KISS. I'm happy to say I was able to root my gateway, pull its certs and stick it back in the box it came from back in 2019. With UTM, a third party supplied the needed wpa_supplicant binary which I still use to this day to handle auth on reboots. In pfSense (and OPNsense, see https://www.dslreports.com/forum/r33687955-OPNSENSE-vlan0-supporting-wpa-supplicant-binary) no additional tools are needed.

    Now if I wanted to use XG, I'd have to have some convoluted workaround just to get an IP, either by putting an OpenWrt VM in front of it, or some other way of handling EAPOL auth. Either way, it's a non-issue as XG won't be running here in its current form.

    I've been playing with the Plus version, but the latest CE 2.70 is (almost) in parity with Plus, or was a few weeks ago. I doubt Netgate will charge home users, but who knows.

    Truth be told, I probably won't be making the switch until this fall/winter given my network setup is somewhat complex and I really don't want to deal with it right now.
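As an added illustration (this is not code or config from anyone in the thread), the post above describes handing the ONT's 802.1X/EAP-TLS challenge off to wpa_supplicant using the certificates pulled from the rooted gateway. A configuration for that looks roughly like the following; the file paths, the MAC address and the interface name are placeholders, and the certificate files are the ones that would have been extracted from the gateway.

```conf
# wpa_supplicant.conf for 802.1X / EAP-TLS on the WAN side.
# Added example, not from the thread. Assumptions: the certs and key pulled
# from the rooted residential gateway live under /conf/att/, and
# 00:11:22:33:44:55 stands in for that gateway's MAC address.
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
# no wireless scanning: this is a wired (-D wired) supplicant
ap_scan=0
fast_reauth=1

network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
    # the ONT expects the identity to be the gateway's MAC address
    identity="00:11:22:33:44:55"
    ca_cert="/conf/att/CA.pem"
    client_cert="/conf/att/Client.pem"
    private_key="/conf/att/PrivateKey.pem"
    # the authenticator's EAP-Success does not always follow the spec strictly;
    # without this wpa_supplicant may reject an otherwise successful exchange
    phase1="allow_canned_success=1"
}
```

It is started against the WAN NIC with something like `wpa_supplicant -D wired -i igb0 -c /conf/att/wpa_supplicant.conf -B` (igb0 is an assumed interface name), with the NIC's MAC set to the gateway's MAC, and DHCP is requested on that interface afterwards. The extracted certificate and private key are the credential the ONT trusts, so keep them readable only by root (chmod 600); anyone who copies them can impersonate the gateway on that circuit.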

  • I finally peeked a bit at the utm email options. Looks to be quite inclusive.

    I'm not sure how much parity there is with PMG (Proxmox Mail Gateway). I've installed it ahead of the mailcow instance to see what it can do. Options appear plentiful.

    Mailcow is already configured including spam options. It's been exposed to port 25 for a few days now. I do however see the benefit of having a proxy ahead of it. Given it houses the mailboxes, it's better to have the proxy compromised than the actual mail server.

    Thoughts?

    Self hosted mail is such a deep rabbit hole!!

  • I consider pushing everything to the cloud a deep rabbit hole!! I've always self-hosted pretty much everything. I still have a gmail account but that's about all that I have as far as third-party cloud services goes.

    The Sophos UTM's SMTP Proxy is fantastic. I've been using it for nearly 10 years. Very few spam emails make it through along with very few false-positives and I have been self-hosting email for a few different domains, each with multiple accounts.

    I don't currently use Proxmox. I didn't know they offered an email proxy. Thanks. Looks promising but I'm not a huge fan of ClamAV. Maybe it's improved but it used to be a resource hog way back when I used it. It just rubs me the wrong way having to move services out of the gateway only to eat up more resources elsewhere. I guess it's time I come to terms with that fact.

    I'm still not sure what I'm going to use as a Sophos UTM replacement. I'm hoping they add a few things to XG by 2026 so that it is more on par with the UTM. Especially Let's Encrypt support. I'm always adding/removing subdomains for web apps and even cheap SSL certs can add up quick. I'm not holding my breath though considering how long it's taken them to get as far as they have with XG.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------