
Will authenticated relay, as everybody in the world uses it (RFC 4954), be implemented on SFOS v18?

I was waiting and waiting for v18, and it came out, and I see no reference to RFC 4954 support for SMTP auth relay.

Is this coming in a point release? Will this ever be there? It is such a pain to have to pass users straight through to my mail server rather than having XG Firewall protect it.

Does anyone have an answer?



  • Hi,

    Please navigate to Email >> MTA Mode >> Relay Settings

    Authenticated relay settings

    Enable authenticated relay:
     Select to require authentication of users and groups to use XG Firewall as a mail relay.

    Users and groups:
     Specify the users and groups who require authentication.
  • Hello Keyur,

    could you please confirm whether it is possible to use users and user groups authorized externally via Microsoft Active Directory as authenticated users? Because this feature was possible ONLY for users authorized through STAS.

    Regards

    alda

  • Hi.

    Any info on this? It seems that RFC 4954 authentication is not working on SFOS v18.

  • It is not, and I am (personally speaking) not a fan of such setups.

    That will get messy (at best).

    You are actively bypassing a mail server and only using an MTA for your mail communication. That is kind of bad practice from my point of view.

    I would rather recommend sending the mail to your mail server and letting the mail server decide what to do with it. And having only one (host-based) relay to the MTA is better than having X different upstreams sending anything through your gateway without a filter.

    XG will use live users for authenticated relay, which is as bad as RFC 4954 from my point of view.

    It is like having a printer sending directly through your MTA to the world. The printer has one bad setting and ruins your mail reputation. A mail server would actually prevent such stuff from happening.

  • Hello LuCar,

    I'm afraid you have somewhat misunderstood the purpose of authenticated relay.
    So, in one sentence: allow external users to send e-mail via the SMTP proxy after authorization, as if they were on the internal network like other (internal) users. I don't think that's too complicated to understand.
    Yes, we can discuss how secure this feature is in terms of dictionary attacks and password strength, but that's a slightly different story, isn't it?
    It is surprising that authorization against STAS is supported, but not authorization against the local database, MS Active Directory or LDAP.
    I will probably never understand the thinking of Sophos developers.

    Regards

    alda

  • I think the point of this feature is to PROTECT your mail server from the Internet, right? XG can be the first line of defense against users who are NOT authorized to connect authenticated to send mail via the mail server.

    I know I read from Sophos that RFC 4954 support was to be included in v18. But so far I don't think it is there.

    We want to know when it will be included in the v18 release. I am not upgrading until it is there.

    Can someone from Sophos please answer this?

    Thank you,

    Pete

  • You missed my point. Most people use this feature as an external feature, as they authenticate everything via SMTP against the MTA.

    I completely left the security perspective out of my comment.

    But most customers are asking for external SMTP authentication.

    Therefore they start to send mail directly through the MTA.

    For example:

    A website on the internet should use the customer domain for outbound email.

    A printer (external / internal) should use the outbound email.

    You will run into issues with: archiving, misconfiguration, security issues, overview of the use of your domain, logging, etc.

  • Hello LuCar,

    I apologize; after your second answer I understood when the authenticated relay will be implemented: NEVER EVER.
    Only excuses and justifications for why it is not appropriate to use this function (or to require its implementation).
    As I wrote before, it is necessary to vote with our feet ...

    Regards

    alda

  • I cannot comment on the roadmap of this feature, but it is not as easy to implement as you make it out to be, because there are multiple factors to deal with.

    First of all: the easy part would be to simply activate authenticated relay, as Exim already supports this. But how to deal with the authentication?

    Exim could use its own authentication method, therefore simply forwarding the authentication to the mail server. That would break a lot of stuff.

    So you would like to use the in-product authentication.

    This leads to the next limitation: would you like the same implementation as UTM, where aua takes over and deals with the authentication?

    This could lead to an open authentication method on SMTP and kill multiple users within your AD by locking them.

    So you would have to implement a method to split those authentications into external and internal and deal with them separately.

    You would have to think about an implementation method only for external or only for internal.

    Another factor would be the implementation of a cache. Useful? Could be.

    This all needs to be in the Webadmin, correct?

    As mentioned earlier, I am not a product manager, therefore not in a position to comment on the roadmap. From my personal point of view, this feature does not have a high return on investment, as I personally think it is not a good implementation anyway.
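
The three things the post above separates (the RFC 4954 AUTH exchange itself, an authentication back end scoped to relay use rather than the directory, and protection against locking AD users through guessing) can be sketched in a few dozen lines. What follows is an added illustration for this thread, not XG Firewall, Sophos or Exim code; the account, password, IP addresses, failure threshold and reply wording are assumptions, and the credential store is constructed inline.

```python
"""Toy SMTP AUTH (RFC 4954) relay gate.

Added illustration for this thread, not XG Firewall or Exim code.  It shows
the AUTH PLAIN exchange, a credential store that holds only relay accounts
(so a guessing run never reaches the directory), and a per-client failure
budget that refuses further attempts before an AD lockout threshold could
be tripped.  All names, addresses and thresholds below are assumptions.
"""
import base64
import hashlib
import hmac
from collections import defaultdict

RELAY_SALT = b"constructed-salt"   # constructed; use a random per-user salt in practice


def _digest(password: str) -> bytes:
    """PBKDF2-SHA256 of the password; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), RELAY_SALT, 50_000)


# Constructed relay-only credential store: username -> password digest.
# External devices (printers, web sites) get accounts here, not AD users.
RELAY_USERS = {
    "printer@example.test": _digest("Pr1nter-Secret"),   # assumed account
}

# Failure budget per client IP, kept below a typical directory lockout
# threshold so the relay, not the directory, is what says "stop".
MAX_FAILURES = 3
_failures = defaultdict(int)


def plain_token(user: str, password: str) -> str:
    """Build the client side of AUTH PLAIN (RFC 4616): base64(NUL user NUL password)."""
    return base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode()).decode()


def decode_plain(token: str):
    """Parse a SASL PLAIN initial response; return (user, password) or None."""
    try:
        parts = base64.b64decode(token, validate=True).split(b"\x00")
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def check_password(user: str, password: str) -> bool:
    expected = RELAY_USERS.get(user)
    if expected is None:
        _digest(password)              # hash anyway so unknown users cost the same time
        return False
    return hmac.compare_digest(expected, _digest(password))


def handle_auth(client_ip: str, mechanism: str, token: str) -> str:
    """Return the server reply line for one AUTH command (reply codes from RFC 4954)."""
    if _failures[client_ip] >= MAX_FAILURES:
        return "454 4.7.0 Temporary authentication failure"
    if mechanism.upper() != "PLAIN":   # LOGIN / CRAM-MD5 are left out of this toy
        return "504 5.5.4 Unrecognized authentication type"
    creds = decode_plain(token)
    if creds is None:
        return "501 5.5.2 Cannot decode credentials"
    user, password = creds
    if check_password(user, password):
        _failures[client_ip] = 0
        return "235 2.7.0 Authentication successful"
    _failures[client_ip] += 1
    return "535 5.7.8 Authentication credentials invalid"


def run_session(client_ip: str, commands):
    """Feed client command lines through a minimal state machine and return
    the server replies, so both sides of the exchange can be read together."""
    authed = False
    replies = []
    for cmd in commands:
        verb, _, rest = cmd.partition(" ")
        if verb.upper() == "AUTH":
            mech, _, token = rest.partition(" ")
            reply = handle_auth(client_ip, mech, token)
            authed = reply.startswith("235")
        elif verb.upper() == "MAIL":
            # Relay only after a successful AUTH; an unauthenticated MAIL FROM
            # from outside is refused instead of being passed to the mail server.
            reply = "250 2.1.0 Sender OK" if authed else "530 5.7.0 Authentication required"
        else:
            reply = "502 5.5.2 Command not implemented in this example"
        replies.append(reply)
    return replies


if __name__ == "__main__":
    good = plain_token("printer@example.test", "Pr1nter-Secret")
    client = ["MAIL FROM:<x@example.test>", "AUTH PLAIN " + good, "MAIL FROM:<x@example.test>"]
    for c, s in zip(client, run_session("198.51.100.7", client)):
        print("C:", c)
        print("S:", s)
```

The point of keeping `RELAY_USERS` separate from the directory is the one made above: a password-guessing run against the relay exhausts the relay's own failure budget and gets a temporary 454, and never counts against an AD account's lockout policy.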

  • Hello LuCar,

    please read (or have your product managers read) again what was written above:

    We want to know when it will be included in the v18 release. I am not upgrading until it is there.

    And I don't think that's just my case. I think you (and your product managers) already know that you have a problem. Users expect XG Firewall to have the same features as UTM v9, as Sophos has promised for 5 years ....

    Regards

    alda


  • I will forward this feedback to the PM Team. 

  • Hi all,

    This capability is under consideration and is tracked with tracking ID NC-32251.

    At this time there is no committed version for this capability.

    Regards,

    Stuart Hatto
