
Does Sophos XG Support AUTH SMTP relay in MTA mode?

We were on a UTM and authenticated relay worked fine. 

Migrated to an XG and email flows, but neither I nor Sophos support seem to be able to get SMTP authenticated relay to work. 

Environment:

Sophos XG in MTA mode - works fine in all respects other than authenticated SMTP relay. It does successfully relay from whitelisted internal IPs (MFP, etc.)

Exchange 2016 on-prem server - patched to CU22, including KB5007409 - all aspects working fine. 

Active Directory users imported successfully or local users. (I have both and either would be fine)

Spent time with a tier 1 support person (3.5 hours) working through it and was told that "SMTP relaying via AUTH was broken in fw 17, but supposed to be fixed in 18, but it's still broken."

Fantastic. Before I throw a wobbly, is this accurate?

Did Sophos break AUTH relay and leave it broken across multiple versions?

Does anyone have Authenticated (username and password) SMTP relaying working with an on-prem Exchange Server and the XG in MTA mode?

Thanks!



This thread was automatically locked due to age.
  • SFOS does not support SMTP Auth. It was never implemented and I am still arguing this to be a "problem" in the implementation to this day. 

    From my point of view, there should be a central instance (email server) storing all emails, and they should be sent from there. Using SMTP Auth against a gateway product (SMTP MTA) could potentially open plenty of issues. 

  • Reality seems to match what you're saying generally. It does seem to be implemented, at least at the GUI level, since there's a pretty little check box and a place to add allowed users for authentication, but no one can seem to figure out how to actually implement it. 

  • What is the use case of SMTP auth? What do you plan to integrate and how do you mitigate SMTP threats? 

  • In this case, it's Syncro. We use it as an RMM. It was emailing fine through the UTM, but after switching to XG, it fails. 

    With the Sophos in MTA mode, my understanding is that it handles the transactions, then relays back to my Exch. 

    That pretty much puts it in front of the Exch server. 

    We also lock down relaying in XG and Exchange. 

    This is the Syncro interface I'm using, which is very limited. 

    The current error is "AUTH command used when not advertised" when attempting Auth SMTP relay. 

    I don't want to switch to transparent mode, since that makes the firewall useless in terms of Email protection. 
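
The 503 text quoted in the post above, "AUTH command used when not advertised", is the reply Exim gives when a client sends AUTH although the server's EHLO response did not list it. The practical check is therefore to read the EHLO reply yourself, once on the plaintext connection and again after STARTTLS, because many MTAs advertise AUTH only on the encrypted session and a client that sends AUTH before STARTTLS gets exactly this error. The script below is an added example for this thread, not code from the original post, from Sophos or from Syncro; the hostnames and the two EHLO replies are constructed samples, and `probe()` is a hypothetical helper for running the same check against a live host.

```python
"""Check whether an SMTP server advertises AUTH, before and after STARTTLS.

Added example, not Sophos or Syncro code.  The two EHLO replies below are
constructed samples with hypothetical hostnames, not captures from a real
XG or Exchange host.
"""
import smtplib
from typing import Dict, List, Optional

# Constructed: an MTA that offers STARTTLS but no AUTH on the plaintext session.
EHLO_NO_AUTH = (
    "250-mta.example.invalid Hello client [203.0.113.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed: the same kind of reply after STARTTLS, now listing AUTH.
EHLO_WITH_AUTH = (
    "250-mta.example.invalid Hello client [203.0.113.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: "params"}.

    The first line is the greeting and is skipped.  Every further line is
    "250-KEYWORD params" (continuation) or "250 KEYWORD params" (last line).
    """
    caps: Dict[str, str] = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        body = ln[4:].strip()                 # drop "250-" or "250 "
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def auth_mechanisms(caps: Dict[str, str]) -> List[str]:
    """Mechanisms the server accepts for AUTH; [] if AUTH is not advertised."""
    return caps.get("AUTH", "").split()


def diagnose(pre_tls: Dict[str, str],
             post_tls: Optional[Dict[str, str]] = None) -> str:
    """Classify what a client can expect when it sends AUTH.

    pre_tls  - capabilities from the first EHLO (plaintext)
    post_tls - capabilities from the EHLO after STARTTLS, if one was done
    """
    pre = {k.upper(): v for k, v in pre_tls.items()}
    post = {k.upper(): v for k, v in post_tls.items()} if post_tls is not None else None
    if "AUTH" in pre:
        return "auth-advertised"            # AUTH works on the plaintext session
    if post is not None:
        # We already upgraded to TLS; the second EHLO is authoritative.
        return "auth-after-starttls" if "AUTH" in post else "auth-not-advertised"
    if "STARTTLS" in pre:
        return "check-after-starttls"       # AUTH may only appear once encrypted
    return "auth-not-advertised"            # sending AUTH now yields the 503


def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Run the same check against a live MTA (hypothetical helper; not run offline).

    smtplib lower-cases feature names in esmtp_features; diagnose() normalises.
    This is a capability probe, so the TLS upgrade does not verify the
    appliance certificate; use a verified context if you need a trust check.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = dict(s.esmtp_features)
        post = None
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
            post = dict(s.esmtp_features)
    return diagnose(pre, post)


if __name__ == "__main__":
    pre = parse_ehlo(EHLO_NO_AUTH)
    post = parse_ehlo(EHLO_WITH_AUTH)
    print("plaintext only :", diagnose(pre))
    print("after STARTTLS :", diagnose(pre, post), auth_mechanisms(post))
```

If `diagnose()` reports `auth-not-advertised` on the XG listener even after STARTTLS, the client-side error is expected and no password will help; the relay has to be allowed by sender IP instead, as later posts in this thread suggest.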

  • Where is this solution based? Is it a cloud application or on-premise? Or to rephrase it: do you have an IP/FQDN which this vendor is using for sending an email? 

    If so - You could relay it directly to the Exchange. The Exchange will accept the email and then forward it to the needed places. 

  • They are a web-based SAAS provider. IP Relay is the sole solution I can see as well.

    Still waiting on Syncro to clarify their sending IP/IP range. 

    It's just dumb that this isn't supported. FFS, UTM managed it fine, but Sophos "upgraded" and broke something quite useful. 

    Combine that with the horrific on-hold 18-sec loop and I'm starting to hate this company more every day.

  • On the other side, take a look at Central, Reporting, XDR and the capabilities for IT security; it will increase your actual goal: having a secure environment.

    BTW: IP relay means essentially that your SaaS provider talks to the Exchange, and on the Exchange you can configure an SMTP gateway for this service.

    BTW2: Most customers move to O365, and as O365 simply supports this as a mail gateway, this seems to be the better approach. So if you actually move to Exchange Online in the future, you can disable this entire email feature on SFOS/UTM anyway. 

  • We use CYNET for endpoint sec. I used Sophos AV in the past and wasn't impressed, at all. CYNET is a stellar product, albeit more expensive. 

    I'm well aware of what IP relay is for SMTP. 

    We're not likely migrating to O365 anytime soon. On-Prem exch has worked fine until this Sophos XG garbage. 

  • Did you upgrade your Exchange already? Yesterday another Critical CVE for Exchange: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 

  • Yeah. I stay up on patches. We were CU 22 when it was released and this sec patch was installed the day after release. 

    I'll just end this thread here. 

    Sophos UTM supported this function without issue. Sophos decided to pretend to support it in XG, but doesn't really support it and so far, the best solution from Sophos is to convert to O365, bypassing the Firewall MTA. lol

    I appreciate your time nonetheless. 

  • O365 does not bypass the Firewall MTA. It simply does not need it. In O365, you are working with the MTA of Microsoft. 

    BTW: Did you investigate about breaches? This CVE is already known to be used in the wild. There is a script from Microsoft to check for breaches. 

  • O365 does not bypass the Firewall MTA, because it doesn't use it. Well, yeah. 

    You know what the word "bypass" means, right?

    I'm well aware of Exch vulns and we're patched. 
