Are Authenticated SMTP Notifications still broken in Sophos Firewall?

I know this was an issue many years ago -- now I've run across a customer that we want to set this up for (they got bought out, and the parent company migrated all their email to O365, and the folks I deal with have no access to the admin controls in O365) -- and no matter what I do, I cannot send firewall notifications out via a configured O365 relay (they require authentication).  I do have other customers that I do manage, and in those cases we helped them set up relays (by static IP) that did not require authentication, and that works.

I suspect (somehow, it's been a very long time) that Sophos has not fixed this issue yet (if you use authentication, you have to have TLS/StartTLS enabled with O365) with Sophos Firewall.  IIRC, it had to do with them using MD5, which Microsoft rejects. I will be starting a support case on this, but checking here first to see if any of you have had a different experience recently.



This thread was automatically locked due to age.
  • It is listed as a known issue: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=19.0

    NC-9106 Framework part of base (deprecated) Mail notification isn't working with Microsoft Office365. Sophos Firewall supports STARTTLS and SSL/TLS to encrypt emails. However, for SMTP, it only supports PLAIN authentication, which Office 365 doesn't support.

    Configure an intermediate relay to workaround this behavior.

    Use Central as an Alert Management system. That should be a better solution.


  • I'm not sure about this response -- the customer has non-Microsoft devices (scanners etc.) that are using authenticated relay just fine.  I read elsewhere that it may be a problem with the encryption algorithms used (old MD5)... not sure why, if the bottom-dollar MFP manufacturers can accomplish this, Sophos can't?  I mean, I understand it being a lower-priority issue, but it's been broken since day one.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • It was not implemented. Basically, PLAIN authentication is fine for most SMTP but not Microsoft. You could ask Microsoft to support PLAIN authentication as well. But at this point, SFOS does not support the way Microsoft authenticates, and Microsoft does not support the way the firewall works.


  • So which ones does Microsoft require?  I see two other possibilities, AUTH-LOGIN and AUTH-CRAM-MD5 ... 


  • Sophos Firewall supports SMTP PLAIN. https://en.wikipedia.org/wiki/SMTP_Authentication

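The posts above turn on what the firewall and the mail server each mean by "SMTP authentication". The three mechanisms named in this thread (PLAIN, LOGIN, CRAM-MD5) differ only in framing and in what the server needs to store, and a client that speaks just one of them fails as soon as the server's EHLO reply does not advertise it. The following is an added example to make that concrete; it is not Sophos or Microsoft code and not part of the original thread. The EHLO reply, hostnames, user name and password are constructed for illustration, and the claim that a Microsoft 365 submission endpoint offers LOGIN and XOAUTH2 but not PLAIN is an assumption to confirm against a live EHLO.

```python
"""SMTP AUTH on the wire: which mechanisms a server advertises, and what the client
sends for PLAIN, LOGIN and CRAM-MD5 (the three named in this thread).

Added example, not Sophos or Microsoft code; credentials, hostnames and the EHLO
reply below are constructed for illustration.
"""
import base64
import hashlib
import hmac
from typing import Callable, List, Optional, Set, Tuple


def parse_ehlo_auth(ehlo_response: str) -> Set[str]:
    """Collect the SASL mechanism names from the AUTH keyword of an EHLO reply.

    Continuation lines start with '250-', the last line with '250 '. Some servers
    still emit the old non-standard 'AUTH=LOGIN ...' spelling, handled here too.
    """
    mechs: Set[str] = set()
    for line in ehlo_response.splitlines():
        body = line[4:].strip() if line.startswith("250") else line.strip()
        if body.upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def choose_mechanism(server_mechs: Set[str], client_prefs: List[str]) -> Optional[str]:
    """First mechanism in the client's preference order that the server also offers."""
    for mech in client_prefs:
        if mech in server_mechs:
            return mech
    return None


def auth_plain(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: 'authzid NUL authcid NUL password' as one base64 blob."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_plain(blob: str) -> Tuple[str, str, str]:
    """Server side of PLAIN: recover (authzid, authcid, password) from the blob."""
    parts = base64.b64decode(blob).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN credentials")
    return parts[0], parts[1], parts[2]


def auth_login(user: str, password: str) -> List[str]:
    """AUTH LOGIN: the same username and password as PLAIN, but each sent as its own
    base64 line in reply to the server's '334 VXNlcm5hbWU6' / '334 UGFzc3dvcmQ6' prompts."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def auth_cram_md5(user: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 CRAM-MD5: HMAC-MD5 over the server's challenge, keyed with the password.
    The password never crosses the wire, but the server must store it in clear to verify."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response_b64: str, challenge_b64: str,
                    password_for_user: Callable[[str], str]) -> bool:
    """Server side of CRAM-MD5: recompute the digest from the stored clear-text
    password and compare in constant time."""
    user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    expected = hmac.new(password_for_user(user).encode(),
                        base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def client_auth_lines(mech: str, user: str, password: str,
                      challenge_b64: Optional[str] = None) -> List[str]:
    """The exact lines a client sends for each mechanism, after EHLO and STARTTLS."""
    if mech == "PLAIN":
        return [f"AUTH PLAIN {auth_plain(user, password)}"]
    if mech == "LOGIN":
        return ["AUTH LOGIN", *auth_login(user, password)]
    if mech == "CRAM-MD5":
        if challenge_b64 is None:
            raise ValueError("CRAM-MD5 needs the server challenge from the 334 reply")
        return ["AUTH CRAM-MD5", auth_cram_md5(user, password, challenge_b64)]
    raise ValueError(f"unsupported mechanism {mech}")


# Constructed EHLO reply (post-STARTTLS) in the shape of a Microsoft 365 submission
# endpoint, assumed to advertise LOGIN and XOAUTH2 but not PLAIN; confirm against a
# live EHLO on port 587 before relying on it for any given tenant.
SAMPLE_EHLO_M365 = "\r\n".join([
    "250-mx.example.invalid Hello [203.0.113.10]",
    "250-SIZE 157286400",
    "250-PIPELINING",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 AUTH LOGIN XOAUTH2",
])

# The challenge string from the RFC 2195 worked example, base64-encoded as a server would send it.
SAMPLE_CRAM_CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()

SFOS_PREFS = ["PLAIN"]                          # what the release note says the firewall supports
FALLBACK_PREFS = ["CRAM-MD5", "PLAIN", "LOGIN"]  # a client that can fall back to LOGIN


if __name__ == "__main__":
    offered = parse_ehlo_auth(SAMPLE_EHLO_M365)
    print("server offers:", sorted(offered))
    print("PLAIN-only client picks:", choose_mechanism(offered, SFOS_PREFS))
    print("LOGIN-capable client picks:", choose_mechanism(offered, FALLBACK_PREFS))
    for line in client_auth_lines("LOGIN", "alerts@example.com", "s3cret"):
        print("C:", line)
```

To see what a real server offers, run `openssl s_client -starttls smtp -crlf -connect <host>:587`, type `EHLO test.example` once the TLS session is up, and read the `250-AUTH` line; that single line decides whether a PLAIN-only client can authenticate at all. Whichever mechanism is chosen, PLAIN and LOGIN both put the clear password inside the session, so STARTTLS must succeed (and the certificate be validated) before `AUTH` is sent.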

  • Yeah I get that... I was asking what Microsoft requires.  I guess we can drop this -- still amazing to me that this hasn't been fixed given it's something supported (apparently) on the most basic IOT type devices, printers, etc. nowadays.


  • I don't know what Microsoft supports. They moved to MFA a while ago. You find the documentation on Microsoft websites. Essentially it is not broken. It is simply a mismatch between two vendors.

    Most customers moved to Central Alerting and do not use Email Alerting anymore. (Why should you send an email from the firewall, if you could do this from Central?)

    If you have a device to send a notification, you could send this directly. This would basically mean entering the credentials on each and every device; if you want to authenticate in a centralized manner, you could do this by using the MTA itself, then send the email via port 25 to Microsoft 365.


  • One reason is that as a customer you can't configure your own alerts and have to sit and work with a partner to tune them and then always go through someone else to make changes.

  • Actually, you can configure your own alerts in Central... unless you are talking about a scenario where you are using an MSP and want your own alerts (which we configure ourselves for customers as needed -- we also are an MSP) and they don't give you access to Central admin on your account, etc.


  • Yes, when using an MSP.  I have access to Central Admin but the alerts section is locked and we don't have access and were told we can't get access because that would require them to unlock that section for all customers and would create issues as far as how they manage alerts.
