Email profile like Web Filtering - Feature request

Hi All,

I opened this feature request. I really like the way XG manages Web traffic using profiles, and AlanT said in a webinar that even Application will follow the same approach as Web Filtering. What about Email Filtering? I would like to manage profiles and create Firewall rules like Web Filtering. It is easy to use and in this way XG follows the same approach in all areas.

Hope you can vote for the feature request and add comments.

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/11261580-email-filtering-profile

Thanks



This thread was automatically locked due to age.
  • Hi Luk,

    A curious but understandable request.

    I think what should be looked at is more at how POP3, IMAP and SMTP traffic works. With POP3 and IMAP this could work and invariably could be quite valuable, however that is not how SMTP will be used.

    With SMTP the traffic is only between the internal mailserver and a target server on the internet, and this initial connection does not actually contain any information about what "user" it pertains to; it's only when the SMTP send data starts to occur that the XG could even begin to identify whether there is a user there. Now, in a lot of organisations they have estate-wide anti-spam and anti-malware rulesets and exceptions are made for the minority, so applying a per-user or per-group profile might add more work to the construction of an efficient policy.

    I'm a firm believer that something as disruptive as mail filtering should be kept separate because it's a "dangerous" system that can be quite sensitive, and if any of it is wrong or emails are misfiltered or blocked due to the granular policy approach then it can be damaging to a business operation.

    But as I said, POP3 and IMAP are initiated by a client and not a server so this could be useful, but I do not think this would be useful for an MTA mode XG appliance; maybe in Legacy transparent mode it could be, however :)

    Emile

  • Emile,

    thank you for your consideration. I think that everything should be centralized. SMTP scanning at the moment is confusing for customers. What I think is that when a template is used to scan SMTP traffic, some areas are not necessary, like heartbeat, users, captive portal and all other areas. Using profiles can make it simpler for admins to manage multiple domains inside the company that are managed by multiple Exchange Servers.

    IMAP and POP3 can use profiles with no limitation like SMTP.

  • Hi Luk,

    I agree for IMAP and POP3 as that is users making a callout to retrieve email and send email from a mail client on their device. SMTP does not work in the same way; to retrieve mail from a mailserver as a user you will either use HTTPS (Exchange and similar) or IMAP/POP3. For a mailserver's mail coming in and mail going out of it, this should definitely not be integrated into a policy, especially in MTA mode. I know of only 1 user with a small estate of 10 on the UTM who use their mail scanning in Transparent mode because of a managed service setup and it causes them no end of grief.

    Putting mail as part of the policies would be a very difficult task for mailservers, not so for users' POP3/IMAP sessions.

    Emile

  • Emile, what I would like to have inside a profile is all the policies (see the screenshot). I am thinking of XG as managing multiple domains, as I said before. At the moment XG is not even able to manage multiple Helo, for example. Profiles will help us to create profiles for each domain and create the proper rule for each domain inside the Firewall area.

    Think about a case where you have different email and you want to apply different country blocking to each domain. Using a single policy rule will not help. I have customers that have more than one domain that have to be managed separately (XG cannot fit). They are using another solution.

    Of course mine is a feature request that I would like to see. SMTP on XG still cannot manage multiple domains seriously and Profile is one way to go for it if Sophos decides that XG has to manage multiple domains, helo, etc...

  • Hi Luk,

    v16's Email Protection in both MTA and Legacy transparent modes has the ability to apply different policies depending on the incoming domain but is more powerful in MTA mode (Enabled by Email > General Settings > Switch button). When you create a policy you can provide the Domain and the routing like below:

    This system is the fully mature migration of the system from the UTM and is extremely powerful, it's still not quite as powerful as some cloud email protection providers but I have a client wherein, because of the email system and MTD, if the UTM was a woman he would do unspeakable things to it!

    You're right however, both the XG and the UTM can only respond with one HELO which is the FQDN you'd define as the SMTP hostname under general settings so each domain info the XG is responsible for would have to have inherited trust from the domains it is managing for that one FQDN which is not necessarily a problem.

    Additionally you are correct that blocking of relaying of emails from specific countries per domain cannot be done per policy and can only be done globally.

    Emile
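Added illustration, not part of the thread and not Sophos code: a walk through a constructed SMTP dialogue showing what a filtering MTA can key a policy on at each stage. It covers the two points made in the replies above, that the initial connection carries no user or domain information, and that per-domain policy depends on the incoming (recipient) domain. The policy names, domains and addresses are hypothetical.

```python
# Added example: constructed SMTP dialogue and hypothetical policy names.
from dataclasses import dataclass, field

# Hypothetical per-domain policies (illustrative names, not Sophos objects).
DOMAIN_POLICY = {"example.com": "strict", "example.org": "relaxed"}
GLOBAL_POLICY = "global-default"

# Constructed session: commands a sending server issues, in order.
SESSION = [
    "EHLO mail.sender.test",
    "MAIL FROM:<alice@sender.test>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<carol@example.org>",
    "DATA",
]

@dataclass
class State:
    peer_ip: str                      # the only identity known at connect time
    helo: str = ""
    sender_domain: str = ""
    rcpt_domains: list = field(default_factory=list)

def addr_domain(arg):
    """Extract the domain from 'FROM:<user@domain>' or 'TO:<user@domain>'."""
    addr = arg.split(":", 1)[1].strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower()

def walk(peer_ip, lines):
    """Return (stage, policies selectable at that stage) for each command."""
    st, out = State(peer_ip), [("CONNECT", [GLOBAL_POLICY])]
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            st.helo = arg
        elif verb == "MAIL":
            st.sender_domain = addr_domain(arg)
        elif verb == "RCPT":
            st.rcpt_domains.append(addr_domain(arg))
        # Only recipient domains say which protected domain is addressed,
        # so anything decided earlier can only use the global policy.
        pols = sorted({DOMAIN_POLICY.get(d, GLOBAL_POLICY) for d in st.rcpt_domains})
        out.append((verb, pols or [GLOBAL_POLICY]))
    return out

if __name__ == "__main__":
    for stage, policies in walk("203.0.113.5", SESSION):
        print(f"{stage:8} -> {policies}")
```

In this constructed session a single message ends up subject to two domain policies at once, so a per-domain design also has to decide whether to split delivery per recipient or apply the stricter policy.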

  • Emile,

    I know that XG v16 uses the same concept as UTM but still some features are not available in profile mode. The other point, for example is Country Blocking, Different IPS policy and so on.

    If I have a Next Generation Firewall, these features must be included and all packets should be analyzed in the same way (web, email, other traffic) using the same filtering.

    Thanks for your contribution and hope you can vote for the feature request too. ;)
