SMTP in MTA mode

Hello,

I have found that there is no way to prevent inbound SMTP connections to the firewall when in MTA mode.

I would rather allow only my configured upstream hosts to connect through the WAN interface.

Thank you



  • Hi ClerpremSpa,

    I'm not sure I understand the problem. Are you saying that you cannot restrict which servers are allowed to connect and deliver email to the XG?

    If that's the case, you can restrict where they come from by going to the Email > Relay Settings tab and setting the IP/hosts in the Upstream host section, which will allow email delivery to the XG only from the objects you've entered.

    Emile

  • Hello,

    When in MTA mode, connections are directed to the XG interfaces. Device access is regulated on the 'Administration' -> 'Device Access' page.

    From there you can enable device access for the SMTP port.

    For device access, local ACL rules exist, which can filter device access with more granularity.

    When configuring a device access ACL, there is no SMTP service listed. So I cannot limit connections the same way I can for HTTPS access to the device, for instance.

    This way, any host can establish an SMTP session. Of course relay is subsequently denied, but a lot of unwanted traffic is allowed.

    I think the SMTP service is missing from the local ACL configuration page, whereas it should be there.

    Device access is not affected by normal firewall policies.

  • Hi Clerprem,

    ACLs sit in front of Firewall Profiles, so they will be unaffected.

    Can I clarify you're trying to block incoming SMTP connections from unwanted sources?

    Emile

  • ClerpremSPA,

    under ACL there is no SMTP service, you are correct. What Emile said is correct: you should be able to filter incoming SMTP connections using the Upstream Relay option.

    See the attachment!

    You find it under Email > Relay Settings

    Let us know if it works!

    Thanks

  • Hello all,

    the goal is to deny unwanted incoming connections to the MTA service, as happens for HTTPS, ping and so on. Without a local ACL filter, connections are permitted from anyone sitting on the WAN side (this is just an example, but it's true for any XG port). It's not a matter of accepting or rejecting message relaying.

    Furthermore, the use of the 'Host based relay' and 'Upstream Host' lists is definitely unclear.

    I was able to deliver a message by setting both 'MAIL FROM' and 'RCPT TO' to a random address from the domain configured in the policy.

    To clarify:

    I configured a policy for my domain (e.g. domain.com) and set routing information and other parameters.

    On the 'Relay settings' page, I entered the internal mail server IP into the 'Host based relay' list and 'Any' into the 'Blocked Host' list.

    In the 'Upstream hosts' list I entered the IP of my external service provider's SMTP server. In the blocked list I entered 'Any'.

    Message flow works as expected.

    I connected to the XG from my PC using my Internet Key.

    I connected to the XG SMTP service and I was able to deliver a message from 'user@domain.com' to 'user@domain.com'. The message reached my internal server.

    Of course IP reputation was disabled, but that is outside the scope of the test.

    This is an unwanted result. My goal is to allow only specific hosts to use the XG MTA service for message relaying.

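The following is an added example, not part of the original thread and not Sophos' code. It reproduces the test described in the post above as a script: an SMTP session from an arbitrary source host, driven up to RCPT TO and no further, so nothing is delivered. Because it must run offline, the XG listener is replaced by a constructed in-process stand-in that mimics the behaviour the poster reports: any host may connect, a recipient in the policy's domain (assumed here to be domain.com) is accepted for inbound delivery, and a recipient in any other domain is refused as relay. The domain, the EHLO name, the stand-in's reply codes and the 127.0.0.1 addresses are assumptions. The point the probe makes visible is the distinction the thread turns on: accepting mail for your own domain from an unknown host is not relaying, so a relay test must use a foreign recipient, and only a connection-level control (an ACL or firewall rule) shows up as "no session at all".

```python
import smtplib
import socketserver
import threading

# Assumption: the domain configured in the XG email policy in the post above.
LOCAL_DOMAIN = "domain.com"


class FakeMtaHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the MTA listener (not the real XG service).

    Mimics the behaviour reported in the thread: anyone may connect,
    RCPT TO for LOCAL_DOMAIN is accepted (inbound delivery), RCPT TO for
    any other domain is refused (relay denied).
    """

    def reply(self, line):
        self.wfile.write(line.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 fake-mta ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return  # client closed the connection
            cmd = raw.decode("ascii", errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 fake-mta")
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                addr = cmd.partition(":")[2].strip().strip("<>").lower()
                if addr.endswith("@" + LOCAL_DOMAIN):
                    self.reply("250 2.1.5 OK")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_fake_mta(host="127.0.0.1"):
    """Start the stand-in on an ephemeral port and return the server object."""
    server = socketserver.ThreadingTCPServer((host, 0), FakeMtaHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, mail_from, rcpt_to, timeout=5.0):
    """Drive an SMTP session up to RCPT TO and report the outcome.

    Returns None if no session could be established (what a device-access
    ACL or firewall block looks like from outside), otherwise the reply
    code the listener gave for RCPT TO. DATA is never sent.
    """
    try:
        # "probe.example" is an arbitrary EHLO name (assumption).
        with smtplib.SMTP(host, port, local_hostname="probe.example",
                          timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, _ = smtp.mail(mail_from)
            if code != 250:
                return code
            code, _ = smtp.rcpt(rcpt_to)
            smtp.rset()
            return code
    except OSError:  # connection refused, timeout, or server disconnect
        return None


if __name__ == "__main__":
    server = start_fake_mta()
    host, port = server.server_address
    # Same test as in the post: local-domain sender and recipient from an
    # arbitrary source. Accepted, because this is inbound delivery, not relay.
    print("local recipient:", probe(host, port, "user@domain.com", "user@domain.com"))
    # A foreign recipient is what an open-relay test must use; this is refused.
    print("foreign recipient:", probe(host, port, "user@domain.com", "someone@example.net"))
    server.shutdown()
    server.server_close()
    # With the listener unreachable, the probe reports no session at all,
    # which is the outcome a connection-level ACL would produce.
    print("listener blocked:", probe(host, port, "user@domain.com", "user@domain.com"))
```

To run the probe against a real listener, call `probe()` with the XG's WAN address and port 25 from a host that is not in any relay list; a 250 for a local recipient together with a 5xx for a foreign one is the "accepts but does not relay" state described in the thread, and only `None` indicates the connection itself was filtered.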