smtp: change authenticated smtp proxy authentication flow
UTM first verifies username/password, and then checks if the user is allowed to use the authenticated smtp proxy.
This allows a botnet to do a DoS attack, by simply giving wrong passwords for any AD account -> sophos checks all passwords, causing the account to become lockedout on the AD (toomanyfailedpasswords)
We would like UTM to first check if the user is allowed to use the auth smtp proxy AT ALL, then further authentication would in most cases not be required. (reducing the number of failed logons on our AD servers considerably)
This is how postfix sasl does it, which we have now started using instead of UTM for authenticated smtp relay.
Sure, UTM can block an IP after X failed attempts, but in case of a botnet, IPs are almost never used twice.