SMTP authenticated relay on Sophos XG
We have a customer here requesting that XG have a function as an SMTP authenticated relay.
For your assistance please. Thank you.
For sending e-mail with my phone (outside my local network) I have to use an SMTP server from a provider where I authenticate myself, and after that I can use their SMTP server. The other option is the SMTP server of my mobile phone provider, but when going abroad this does not work.
I would like this option in XG so I can send e-mail with my phone without needing a third-party SMTP server.
So XG should relay my e-mail from the outside network as long as i authenticate first. That option is missing and very much wanted.
I feel sorry about that, but I can't accept your answer as a "best practice" solution, because that way we just bypass the firewall scanning engine. Is it a simple port forward solution or not?
Is there any secure solution to scan TCP 587 (submission) port traffic like TCP 25?
In my test environment I can send any spam or virus to another local mailbox if I follow your suggestion. Well, we don't want that. It is also conceivable that I do not understand your answer properly, but I don't think so.
I look forward to your reply! Thank you very much.
Stuart, I am pretty certain that this feature request is about supporting SMTP AUTH, which is described in RFC 4954. Actually, RFC 6409, referenced by you, says the following in section 4.3:
"The MSA MUST, by default, issue an error response to the MAIL command if the session has not been authenticated using [SMTP-AUTH], unless it has already independently established authentication or authorization (such as being within a protected subnetwork)."
While this does not make SMTP AUTH mandatory, it strongly implies that SMTP AUTH is the only valid method of authenticating nomadic users (i.e. those not coming from a protected network like an internal network or a remote access VPN). Even the Wikipedia page you cited gives SMTP AUTH as an example.
This way nomadic users have no way to send email via the firewall. Another feature that is supported by UTM and basically everybody else except XG. I am sure you are not suggesting that port 587 should be forwarded (by DNAT) to the internal network; I am just misunderstanding your comment.
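An added example (not from this thread or from Sophos) of the RFC 6409 section 4.3 rule quoted above: a minimal message submission agent (MSA) command handler that answers MAIL with an error until the session has either authenticated with AUTH PLAIN over TLS or originates from a protected inside network. The inside network, the account and its password are constructed placeholders.

```python
import base64
import ipaddress
from dataclasses import dataclass

# Constructed sample data: one inside network and one submission account.
PROTECTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ACCOUNTS = {"alice": "correct horse"}


@dataclass
class Session:
    peer_ip: str
    tls: bool = False
    authenticated: bool = False

    def on_protected_net(self) -> bool:
        # RFC 6409 4.3 exception: a client inside a protected subnetwork is already authorized.
        return any(ipaddress.ip_address(self.peer_ip) in net for net in PROTECTED_NETS)


def plain_blob(user: str, password: str) -> str:
    """What a client sends after AUTH PLAIN: base64("authzid\\0authcid\\0passwd") (RFC 4616)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def check_plain(blob: str) -> bool:
    try:  # malformed base64 or a blob without exactly two NULs is rejected, not crashed on
        _, user, password = base64.b64decode(blob).decode().split("\0")
    except (ValueError, UnicodeDecodeError):
        return False
    return ACCOUNTS.get(user) == password


def handle(session: Session, line: str) -> str:
    """Return the MSA's reply to one client command, given the session state so far."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "STARTTLS":
        session.tls = True  # a real MSA would now wrap the socket in TLS
        return "220 2.0.0 Ready to start TLS"
    if verb == "AUTH":
        if not session.tls:  # RFC 8314: credentials only over an encrypted session
            return "530 5.7.0 Must issue a STARTTLS command first"
        mech, _, blob = arg.partition(" ")
        if mech.upper() == "PLAIN" and check_plain(blob):
            session.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"
    if verb == "MAIL":
        if session.authenticated or session.on_protected_net():
            return "250 2.1.0 Ok"
        return "530 5.7.0 Authentication required"  # RFC 6409 4.3 default behaviour
    return "250 2.0.0 Ok"  # EHLO, RCPT, DATA etc. are not modelled here
```

A nomadic client therefore gets a 530 on MAIL until it has completed STARTTLS and AUTH, while a client on the inside network is accepted without AUTH, which is exactly the distinction the feature request is about.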
Stuart Hatto, XG Product Manager commented
Mobile devices should use TCP 587 (submission) to send emails, not SMTP; submission implies authentication. https://en.wikipedia.org/wiki/SMTP_Authentication#Role_in_the_mail_transport_system
RFC 6409 defines Message Submission and is the current Internet Standard. It is updated by RFC 8314, which mandates encryption for Submission (currently a proposed standard).
We added TCP 587 to the SMTP(S) service object in v17.5, so this can be used to direct traffic to the internal MTA via a firewall rule and DNAT.
This would therefore be rejected as a feature request.
XG does support authenticated relay for MTA to MTA of course.
XG Product Manager