About Trusted Relays

Trusted relays are internal or external mail relay hosts that you know to be safe; that is, you trust that these hosts will not themselves be the source of unwanted email, although unwanted email may still be relayed through them. Trusted relays can exist both inside your network ("internal trusted relays") and outside it ("external trusted relays").

Examples of internal trusted relays include:
  • Site-specific email/webmail servers.
  • Mailing-list management systems.
  • Item-tracking servers.

Examples of external trusted relays include:
  • Mail hosts managed by your organization.
  • Mail relays owned by business partners that accept and relay a large volume of email on your behalf.
  • Mail relays managed by your ISP.

When trusted relays are configured, the appliance can identify the first untrusted relay (FUR): if a message was received from one or more trusted relays, the appliance walks the "Received" headers those relays added and picks out the first relay in the chain that is not trusted. When no trusted relays are configured, the FUR is simply the connecting relay.

Note
Spammers can easily forge Received headers, but the Received header written by a trusted relay can, as the name implies, always be trusted. Even if a message was delivered through several trusted relays in sequence, you can still extract the first untrusted relay from the Received headers and use that IP as the starting point for reputation checks, as well as for logging and reporting.

Advantages of Using Trusted Relays

There are a number of benefits provided by configuring the Sophos Email Appliance to use trusted relays.

  • Facilitate reputation filtering in the policy: Reputation filtering is one of the most effective ways of preventing unwanted email. If inbound email passes through one or more upstream relays, an MTA cannot usefully perform reputation filtering on the connecting relay, because that relay is always the same upstream host. However, reputation filtering can still be done in the policy if those upstream hosts are trusted relays and have been correctly added to the trusted relays list.
  • Improved spam checking efficiency: The appliance will not waste resources performing DNSBL and RBL checks on the IP address of the trusted relay; instead it checks the FUR and any subsequent relays in the received chain.
  • Improved spam catch rate: A message is more likely to be spam if the first untrusted relay has a bad reputation, whereas a trusted relay is unlikely to have one. If a trusted relay is not configured as such, and a spam message is relayed to it from an untrusted relay, the appliance uses the trusted relay's reputation rather than that of the untrusted relay that sent the spam, which makes the message less likely to be categorized as spam. If the trusted relay is configured correctly, the appliance uses the first untrusted relay's reputation instead, which improves the spam catch rate.
  • More accurate reports: The Top Spam Relays and Top Virus Relays reports always report the connecting relay. This is not very useful if the connecting relay is normally a single relay through which a large portion of your email is routed. If that relay is configured as a trusted relay, the first untrusted relays in the received chain appear in the reports instead, which makes it easier to identify the actual source of any unwanted email.
  • Improved management of Blocked/Allowed hosts: If a large number of incoming messages are routed through a single upstream relay, but this relay is not configured as a trusted relay, it will appear as though most unwanted email originates from that relay. In this case, most messages sent by hosts in the Allow/Block Lists will not be correctly identified as coming from those hosts.

    If the relay is configured as a trusted relay, the appliance instead applies the Allow/Block Lists to the first untrusted relay rather than to the now-trusted relay.

  • Trusted relays can be used in policy rules: As with the Allowed/Blocked hosts lists, the "source ip" message attribute will not always trigger unless trusted relays have been correctly configured.
  • Identification of internal spambots in your organization: If the internal email servers that are authorized to send outgoing email are configured as trusted relays, any outgoing messages identified as spam immediately point to the possibility of infected hosts within your organization, and also allow you to identify those hosts. In such a scenario, Sophos recommends configuring your policy so that notifications are sent to administrators or helpdesk operators when outgoing spam is detected.

Due to the advantages conferred, it is recommended that you configure the appliance to use trusted relays whenever possible.
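The following is an added example, not Sophos code, that makes concrete both the FUR identification described in the note above and the Allow/Block List behaviour from the advantages list. It assumes trusted relays are supplied as a list of IP addresses or CIDR ranges, walks the Received headers newest-first, and only consults a header written by a relay that is itself trusted, so a header forged by the spam source is never used. The message, relay addresses and block list are constructed for the demonstration; the `None` result when every recorded hop is trusted is this example's own choice.

```python
"""Identify the first untrusted relay (FUR) from a message's Received chain.

Added example (not Sophos code). Trusted relays are IPs/CIDRs; the Received
headers are walked newest-first, and a header is consulted only when the
relay that wrote it is trusted, so a header forged by the spam source is
never used to pick the FUR.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Iterable, List, Optional, Tuple

# Bracketed IP literal in the "from" clause of a Received header, e.g.
#   from mx.partner.example (mx.partner.example [192.0.2.25]) by ...
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def ip_in_list(ip: str, hosts: Iterable[str]) -> bool:
    """True if ip falls inside any address or CIDR in hosts (assumed list format)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(h, strict=False) for h in hosts)


def parse_received_ips(msg: Message) -> List[str]:
    """Sending IP recorded in each Received header, newest (topmost) first.

    Only the text before the 'by' clause is examined, so the receiving host's
    own address is never mistaken for the sender. Hops without an IP literal
    are skipped.
    """
    ips = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())                      # unfold continuation lines
        from_part = re.split(r"\s+by\s+", flat, maxsplit=1)[0]
        m = _BRACKET_IP.search(from_part)
        if m:
            ips.append(m.group(1))
    return ips


def first_untrusted_relay(msg: Message, connecting_ip: str,
                          trusted: Iterable[str]) -> Optional[str]:
    """Return the FUR for a message delivered to us by connecting_ip.

    If the connecting relay is not trusted (which includes the case of no
    trusted relays being configured), the FUR is the connecting relay itself.
    Otherwise the topmost Received header was written by that trusted relay;
    its 'from' IP is the previous hop, and the walk continues only while each
    hop is trusted. Returns None when every recorded hop is trusted
    (assumption: there is then no untrusted relay to check).
    """
    trusted = list(trusted)
    if not ip_in_list(connecting_ip, trusted):
        return connecting_ip
    for hop_ip in parse_received_ips(msg):
        if not ip_in_list(hop_ip, trusted):
            return hop_ip
    return None


def relay_for_policy(msg: Message, connecting_ip: str, trusted: Iterable[str],
                     blocked: Iterable[str]) -> Tuple[str, bool]:
    """IP the Allow/Block Lists are applied to, and whether the block list hits."""
    fur = first_untrusted_relay(msg, connecting_ip, trusted) or connecting_ip
    return fur, ip_in_list(fur, blocked)


# Constructed sample: spam source 198.51.100.77 -> partner relay 192.0.2.25
# -> ISP relay 203.0.113.10, which is the relay that connects to the appliance.
# The bottom Received header was forged by the spam source.
SAMPLE_MSG = message_from_string("""\
Received: from mx.partner.example (mx.partner.example [192.0.2.25])
\tby relay.isp.example (Postfix) with ESMTP id 4Zc1k2
\tfor <user@corp.example>; Mon, 6 May 2024 09:12:04 +0000
Received: from bot-host.example ([198.51.100.77])
\tby mx.partner.example with ESMTP; Mon, 6 May 2024 09:12:01 +0000
Received: from trusted-looking.example ([10.0.0.5])
\tby bot-host.example; Mon, 6 May 2024 09:11:58 +0000
From: someone@example.net
To: user@corp.example
Subject: constructed sample

body
""")

if __name__ == "__main__":
    blocked = ["198.51.100.0/24"]              # constructed block list entry
    for trusted in ([], ["203.0.113.10"], ["203.0.113.0/24", "192.0.2.25"]):
        fur, hit = relay_for_policy(SAMPLE_MSG, "203.0.113.10", trusted, blocked)
        print(f"trusted={trusted!r:<40} FUR={fur:<15} blocked={hit}")
```

With no trusted relays the block list is applied to the ISP relay and misses; with only the ISP relay trusted the partner relay is wrongly treated as the source; only once both upstream relays are trusted does the check land on the actual spam source.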