We have recently switched over to using the Sophos UTM 9 E-mail Protection and currently are unable to receive e-mails from a few domains including samsung and mail.ru. Our settings are such: MX records pointing to our mail server. Mail server points to internal address for the sophos box under send connector. We are able to send e-mails to any domain (including samsung and mail.ru) but we cannot receive from them. The only time I could receive from them is when I had a DNAT rule to point to the exchange server (but this only worked because it then bypassed the e-mail protection in sophos altogether). Have I configured something wrong?

I have configured my UTM in SMTP Standard Mode, and it has worked very well. Others have said that Transparent SMTP should be avoided, without getting into the details of why. The message sender should be receiving a Non-Delivery Report (NDR) from his mail server, which would be helpful for understanding the problem. If the traffic is not getting to the mail server when UTM is in the path, then it is obvious that UTM is blocking the traffic, and my experience is that it is doing so because you have told it to do so. UTM logs nearly everything unless you have told it not to do so. Each firewall rule can selectively enable or disable logging, so you may need to increase logging detail there, although firewall rules do not normally apply to SMTP traffic. Are you using ANY Country Blocking? Since you are having problems with Russia and Korea, country blocking seems like the likely cause. Configuring Country Blocking Exceptions can be tricky. See the RULZ post for information on packet processing sequence, which should help you know which log file to search. See my post in the Management section for a way to parse firewall logs into a SQL database. I have found that SMTP logs are hard to parse into a form that I consider useful, but I have made some recent progress. Send a Private Message if this is of interest. Is UTM your firewall, or do you have a firewall in front of UTM? If something is in front of UTM, the traffic may be blocked there. Similarly, do you have any clould-based email filtering in front of UTM?

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot receive e-mails from certain domains

John Lynch over 5 years ago

We have recently switched over to using the Sophos UTM 9 E-mail Protection and currently are unable to receive e-mails from a few domains including samsung and mail.ru. Our settings are such:

MX records pointing to our mail server.
Mail server points to internal address for the sophos box under send connector.

We are able to send e-mails to any domain (including samsung and mail.ru) but we cannot receive from them. The only time I could receive from them is when I had a DNAT rule to point to the exchange server (but this only worked because it then bypassed the e-mail protection in sophos altogether).

Have I configured something wrong?

This thread was automatically locked due to age.

Parents

0 apijnappels over 5 years ago

Did you already try to look in the logfiles? Maybe some country blocking?

You might want to start with looking in the email logfiles, if those mails are coming to your mail protection at all, then that's the place where you should find them. If not, then look in firewall logs.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel
0 John Lynch over 5 years ago in reply to apijnappels

Yes I have looked in the log files. They're not reaching my mail server (unless I disable the sophos filtering completely) and nor are they in the sophos logs.

I would have expected to see them in the sophos mail log and the fact I couldn't made me think that it mustn't be my end. However the second I disable sophos email protection the e-mails start coming through which would indicate it is sophos.
Cancel
Vote Up 0 Vote Down

Cancel
0 John Lynch over 5 years ago in reply to DouglasFoster

Thank you very much. That has started helping the problem. I turned off country blocking for Russian Federation and that allowed the mail.ru e-mails to come through.

However under my exceptions tab for country blocking I do have the following rule:

Exceptions List:

Region: All regions

Countries: originally it said any or all, but I have changed this to manually list all of the countries instead hoping that would make a difference.

For all request: going to these

Host/Network: Any

Using these Services: DNS, HTTP(S), SMTP, SMTP SSL and SMTP TLS

I would expect the above rule to exempt country blocking from being used on e-mails. Is there another protocol I'm not including?

UTM is our firewall and we do not have any cloud based mail filtering.
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 5 years ago in reply to John Lynch
Here are the tricks with Country Blocking Exceptions:

1) The country list

If the specified network object is internal, you MUST include a country list.

If the specified network object is external, the country list MUST BE EMPTY.

2) The internal target

When the specified network object is internal, it might be necessary to include both the destination address and the UTM interface address on which it arrives. I have not tested this enough to be certain, but it is usually harmless to include both.

Examples:

Applying these principles to a Country Blocking Exception for mail.ru:

You can allow mail from ALL Russian sources by specifying a Country Blocking Exception like this:
ToAddress=<MX address>, Target Port=25, Country=Russia.

But to ONLY allow mail from the mail.ru email domain requires knowing their IP Addresses. The Country Blocking Exception will look something like this:
FromAddress=<mail.ru SPF address list>, Target Port=25, Country=NONE

These exceptions only let the message through Country Blocking. SMTP Filtering rules will still be evaluated after traffic is allowed past this layer.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 5 years ago in reply to DouglasFoster

You are misleading. Transparent mode is the most protection you can get

In Exception Internal interface is subject only for outgoing trrafic, and will never used for incoming traffic since nobody knows your internal IP's
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to John Lynch

In general, all dedicated mail servers, internal or external, work with the approach in Basic Exchange setup with SMTP Proxy. I recommend against using Transparent for anything other than debugging a problem as leaving it enabled means that an infected machine in your network that's a spambot could quickly get you blacklisted.

Instead of 'Host/Network: Any', in the place of "Any," I would use a group of the "(Address)" objects on your WAN port(s). Including DNS and HTTP/S shouldn't be necessary for this purpose.

Cheers - Bob
PS Moved this thread to the Mail forum.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 5 years ago in reply to BAlfson

BAlfson said:

I recommend against using Transparent for anything other than debugging a problem as leaving it enabled means that an infected machine in your network that's a spambot could quickly get you blacklisted.

Did you forget on purpose "Who can Relay in the Sytem" Bob?

Host-based Relay
Cancel
Vote Up 0 Vote Down

Cancel
0 DouglasFoster over 5 years ago in reply to BAlfson

See if I understand the last part of this correctly:

The SMTP Proxy has an "Allowed Relay Hosts" list. If "authenticated SMTP" is disabled, the devices in the "Allowed Relay Hosts" list are the only ones allowed to send to exterral email addresses.

In Transparent Mode, UTM is not acting as a relay, so does this mean that the "Allowed Relay Hosts" list is not applicable and not enforced?

Here are some model configurations based on the above:

1) Both modes: Block incoming SMTP from the outside to non-MX public IP addresses.

DNAT From <Any> TO <Non-MX public IP address list> Port 25 Reconfigure destination as <Dead-End-Address> port 25

2a) Standard SMTP Mode: Block outbound email not routing through UTM SMTP Proxy

Firewall From ANY to ANY port 25 Action=BLOCK

2b) Transparent SMTP Mode: Block outbound email form unauthorized internal senders

Need a NAT rule to allow outbound from trusted senders, then a dead-end rule to block all other internal addresses / private IPs. Not sure I know how to do this.

Is 2B the core of the problem with Transparent SMTP?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 5 years ago in reply to Ol Deda

I haven't experimented with it in probably 10 years, but I think it allows all internal devices to relay off the Proxy. Could you test that for us, Olsi?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 5 years ago in reply to BAlfson

No for sure. You will get "Relay not Permited"

And with "autenticated users" (send connector from exchange with authentication), only Exchange or Mail Program in that computer can send emails, not the computer or the virus in it.

I use in this way not only home, but in my work with 200 devices behind

My colegue plays all days with firewall rules. The only think it is not allowed to do is Mail Protection and our work IP is clean
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 5 years ago in reply to DouglasFoster

In transparent mode, you can delete any rule in firewall and DNAT regarding SMTP. In this way it becomes Mail Protection, not just a proxy/scanner

In my enviroment:

Under Relay tab I dont have any host. I just have a user in exchange, that is configured in the send connectoe too. The Exchange has no dns configured too because leaves the email to be handled by. UTM. I can even restart the exchange and not lose incoming mails. Once connected UTM wil deliver spooled emails to exchange, you cant do this in standart mode

The IT nightmare is to get Blacklisted. I can play all the day with Smtp in firewall rules in this way
Cancel
Vote Up 0 Vote Down

Cancel
0 Ol Deda over 5 years ago in reply to DouglasFoster

Douglas you have to skip the internal host from Transparent, after that it will be subject of firewall/dnat rules.

Simple test: make a rule in firewall to allow a particular host reach any in port 25

Without Skip, telnet anymailserver 25. And see who will respond

With Skip and firewall rule on telnet the mailserver again.

This will clarify you a bit
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Ol Deda over 5 years ago in reply to DouglasFoster

Douglas you have to skip the internal host from Transparent, after that it will be subject of firewall/dnat rules.

Simple test: make a rule in firewall to allow a particular host reach any in port 25

Without Skip, telnet anymailserver 25. And see who will respond

With Skip and firewall rule on telnet the mailserver again.

This will clarify you a bit
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data