This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Proxy listen on sub interface only?

We're looking at limiting the smtp proxy listening on all interfaces. Now I can see that it can be limited to x interface/s but can it be limited to a sub interface ie an additonal IP

eg. eth0 = WAN 2.2.2.2/27 with addtional IP's of 2.2.2.3, 2.2.2.4 etc

Can it be limited to above example 2.2.2.4 or will it just simply listen on all IP's on that /27 subnet?



This thread was automatically locked due to age.
  • Hi Louis,

    Two NAT rules, in order:

    NONAT : Internet -> {25, 465, 587} -> {2.2.2.4}
    DNAT : Internet -> {25, 465, 587} -> External (Network) : to {240.0.0.1}

    That blackholes all SMTP traffic to the other IPs.  Is that what you were looking for?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Not quite sure there Bob.

    This is for the SMTP proxy on the UTM which by default, listens on ALL interfaces. We have a WAN with a /27 so the WAN has one IP with the other IP's as additional IP's.

    Going into the SMTP proxy on the UTM, we can select a unique interface but it only allows the primary interface IP or other interfaces eg vlans.

    It doesn't allow you to select the additional IP's on the primary interface.

  • Online Help:

    Listen Interfaces

    By default, the SMTP proxy listens on all interfaces on ports 25, 465, and 587 for incoming email traffic.

    To listen only on particular interfaces, select the option Custom Interfaces and add interfaces to the Allowed Interfaces box. Click Apply.

     

    Seems like it is only the WAN Interface object. So you should be able to add the Alias Interface there,. 

    __________________________________________________________________________________________________________________

  • It can be made to listen on any custom interface only. But it can only be limited to listen on the primary IP of that interface, not just listen on an additional IP on that interface only.

    So it appears to be a little limited eg in the above example, you can get it to listen only on 2.2.2.2/27 (Primary IP of the interface) but not listen only on 2.2.2.3 or 2.2.2.4 (additional IP's of the interface).

  • Cool, Tony - I didn't see when that was added.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Did you try the NAT rules, Louis?  According to #2 in Rulz (last updated 2019-04-17), the DNAT should blackhole traffic on other IPs before the traffic can reach the SMTP Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I do believe it may have worked. A little more testing but it's looking promising. I'm wondering if I can put all of those IP's into a group and just have the one DNAT rather than multiple DNAT's for each addtional IP:

    eg:

    traffic from: any
    using: smtp
    Going to: <<<Group with all addtional interface IP's>>>
    Change detination to: Blackhole IP

    And is it nessecary to create a firewall rule or automatic firewall rule for this or should you just not create a firewall rule?

  • Brill.... it worked a treat. SMTP only replying from 1 IP address now instead of from all additional IP's as well.

    Cheers Bob