This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Authentication doesn't work after switching from DNAT to email protection (cant find server from external network/IP)

Hi all,

 

First off , thanks for your help in advance. So i have a UTM which had a DNAT rule to route mail to the mail server. All was fine. 

But if i enable email protection and disable the DNAT rule (to get mail monitoring,stats etc working), my email only works from internal networks!
i can receive mail fine, i can send mail fine (form webmail). But when i try to open outlook from my laptop or fetch mail from my phone , it will not let me authenticate or will not find the mail server to authenticate to. 

So from internal network all is fine. When i come from another IP from outside, i cant get mail working through sophos email protection. Only with a DNAT rule , then all works fine inside and outside, but then the email protection and monitoring and stats etc won't work because all the traffic seems to get routed around it then. Or do i have to set something else up to get the NAT routed traffic through email protection?

It looks to me that when DNAT rule is disabled, the traffic does not know where to go to authenticate.

Any idea what i'm overlooking?

 

Thanks again!

 

 

greets, Jerome



This thread was automatically locked due to age.
Parents
  • Assuming you chose Standard Mode (which Inormally recommend), UTM takes control of the IP address associated with your MX record.   To connect to the mail server instead of UTM, you need:

    • a separate IP address for the mail server, or
    • web application firewall protecting the mail server

    I do not believe there is any way to share an IP address between UTM-destined services (e.g. SMTP or WAF) with NAT destinations.

    If you only have one IP address, you can probably solve your problem by re-enabling NAT and enabling SMTP protection in transparent mode.

  • thank you for you answer! Sorry i had to clarify i have the WAP setup for the email server to so users can login to webmail. And that works fine with and without the NAT rule. But without the NAT rule users can't authenticate from outside network.

    Just noticed my phone tells me it can't reach the server if i turn the NAT off and see email coming over Email Protection without NAT. 

     

    Cheers again for the help!

     

    Greetings.

     

     

    p.s. maybe some more info:

    smtp sends on: 587 STARTTLS

    email server: iredmail (so no Exchange)

  • Hoi Jerome and welcome to the UTM Community!

    Since you were probably composing your post when jmu posted above, you may have missed it.  First, follow the link he provided and I think you'll understand why your configuration didn't do what you need and how to resolve it.  Any better luck?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How do clients fetch mails from this iredmail server? I'm guessing IMAP or POP? If IMAP the email protection doesn't cover that so you'd still need a firewall / DNAT rule. For POP, the email protection has a proxy, although from what I've read it's a bit finicky to setup.

  • I configured POP3 filtering and found it pretty straightforward, nothing tricky or unstable.    We had a small group of users who needed to connect from internal devices to an externally hosted email service.

    We had already deployed the UTM CA certificate to support web filtering, so my POP3 proxy was able to filter both secure and insecure POP3 connections.   But of course, POP3 is a pretty inadequate tool, so I do not recommend using it.   It only synchronizes the Inbox and Sent Items, not any user-created folders.   Mercifully, we have finally purged it from our organization. 

    When POP3 Proxy blocks a message, UTM inserts a notification message in its place.    I assume this is necessary to prevent the synchronization process from going crazy, but it also serves as a notification to the user.

    Returning to the original question, incoming POP3 or IMAP cannot work on the same IP address as WAF or Standard Mode SMTP, because IP addresses cannot be shared between UTM-controlled addresses and pass-through addresses.

Reply
  • I configured POP3 filtering and found it pretty straightforward, nothing tricky or unstable.    We had a small group of users who needed to connect from internal devices to an externally hosted email service.

    We had already deployed the UTM CA certificate to support web filtering, so my POP3 proxy was able to filter both secure and insecure POP3 connections.   But of course, POP3 is a pretty inadequate tool, so I do not recommend using it.   It only synchronizes the Inbox and Sent Items, not any user-created folders.   Mercifully, we have finally purged it from our organization. 

    When POP3 Proxy blocks a message, UTM inserts a notification message in its place.    I assume this is necessary to prevent the synchronization process from going crazy, but it also serves as a notification to the user.

    Returning to the original question, incoming POP3 or IMAP cannot work on the same IP address as WAF or Standard Mode SMTP, because IP addresses cannot be shared between UTM-controlled addresses and pass-through addresses.

Children
No Data