
Outgoing mail (SMTP) blocked by UTM

Hi all,

 

I just restarted using Sophos UTM again. Version 9.408-4

Since then some applications will not run. Where secure services are used, with the exception of HTTPS, they run OK. I guess that will be because that traffic is handled by Web Protection.

Sticking with one of these applications, being Outlook 2016 (Office 365), locally installed.

It doesn't matter whether I use the secure or unsecure port of POP3 or SMTP.

Incoming traffic works fine, outgoing > no way.

Receiving the following message in live log SMTP proxy:

2016:11:30-21:23:07 sophos-utm exim-out[12998]: 2016-11-30 21:23:07 1cBnUa-0001im-GB mail.x.nl [194.60.207.168]:25 Connection timed out
2016:11:30-21:23:07 sophos-utm exim-out[12997]: 2016-11-30 21:23:07 1cBnUa-0001im-GB == info@x.nl R=dnslookup T=remote_smtp defer (110): Connection timed out
 
I have two mailboxes. I only see these logs from one mailbox.
 
From Support/Tools, Ping to the DNS server is OK and DNS lookup is also OK.
 
Live Log IPS:
2016:11:30-20:08:34 sophos-utm snort[5115]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="MYPC" dstip="DNS-server" proto="17" srcport="51833" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
 
I don't think IPS is the problem. Nevertheless I've made an exception for IPS checking on service 25 just to see what happens. No solution.
 
Anyone has ideas to solve this?
 
Thanx Jaap


This thread was automatically locked due to age.
  • Hi Jaap,

    Just disable the SMTP Proxy as it is not meant to work in this way.  You just need a firewall rule like:

    Internal (Network) -> Email Messaging -> Internet : Allow

    Are things working now?  If not, try #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I've disabled not only the SMTP proxy; by now the only things running are the firewall with an any > any, any rule, web filtering, antivirus for HTTP/S and antispyware.

    And still I'm not able to send or even receive mail now.

    What is weird is that with Wireshark on my PC, traffic towards the external mail servers was not trapped, nor were the TCP ports configured/used by Outlook.

    As soon as I reverted back to my old Cisco ASA 5505, everything worked fine again. Wireshark showed servers and tcp-ports.

    I know, a totally different device, but nevertheless.

     

    I've got Bitdefender Total Security 2016 running. Could that be something?

     

    Thanx Jaap

     

  • Did you configure a masquerading rule?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    "What is weird is that with Wireshark on my PC, traffic towards the external mail servers was not trapped, nor were the TCP ports configured/used by Outlook."

    You're saying that the traffic doesn't even reach the UTM's LAN interface?  If you put the same IP on that interface as on the corresponding one on the ASA, then, after you reconnect the UTM, you will want to reboot any switches in your LAN to force them to clear their ARP tables.

    Was that all it was?

    Cheers - Bob

  • Hi Bob,

    It would have been great. But no.

    Of course there is some delay in Internet access for a few minutes if you don't flush ARP.

    Here's what I did:

     

    After switch from ASA to UTM:
    - PC: arp -d IP of ASA
    - Flush of ARP table on switch. Also did a reboot.
    Checked via arp -a: IP address and MAC address. On UTM > Interfaces > Hardware > yes, MAC on IP is UTM.
    Bitdefender: all modules turned off.
    Wireshark: DNS query for mail servers is performed and answered by/through UTM to PC with correct IP address. Checked with nslookup.
     
    Test on Outlook PC via myname@outlook.com is successful. Mail arrives in inbox at provider (webmail).
    Use other accounts result stuck.
     
    Errors in Outlook:
    0x80042108
    0x80042109
     
    Live log SMTP proxy (OFF): x@x.x.x R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
    Still only few options UTM active. No mail stuff or anti-spam.

    Ended Outlook.

    Connected ASA

    Bitdefender ON all options

    DNS on PC. After Internet was available.

    Started Outlook. All messages in Outlook and waiting there outside - sent and received.

    Thanx Jaap

  • It's difficult to tell where your configuration error is.

    I'm still not clear on whether the traffic from your PC was reaching the LAN interface of the UTM.  Rather than Wireshark on the PC, try tcpdump on the UTM.  Assuming your PC is at 172.16.1.101 and your LAN is on eth0:

    tcpdump -n -i eth0 src 172.16.1.101

    Do you see traffic going to the UTM?

    Cheers - Bob

  • Hi Bob,

     

    Here is the result of Tcpdump on the UTM:

    19:55:29.760500 IP 'MyIP'.60096 > 'UtmIP'.53: 20+ A? smtp.ziggo.nl. (31)
    19:55:29.761049 IP 'MyIP'.58747 > 'UtmIP'.22: Flags [.], ack 8545, win 2085, length 0
    19:55:29.783202 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0

    19:55:32.784551 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
     
    19:55:37.584707 ARP, Request who-has 'UtmIP' (90:e6:ba:51:10:82) tell 'MyIP', length 46
     
    Greetz Jaap
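As an added example that is not part of the thread: a small Python script that reads tcpdump's text output, such as the capture above, and tells per TCP flow whether the SYN ever got a SYN-ACK back. The embedded sample is constructed from the lines in the post, with the redacted 'MyIP' / 'UtmIP' replaced by the 172.16.1.101 / 172.16.1.1 addresses Bob assumed earlier, plus two invented lines showing a completed handshake for contrast. A SYN repeated with the same sequence number and no answer, as seen for 212.54.42.9:587, means the PC's packets did reach the UTM's LAN interface and nothing on the way back ever answered.

```python
import re
import sys

# Constructed sample in tcpdump's default text format. The first five lines
# mirror the capture posted above (addresses are assumptions, see lead-in);
# the last two are invented to show a healthy three-way handshake.
SAMPLE = """\
19:55:29.760500 IP 172.16.1.101.60096 > 172.16.1.1.53: 20+ A? smtp.ziggo.nl. (31)
19:55:29.761049 IP 172.16.1.101.58747 > 172.16.1.1.22: Flags [.], ack 8545, win 2085, length 0
19:55:29.783202 IP 172.16.1.101.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
19:55:32.784551 IP 172.16.1.101.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
19:55:37.584707 ARP, Request who-has 172.16.1.1 (90:e6:ba:51:10:82) tell 172.16.1.101, length 46
19:55:40.100000 IP 172.16.1.101.58900 > 212.54.42.9.110: Flags [S], seq 1, win 8192, length 0
19:55:40.130000 IP 212.54.42.9.110 > 172.16.1.101.58900: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

IP4 = r"\d+\.\d+\.\d+\.\d+"
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IP4})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
DNS_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP4})\.\d+ > (?P<dst>{IP4})\.53: "
    r"\d+\+ (?P<qtype>[A-Z]+)\? (?P<name>\S+)\."
)


def parse_capture(text):
    """Group TCP packets into flows keyed by the side that sent the SYN
    (src, sport, dst, dport) and collect DNS queries seen on port 53.
    Packets travelling the other way are matched to the reversed key,
    so a SYN-ACK or RST from the server is attributed to the client's flow."""
    flows, dns = {}, []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            dns.append((m["name"], m["qtype"]))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue  # ARP, ICMP, non-IPv4: irrelevant for this question
        flags = m["flags"]
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if rev in flows:  # reply for a flow whose SYN we already saw
            if "S" in flags and "." in flags:
                flows[rev]["syn_ack"] = True
            elif "R" in flags:
                flows[rev]["rst"] = True
            continue
        f = flows.setdefault(fwd, {"syn": 0, "syn_ack": False, "rst": False, "other": 0})
        if flags == "S":
            f["syn"] += 1  # a repeat with no reply in between is a retransmit
        else:
            f["other"] += 1
    return flows, dns


def classify(flow):
    """Turn the per-flow counters into the verdict a troubleshooter wants."""
    if flow["syn_ack"]:
        return "handshake completed"
    if flow["rst"]:
        return "refused (host reachable, port closed)"
    if flow["syn"] >= 2:
        return "no reply to repeated SYN: dropped upstream or not routed"
    if flow["syn"] == 1:
        return "SYN sent, no reply yet"
    return "mid-stream only (no SYN captured)"


def report(text):
    """Return ({'client:port->server:port': verdict}, [(dns name, qtype)])."""
    flows, dns = parse_capture(text)
    verdicts = {f"{s}:{sp}->{d}:{dp}": classify(f) for (s, sp, d, dp), f in flows.items()}
    return verdicts, dns


if __name__ == "__main__":
    # Pipe `tcpdump -n -i eth0 src <pc-ip>` output in, or run without input
    # to analyse the embedded sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    verdicts, dns = report(text)
    for name, qtype in dns:
        print(f"DNS {qtype} query for {name}")
    for key, verdict in verdicts.items():
        print(f"{key}: {verdict}")
```

Running the same script against a capture taken on the external interface (`tcpdump -n -i eth1 port 25 or port 587`) separates the two remaining possibilities: SYNs leaving the outside NIC with no SYN-ACK point at the modem or ISP, SYNs that never appear there point at the UTM's own rules or routing.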
  • So, do you believe any data reaches the UTM from your PC?

    Cheers - Bob

  • Hello Bob,

    Traffic is screaming through the UTM. Everything besides sending or receiving mail.

    Again doesn't matter if I use secure or unsecure ports for smtp or pop3.

    Last thing I've tried is to change the MTU on the UTM to 0 and putting MTU at 1500 on the external interface via Webadmin.

    That hasn't helped either.

    Also tried mail with my laptop. Same problem.

    Saw a post on Realtek NICs, after I reverted to my ASA once again. Any ideas on that?

     

    Greetz Jaap

  • Hi all,

    Finally performed a tcpdump on the outside interface of the UTM.

    See traffic over used ports for email: 110, 587 (provider specific), 993, 25 exiting the outside NIC.

    Logging firewall: traffic allowed. DNS also, no problem.

    Not seeing traffic in Wireshark is a problem within Wireshark itself. It has to do with more available (virtual) NICs. Stop these and Wireshark will work properly.

    My conclusion is that something happens with the packets because my provider, Ziggo, blocks them.

    Greetz Jaap

  • Hi Jaap,

    Ziggo does indeed block outgoing mail other than going to their own mailserver (smtp.ziggo.nl). Outgoing mail to smtp.ziggo.nl should normally work. Also incoming mail (pop3, imap) should work. I use Ziggo myself at my home (consumer Ziggo connection).

    If you really need outgoing port 25 (so your UTM sends out mails not using smtp.ziggo.nl as a smart host), then you need to upgrade to a business Ziggo account.


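An added example, not from the thread or from Sophos, of how to verify the port-25 filtering described above from a client behind the gateway: probe the ISP's own relay and a third-party server on 25 and 587 and read the SMTP greeting. A connection that times out means the SYN was silently dropped somewhere on the path (what the tcpdump earlier showed), while "refused" means the host answered with a RST and the path itself is fine. The hostnames are the ones named in the thread; `start_fake_smtp` and `free_port` are loopback helpers, assumed here only so the probe can be exercised offline.

```python
import socket
import threading

# Targets taken from the thread: the ISP relay is expected to answer on 25,
# a third-party server on 25 should time out if the ISP filters that port,
# while submission (587) should work to both.
TARGETS = [
    ("smtp.ziggo.nl", 25),
    ("smtp.ziggo.nl", 587),
    ("smtp.casema.nl", 25),
    ("smtp.casema.nl", 587),
]


def probe(host, port, timeout=5.0):
    """Connect and read the SMTP greeting.
    Returns (state, detail) with state in 'open', 'refused', 'timeout', 'error'.
    'timeout' on the connect means the SYN (or its reply) is being dropped;
    'refused' means a RST came back, so the network path is not the problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # connected but no greeting: a filtering proxy?
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:  # DNS failure, network unreachable, ...
        return "error", str(exc)


def diagnose(results, relay_host):
    """results: {(host, port): state}. Decide where the block most likely sits."""
    states = set(results.values())
    if states <= {"open", "refused"}:
        return "all targets reachable: no filtering on this path"
    if "open" not in states:
        return "nothing reachable: problem is the local gateway or routing, not the ISP"
    third_party_25 = [s for (h, p), s in results.items() if p == 25 and h != relay_host]
    if results.get((relay_host, 25)) == "open" and third_party_25 \
            and all(s == "timeout" for s in third_party_25):
        return ("ISP filters outbound port 25 except to its own relay: "
                "use submission (587) or the relay as smart host")
    return "mixed results: inspect per-target states"


def start_fake_smtp(banner=b"220 relay.example ESMTP\r\n"):
    """Loopback listener that greets one client; lets probe() run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port with nothing listening: bind, read back, release."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    results = {t: probe(*t)[0] for t in TARGETS}
    for (host, port), state in results.items():
        print(f"{host}:{port:<4} {state}")
    print(diagnose(results, "smtp.ziggo.nl"))
```

Run it once from a PC behind the UTM and once behind the ASA: if the relay answers on 25 in both cases and the third-party server times out in both, the ISP is the one dropping port 25 and the gateway change is a red herring for that port; results that differ between the two gateways point back at the UTM.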

  • Hello Mr. Pijnappels,

    Thanx for your reply.

    I partially agree on using port 25 for outgoing mail (smtp). It does work with smtp.ziggo.nl. Not with smtp.casema.nl there it is apparently blocked.

    To avoid discussions with Ziggo my outgoing port is now 587.

     

    But the problem remains the same:

    With the same e-mail properties: username/password, in- and outgoing mailservers and ports

    mail works with pc locally connected to a Cisco ASA 5505 Firewall, modem - Internet

    mail doesn't work with pc locally connected to a Sophos UTM, modem - Internet

    and this is incoming and outgoing mail

    On the outside interface I can see traffic pushed to the modem etc.

    Pffff

    Change it back to the Cisco ASA. Everything works fine again.

     

    Greetz Jaap

  • Jaap, does setting smtp.ziggo.nl as a smart host work?

    Cheers - Bob
