Confused

hi, your post is slightly confusing.

From what I'm reading, you have:

1. Internal - an exchange server. I'd imagine that all internal client connect and use this?

2. your exchange server forwards to the UTM for outgoing mail and the UTM recieves mail and fowards to exchange for email protection etc

3. Your CEO had another email account (in addition to the exchange account) that uses IMAP/SMTP to access email eg gmail or something similar

4. You are trying to allow this account through the UTM?

If Louis-M is correct in his assumptions, I don't think you need the SNAT rules - a simple firewall rule allowing access from your CEO's PC to the required mailserver using the "Email Messaging" protocol definition should suffice.

1) You dont have to put CEO personal email in Upstream hosts/networks

2) Since the Email Protection is in transparent mode: UTM is the property of Email Protection and you cant do nothing with Firewall or SNAT Rules.
You have to Exclude the CEO ip Under: Advanced>Skip Transparent Mode Hosts/Nets. Then you can play with Firewall Rules

Shaun Raven said:

If Louis-M is correct in his assumptions, I don't think you need the SNAT rules - a simple firewall rule allowing access from your CEO's PC to the required mailserver using the "Email Messaging" protocol definition should suffice.

 

Shaun's advice looks correct to me:

• Get rid of the SNAT rules (I bet they are the culprit of things not working now).
• Your firewall rule 9 is useless since in rule 8 you simply allow any (rule 9 will never be triggered this way), however I would disable rule 8 (with any) and use rule 9 instead. Make sure all required protocols are in the rule (IMAP, SMTP, 

Are you saying that he wants his personal email added to his Microsoft Outlook profile?   This has nothing to do with Email Protection.  Remove everything that you have added

When you add the account, use the option for "Internet email", then type IMAP.

IMAP connection has two parts, IMAP is used for retrieval, SMTP is used for sending.   You need to get correct server names from the hosting service for both protocols.   You should insist on configuring with TLS security.  Secure IMAP uses port 993, and secure SMTP uses 465 or 587.

As long as you have the correct server names and ports, and the ports are not blocked at the firewall, you should be able to connect.

Note, however, that CEOs are the crime world's preferred victim, and UTM is unable to do any filtering of IMAP traffic.  In my experience, the spam filtering of most hosting services leaves much to be desired.  Make an assessment of what happens if he deploys ransomware from his personal email account.   Also ensure that your web filtering is optimized, as a partial defense against hostile email getting through this opening.

DouglasFoster said:

As long as you have the correct server names and ports, and the ports are not blocked at the firewall, you should be able to connect.

This works if Email Protection is in transparent mode?  If not don't mislead or take the confusion in higher level.

This has nothing to do with email protevtion, which operates on port 25 to protect traffic between mail servers.   Connecting Outlook to a mail server is different and usrs different ports.

If the Outlook connection was Pop, then transparent pop would be an option for some protection, but imap is strictly a firewall issue.

80% of the servers are using port 25. If you are correct, one rule "from ceo-ip to any ising service  any, allow" will work

Hi, Russell, and welcome to the UTM Community!

We can't help you until you respond to the comments already made.

Cheers - Bob