MTA sophos UTM 9 ???

Hi,

Can I set up the Email Protect feature of UTM 9 as an MTA (mail transfer agent)?

I just set up a Zimbra mail server, and I see the Email Protect feature on my Sophos UTM 9. Can I use the Email Protect feature for my Zimbra server, and HOW?

I tried to follow this topic ( https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/48998/how-to-setup ) but without success.

Please help me!

Thank You.

  • Hey, Tam.

    I wouldn't call it an MTA, but you can set the UTM to filter incoming and outgoing mail for spam and malware. It would roughly be something like:

    Incoming: Internet SMTP -> UTM -> Zimbra - Client IMAP/POP/ZCO

    Outgoing: Client SMTP -> Zimbra -> UTM -> Internet SMTP

    So, in a nutshell, your MX record would point to your UTM's external interface. You would configure the UTM to accept messages that are addressed to your domain and relay them to your Zimbra server. That way messages would be accepted and filtered by the UTM and then delivered to Zimbra. From there it is pretty much business as usual, with your Zimbra server accepting and storing the filtered messages and allowing clients to connect and retrieve messages through IMAP/POP/ZCO.

    For the other way around you will need to configure Zimbra to use the UTM as a smart host. That way the UTM would filter outgoing messages for spam and malware as well, delivering them to the remote servers afterwards.

    The article you provided covers all the basics necessary to get things going. But the UTM is not an MTA, so it will not allow clients to connect to it for sending and receiving messages. For that you do need to find a way for:

    a) Clients inside your network to connect to the Zimbra server for sending and receiving messages

    b) Clients outside your network to connect to the Zimbra server for sending and receiving messages

    My approach is usually to have a single hostname for MX, IMAP/S, POP/S, and SMTP/S and point it to a valid external IP on which the UTM would listen. That would allow for a simpler configuration of the clients. I then use something called "Split DNS" to accomplish "a". For "b", a DNAT rule forwarding Submission, POP3S and IMAPS from the external interface to your internal Zimbra server would suffice. For example, assuming you would use something like "mail.domain.com" as the hostname:

    For external users, mail.domain.com would resolve to a routable IP address on your WAN. That would be the IP of one of the UTM's external interfaces. SMTP messages sent on port 25 would be accepted, filtered and delivered to Zimbra. To allow clients outside your network to send and receive messages, you could create a DNAT rule forwarding packets received on this external IP on ports 587 (mail Submission over TLS), 993 (IMAPS) and 995 (POP3S) to your Zimbra server's internal IP.

    For internal users, you could create a zone on your internal DNS pointing mail.domain.com to your Zimbra server's internal IP. That's split DNS: on the outside, mail.zimbra.com resolves to your external IP (the UTM in this case) while on the inside it resolves to your Zimbra server. That way, no matter whether the users are inside or outside your network, the mail client would just work.

    Hope it helps.

    Regards,

    Giovani

  • Hi Giovani,

    Thank you so much. I followed your guide, and I can receive mail and send mail for the local domain.

    But I can't send mail to other domains (outgoing mail to the internet) such as Gmail; when I send mail I receive this error:

    This is the mail system at host mail.mydomain.vn.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

                       The mail system

    <xxxxx@gmail.com>: mail for [IP internet interface of firewall ] loops back to myself

    Hope you can help me.

    Thank you.

  • Delete Zimbra in Upstream Hosts

  • Yes, this is OK, thank you.

    But now I get a new error when I send mail to Gmail or other domains:

    <xxxxxx@gmail.com>: host 113.161.225.241[113.161.225.241] said: 550   Relay not permitted (in reply to RCPT TO command)

    where 113.161.225.241 is the internet interface IP of the Sophos UTM 9.

    Error in the log file:

    2017:11:08-08:54:48 asg225241 exim-in[5600]: 2017-11-08 08:54:48 SMTP connection from [113.161.225.241]:38588 (TCP/IP connection count = 1)
    2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 H=(mail.[mydomain].vn) [113.161.225.241]:38588 F=<thanhtam@mail.[mydomain].vn> rejected RCPT <xxxxxxx@gmail.com>: Relay not permitted
    2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 SMTP connection from (mail.[mydomain].vn) [113.161.225.241]:38588 closed by DROP in ACL

    Thank you so much!
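An added example, not from this thread or from Sophos, that parses UTM exim-in log lines in the format quoted above and separates "Relay not permitted" rejections of your own server's outbound mail (the host-based relay gap this thread ends up fixing) from expected rejections of third parties trying to relay through the UTM. The log lines, addresses and domains are constructed; the local-domain list and internal networks are assumptions you would replace with your own.

```python
import ipaddress
import re

# Constructed sample log, modelled on the UTM "exim-in" lines quoted in the thread.
# Line 2 is our own Zimbra host (arriving via the UTM's own external address, as in
# the thread) being refused outbound relay; line 4 is an unrelated host being refused.
SAMPLE_LOG = """\
2017:11:08-08:54:48 asg225241 exim-in[5600]: 2017-11-08 08:54:48 SMTP connection from [203.0.113.5]:38588 (TCP/IP connection count = 1)
2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 H=(mail.example.vn) [203.0.113.5]:38588 F=<user@mail.example.vn> rejected RCPT <someone@gmail.com>: Relay not permitted
2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 SMTP connection from (mail.example.vn) [203.0.113.5]:38588 closed by DROP in ACL
2017:11:08-09:01:02 asg225241 exim-in[4480]: 2017-11-08 09:01:02 H=(mx.other.test) [198.51.100.7]:4101 F=<spam@other.test> rejected RCPT <nobody@elsewhere.test>: Relay not permitted
"""

# Fields of a rejection line: HELO name, connecting IP, envelope sender, rejected recipient.
REJECT_RE = re.compile(
    r"H=\((?P<helo>[^)]+)\) \[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>: Relay not permitted"
)


def parse_relay_rejections(log_text):
    """Return one dict (helo, ip, sender, rcpt) per 'Relay not permitted' line."""
    return [m.groupdict() for line in log_text.splitlines() if (m := REJECT_RE.search(line))]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify(rejections, local_domains, internal_networks):
    """Split rejections into (misconfig, expected).

    misconfig: mail from an internal network or from one of our own domains, bound for
    a foreign domain. That is our own mail server being blocked, so it belongs in the
    UTM's host-based relay list. Matching on the sender domain matters because, as in
    the thread, the connecting IP may be the UTM's own external address, not Zimbra's.
    expected: anyone else asking the UTM to relay to a foreign domain (open-relay attempt).
    """
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    local = {d.lower() for d in local_domains}
    misconfig, expected = [], []
    for r in rejections:
        ip = ipaddress.ip_address(r["ip"])
        sender_dom, rcpt_dom = _domain(r["sender"]), _domain(r["rcpt"])
        internal = any(ip in n for n in nets)
        own_sender = any(sender_dom == d or sender_dom.endswith("." + d) for d in local)
        (misconfig if (internal or own_sender) and rcpt_dom not in local else expected).append(r)
    return misconfig, expected
```

Run `classify(parse_relay_rejections(open("/var/log/smtp.log").read()), {"example.vn"}, ["10.0.0.0/8"])` against your own log; anything in the first list is a host that needs a host-based relay entry, anything in the second is the UTM doing its job.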

  • In Advanced Tab, put Zimbra in allowed relay

  • Sorry, I don't see where to allow relay?

  • When I untick Use transparent mode I receive the error "mail for 113.161.225.241 loops back to myself".

    With Use transparent mode ticked it is not permitted.

    @@

    What is my problem????

  • My fault.

    Under Relaying Tab: -> Host-Based Relay

  • Unknown said:

    My fault.

    Under Relaying Tab: -> Host-Based Relay

    Oh yeah, it worked for me, haha.

    Now I can send and receive email, hahaha.

    Thank you so much.