
E-mail Services Blocked

I am so confused. I have been using the Sophos UTM 9 (at home) for years and have been very satisfied with it. However, very recently something has changed and I have no idea what, because the reality is that I make very few changes to the firewall. By that I literally mean things like adding Static Mappings to DHCP and updating the firmware.

Anyway, as of about a week ago I can no longer receive work e-mails at home. My Microsoft Outlook client, my cell phone mail client, and OWA will NOT connect. Everything times out. No matter what I do.

Keep in mind that my devices have always been in a "Bypass Firewall" group due to that whole debacle and workaround to get Netflix and other services working, from years ago. The only way for me to receive e-mail while at home is by (1) connecting my laptop to my work VPN and (2) disconnecting my cell phone from my wireless network.

Please advise. Thanks.



  • Hi Juscelino,

    Please make sure to have the logging option enabled and to set it in the first position of your Firewall Rules, to see allowed traffic processed by your Bypass rule (by default you'll only see dropped traffic).

    If you temporarily create a "LAN to Internet Allow Any, Log enabled" rule at the top of your rules, you should be able to see the traffic caused by your devices.

    If we know if and what traffic happens, we should be able to see why it doesn't work.

     

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Thank you for the suggestion. I created the rule. Does the following image of my firewall log help?

  • Hi Juscelino,

    If you are not a Google employee, then this is not your work public IP.

    The subnet 172.217.0.0/16 is owned by Google; are you using Gmail-Pro at work?

    If not, we don't see any mail-related traffic in this log.

    Is there anything in the IPS log?

     

    Yours Lukas

     

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Lukas,

    I know for a fact that our e-mails flow via Google, including SMTP relay and incoming messages. However, I also know for a fact that we connect all clients directly to an in-house Exchange Server. So my "rejections" are for certain to our in-house Exchange Server, located behind a Cisco ASA firewall. I can look around in the Cisco ASA firewall, but I am not an expert and do not know what to look for.

    Here is the only thing that I see in my IPS log:

    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:08 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
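To make sense of ulogd lines like the ones quoted above, here is an added Python example (not Sophos code and not from anyone in this thread) that parses the UTM `key="value"` format, groups the events per flow and flags whether any of them involve a TCP port a mail client would normally use. The helper names and the `MAIL_TCP_PORTS` set are assumptions; the first two sample lines are copied from the post, the third is constructed to exercise the mail-port check. On the thread's own lines it reports zero mail-related events: they are UDP from source port 443 on a Google address, which matches Lukas's point that the log shows no mail traffic at all.

```python
"""Triage Sophos UTM ulogd IPS log lines.

Added example, not Sophos UTM code. Function names and MAIL_TCP_PORTS
are assumptions. The first two SAMPLE_LOG lines come from the thread;
the third is constructed (RFC 5737 addresses) to show a TCP/993 event.
"""
import re
from collections import Counter

# Syslog-style prefix: "<timestamp> <host> <prog>[<pid>]: key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
# One key="value" pair; values may contain spaces (e.g. name="UDP flood detected").
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: TCP ports an Outlook/OWA/IMAP/POP3/SMTP client would use.
MAIL_TCP_PORTS = {25, 465, 587, 110, 995, 143, 993, 443}

SAMPLE_LOG = """\
2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
2018:01:11-21:22:09 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="CONSTRUCTED sample event" action="drop" fwrule="60013" initf="eth0" srcip="192.0.2.10" dstip="198.51.100.20" proto="6" length="60" srcport="51234" dstport="993"
"""


def parse_line(line):
    """Return a dict of header fields plus every key="value" pair, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")),
    }
    event.update(KV_RE.findall(m.group("rest")))
    return event


def is_mail_related(event):
    """True only for TCP events touching a typical mail-client port."""
    if event.get("proto") != "6":  # proto 6 = TCP, 17 = UDP
        return False
    ports = {
        int(event[k]) for k in ("srcport", "dstport")
        if event.get(k, "").isdigit()
    }
    return bool(ports & MAIL_TCP_PORTS)


def flow_key(event):
    """Identify a flow by event name, protocol and the two endpoints."""
    return tuple(
        event.get(k) for k in
        ("name", "proto", "srcip", "srcport", "dstip", "dstport")
    )


def summarize(lines):
    """Count events per flow and how many of them look mail-related."""
    flows = Counter()
    parsed = mail = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that are not ulogd records
        parsed += 1
        flows[flow_key(ev)] += 1
        if is_mail_related(ev):
            mail += 1
    return {"parsed": parsed, "mail_related": mail, "flows": flows}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"{summary['parsed']} events, {summary['mail_related']} mail-related")
    for key, count in summary["flows"].most_common():
        name, proto, sip, sport, dip, dport = key
        print(f"{count:3d}x {name}: {sip}:{sport} -> {dip}:{dport} (proto {proto})")
```

Feed it the whole IPS or firewall log (`summarize(open(path))`) and the `most_common()` listing shows at a glance which flows the UTM is acting on; if the mail-related counter stays at zero while the client still times out, the block is not happening on this device, which is where this thread ended up.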
  • Interesting.  Try doubling the packets/second rates for UDP flooding on the 'Anti-DoS/Flooding' tab.  Does that fix your problem?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I completely disabled UDP Flood Protection and same results.

  • That's not possible.  If UDP Anti-flooding is disabled, you won't have any blocks due to UDP flooding in the Intrusion Prevention log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob - I get what you are saying regarding disabling UDP Flood Protection. I did try doubling those rates and nothing changed. Any other ideas? I am so lost. This is so inconvenient.

  • Everyone - I am embarrassed to admit this, but you all deserve the truth. LOL. I have resolved my issue and it has nothing to do with my Sophos UTM. Although I suspected this from the beginning, I thought that it involved my work Cisco ASA. That was not it either. My issue was our web filtering system at work. We use iboss and for whatever reason I never suspected that it would suddenly start blocking my home traffic.

    I guess it is good to be in charge of our network and able to resolve these issues with no questions asked. :-) Thank you all for your time.