E-mail Services Blocked

I am so confused. I have been using the Sophos UTM 9 (at home) for years and have been very satisfied with it. However, very recently something has changed and I have no idea what because the reality is that I make very few changes to the firewall. By that I literally mean things like adding Static Mappings to DHCP and updating the firmware.

Anyway, as of about a week ago I can no longer receive work e-mails at home. My Microsoft Outlook client, my cell phone mail client, and OWA will NOT connect. Everything times out. No matter what I do.

Keep in mind that my devices have always been in a "Bypass Firewall" group due to that whole debacle and workaround to get Netflix and other services working, from years ago. The only way for me to receive e-mail while at home is by (1) connecting my laptop to my work VPN and (2) disconnecting my cell phone from my wireless network.

Please advise. Thanks.

  • Do you see anything related to those accesses in the Firewall or Web Filtering logs?

    Cheers - Bob

  • In reply to BAlfson:

    No. That is part of the confusion. The fact that I am already bypassing the firewall for my devices, there is nothing (at least as logs are concerned) being blocked. It simply does not work.

  • In reply to Juscelino:

    Hi Juscelino,

    Please make sure to have the logging option enabled and to set it on the first position of your Firewall Rules to see allowed traffic processed by your Bypass rule (by default you'll only see dropped traffic).

    If you temporarily create a "LAN to Internet Allow Any, Log enabled" rule at the top of your rules, you should be able to see the traffic caused by your devices.

    If we know whether and what traffic happens, we should be able to see why it doesn't work.

    Yours Lukas

  • In reply to lna:

    Thank you for the suggestion. I created the rule. Does the following image of my firewall log help?

  • In reply to Juscelino:

    Hi Juscelino,

    If you are not a Google employee, then this is not your work public IP.

    The subnet 172.217.0.0/16 is owned by Google; are you using Gmail-Pro at work?

    If not, we don't see any mail-related traffic in this log.

    Is there anything in the IPS log?

    Yours Lukas


  • In reply to lna:

    Lukas,

    I know for a fact that our e-mails flow via Google, including SMTP relay and incoming messages. However, I also know for a fact that we connect all clients directly to an in-house Exchange Server. So my "rejections" are for certain to our in-house Exchange Server, located behind a Cisco ASA firewall. I can look around in the Cisco ASA firewall, but I am not an expert and do not know what to look for.

    Here is the only thing that I see in my IPS log:

    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
    2018:01:11-21:22:08 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
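As an added example (not from the thread or from Sophos), a small parser for the ulogd IPS lines quoted above: it groups the events per flow, records the time span, and flags whether any flow could be the mail traffic the poster is missing. The function names and the mail port list are my assumptions; the sample input is three of the lines from the post.

```python
import re
from collections import Counter

# Constructed sample input: three of the IPS lines quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
2018:01:11-21:22:06 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
2018:01:11-21:22:07 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
2018:01:11-21:22:08 techjuice ulogd[16448]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth0" srcmac="00:cc:fc:60:28:1a" dstmac="00:26:5a:05:b7:a7" srcip="172.217.12.142" dstip="69.125.131.26" proto="17" length="1378" tos="0x00" prec="0x00" ttl="58" srcport="443" dstport="53046"
"""

# Assumption: the TCP ports an Outlook/ActiveSync/OWA client would use; an IPS hit on any
# other port, or on UDP at all, is not the mail traffic the poster is missing.
MAIL_TCP_PORTS = {25, 110, 143, 443, 465, 587, 993, 995}
PROTO_NAMES = {"6": "tcp", "17": "udp"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_ulogd_line(line):
    """Split one ulogd line into timestamp/host/process plus its key="value" fields."""
    head, sep, body = line.partition(": ")
    parts = head.split()
    if not sep or len(parts) != 3:
        return None  # not in the "<ts> <host> <proc>: k="v" ..." shape
    event = {"ts": parts[0], "host": parts[1], "proc": parts[2]}
    event.update(FIELD_RE.findall(body))
    return event

def is_mail_traffic(event):
    """True only for a TCP flow touching a port a mail client or OWA would talk to."""
    proto = PROTO_NAMES.get(event.get("proto", ""), "other")
    ports = {int(event.get("srcport", 0)), int(event.get("dstport", 0))}
    return proto == "tcp" and bool(ports & MAIL_TCP_PORTS)

def summarize_ips_log(text):
    """Count IPS events per flow, keep first/last timestamp, and note possible mail flows."""
    flows, span, mail_flows = Counter(), {}, set()
    for line in text.splitlines():
        ev = parse_ulogd_line(line)
        if not ev or ev.get("sub") != "ips":
            continue
        proto = PROTO_NAMES.get(ev["proto"], ev["proto"])
        key = (ev["name"], ev["srcip"], ev["srcport"], ev["dstip"], ev["dstport"], proto)
        flows[key] += 1
        span.setdefault(key, [ev["ts"], ev["ts"]])[1] = ev["ts"]  # first and last seen
        if is_mail_traffic(ev):
            mail_flows.add(key)
    return {"flows": dict(flows), "span": span, "mail_flows": mail_flows}
```

Run over the sample, the only flow is UDP from 172.217.12.142:443 to the home address, and `mail_flows` stays empty, which is the same conclusion Lukas draws by eye: the flood events are not the missing mail traffic.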
  • In reply to Juscelino:

    Interesting.  Try doubling the packets/second rates for UDP flooding on the 'Anti-DoS/Flooding' tab.  Does that fix your problem?

    Cheers - Bob

  • In reply to BAlfson:

    I completely disabled UDP Flood Protection and same results.

  • In reply to Juscelino:

    That's not possible.  If UDP Anti-flooding is disabled, you won't have any blocks due to UDP flooding in the Intrusion Prevention log.

    Cheers - Bob

  • In reply to BAlfson:

    Bob - I get what you are saying regarding disabling UDP Flood Protection. I did try doubling those rates and nothing changed. Any other ideas? I am so lost. This is so inconvenient.

  • In reply to Juscelino:

    Everyone - I am embarrassed to admit this, but you all deserve the truth. LOL. I have resolved my issue and it has nothing to do with my Sophos UTM. Although I suspected this from the beginning, I thought that it involved my work Cisco ASA. That was not it either. My issue was our web filtering system at work. We use iboss and for whatever reason I never suspected that it would suddenly start blocking my home traffic.

    I guess it is good to be in charge of our network and able to resolve these issues with no questions asked. :-) Thank you all for your time.