smtp.office365.com - fw rule

Hello MOl,

Thank you for reaching out to the community, ensure the fw rule created is on the top !
You can also add them into the exceptions:
1.) Office 365 URLs and IP address ranges - https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
2.) Configure web exceptions for Office 365 - https://support.sophos.com/support/s/article/KB-000038173?language=en_US

Hello #Vivek,

I already have this and do not have any affect.

Main problem is that firewall rule (with fqdn "smtp.office365.com as destination) will not match all IPs from dns resolve of fqdn "smtp.office365.com"

MOl

okay MOl, noted but have you created a LINKED NAT in the current FW rule with MASQ?

Of course NAT is already in place, becouse some email can pass....

Main problem is that firewall rule (with fqdn "smtp.office365.com as destination) will not match some IPs from dns resolve of fqdn "smtp.office365.com"

Can you perform this steps:
nslookup smtp.office365.com
Domain Name Server# 127.0.0.1
Domain Name # smtp.office365.com
Resolved Address 1# outlook.office365.com.
Resolved Address 1# outlook.ha.office365.com.
Resolved Address 1# outlook.ms-acdc.office.com.
Resolved Address 1# bom-efz.ms-acdc.office.com.
Resolved Address 1# 40.99.9.50
Resolved Address 2# 52.98.58.34
Resolved Address 3# 52.98.123.226
Resolved Address 4# 40.99.9.178
Total query time # 58.80 msec
Domain Name # smtp.office365.com
Resolved Address 1# 2603:1046:c04:83a::2
Resolved Address 2# 2603:1046:c04:80d::2
Resolved Address 3# 2603:1046:c04:818::2
Resolved Address 4# 2603:1046:c04:800::2
Total query time # 21.21 msec
===============================
telnet smtp.office365.com 587
Trying 40.100.141.162...
Connected to smtp.office365.com.
Escape character is '^]'.
220 BMXP287CA0013.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 18 Aug 2022 08:02:35 +0000
helo localhost
250 BMXP287CA0013.outlook.office365.com Hello [103.250.31.36]
================================
And if you want to resolve this with the specific DNS then you may execute the following command: nslookup smtp.office365.com <DNS IP>
=================================
between what is the DNS config on the client machine IP: 10.0.84.20 ? 

server 10.0.84.20 use sohosFW as DNS server

So can you perform the nslookup and telnet output from that client machine and start the tcpdump packet capture + diagnostics > packet capture...

Everytime i use "nslookup smtp.office365.com" I will get different result.

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: fra-efz.ms-acdc.office.com
Addresses: 2603:1026:c03:6470::2
2603:1026:c0d:34::2
2603:1026:c03:6466::2
52.97.157.162
52.98.208.66
52.97.149.242
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com

C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>
C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: hhn-efz.ms-acdc.office.com
Addresses: 2603:1026:c0d:c02::2
2603:1026:c0d:c1c::2
2603:1026:c0d:82d::2
2603:1026:c0d:82b::2
52.98.152.162
40.99.150.34
40.99.214.34
52.98.175.2
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: outlook-g.trafficmanager.net
Addresses: 2603:1026:208:85::2
2603:1026:c02:4012::2
2603:1026:c03:6807::2
2603:1026:c0a:8f6::2
2603:1026:300:c8::2
2603:1046:c0f:40e::2
2603:1026:c03:581b::2
2603:1026:6:2a::2
40.99.150.2
40.99.150.18
40.99.150.50
52.98.152.178
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com
hhn-efz.ms-acdc.office.com
outlook-fs.office.com

C:\Users\Administrator>nslookup smtp.office365.com
Server: UnKnown
Address: 10.0.84.1

Non-authoritative answer:
Name: outlook-g.trafficmanager.net
Addresses: 2603:1026:208:85::2
2603:1026:c02:4012::2
2603:1026:c03:6807::2
2603:1026:c0a:8f6::2
2603:1026:300:c8::2
2603:1046:c0f:40e::2
2603:1026:c03:581b::2
2603:1026:6:2a::2
52.98.175.2
40.101.126.210
40.101.84.2
52.98.18.18
52.98.154.146
52.97.171.194
52.97.146.2
40.99.26.210
Aliases: smtp.office365.com
outlook.office365.com
outlook.ha.office365.com
outlook.ms-acdc.office.com
HHN-efz.ms-acdc.office.com
outlook-fs.office.com

C:\Users\Administrator>

same with telnet test. With every test i will get different IP address. 

This is OK.

Hello MOl, 

Can you hover the mouse on the firewall logo and share the screenshot ?

hey MOl, Can you check the web policy applied in the FW rule as it says: "Deny all"

hey MOl, Can you check the web policy applied in the FW rule as it says: "Deny all"

why? this is last fw rule for logging remain non-allowed traffic.

"DenyAll" is simple Drop "Any" "Any" rule.

you can see full seqvence

         - #136 TCP:587 destination "smtp.office365.com"

         - # 62  TCP:587 destination "any" - temporary rule becouse rule #136 is not working correctly

         - # 1 "DennyALL" logging remain non-allowed traffic

Hi,

on my XG, 587 was not part of the smtps service definition, I had to add it.

ian

my XGS already have this definition.

I've seen this behaviour a couple of times, I tried finding the cause with the help of Sophos Support but it proved fruitless. It didn't happen often enough to justify spending the time debugged the logs - we just switched to use the IP ranges on the firewall rule and moved on with life. Probably not the silver bullet you were hoping for,..

Regards