
SOPHOS XG 19.5 SMTP to internal server (NOT DMZ)

Hey Guys,

New to Sophos XG; I have read a bit of documentation, most of which references an External to DMZ (internal) connection, not External to Internal Network.

I am familiar with the old Microsoft Firewall where you would create a publishing rule for an exchange server.

I followed the document "Protect Internal mail server in legacy mode" (Mar 11 2022). However, I was unable to send or receive email.

I also tried MTA mode. 

No matter what I did, at best I could only telnet to the internal interface of the firewall on port 25. I could not do this with the external interface of the firewall.

Internal Active Directory email works fine internally. But email is not getting out, nor is email being received. 

I have been using this tool to test, no response from the firewall. 

Network Tools: DNS,IP,Email (mxtoolbox.com)

All I've been getting is:

Connecting to 1XX.1XX.2XX.2XX
2/2/2023 2:55:38 AM Connection attempt #1 - Unable to connect after 15 seconds. [15.04 sec]

LookupServer 15233ms

I've also used DNS Checker - DNS Check Propagation Tool

My MX record is correct and DNS is working fine.

mydomain.com (is the external reference)

Internally it is subdomain.mydomain.com

The Exchange server accepts mail from mydomain.com and subdomain.mydomain.com (all email, however, is presented at mydomain.com).

Any help would be greatly appreciated. Is there a document out there or a video that can assist me?

Thanks :-)



  • Hi,

    have you created a firewall for mail services?

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for your reply, much appreciated. Yes, I did this:

    1. Go to Rules and policies > Firewall rules and click Add firewall rule.

    I read through all of these:

    Configure protection for cloud-hosted mail server - Sophos Firewall

    I've tried MTA as well as legacy; neither has worked for me.

    The document keeps mentioning the mail server in the DMZ. I don't have a DMZ. I have my mail system in the internal network, connected to the Active Directory. I should replace DMZ with the internal LAN, yes?

    Create a firewall rule to allow email traffic

    Create a firewall rule to allow SMTP and SMTPS traffic between the DMZ and WAN zones. You must add these zones to the source and destination zones to allow incoming and outgoing emails.

    1. Go to Rules and policies > Firewall rules and click Add firewall rule.
    2. Under Source zones, select DMZ and WAN.
    3. Under Destination zones, select WAN and DMZ.
    4. Under Services, select SMTP and SMTPS.

      Here's an example:

  • Hello there,

    Is your Sophos Firewall the edge router? Do you see the Sophos Firewall's Public IP in the WAN interface?

    If not, you would also need to create a DNAT rule in your upstream device to allow the traffic to arrive at the Sophos Firewall. Also, make sure port 25 is open at your ISP.

    You can check by doing a tcpdump on the firewall on port 25, listening on the WAN port, and then trying to telnet to it from outside your network on port 25.

    E.g.

    # tcpdump -eni Port2 port 25

    (Substitute Port2 for the WAN port of your Sophos Firewall)

    If you don't see traffic arriving, an upstream device is blocking it.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
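    A small helper, added here as an example and not from the thread or from Sophos, that classifies the capture Emmanuel describes: it reads the output of `tcpdump -eni Port2 port 25` (the `Port2` interface name is taken from the post; the capture lines below are constructed with RFC 5737 test addresses) and reports whether an inbound SYN never reached the WAN port (upstream/ISP block), arrived but got no SYN-ACK (firewall or DNAT rule problem), or completed the handshake.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or Sophos): classify a
    # "tcpdump -eni Port2 port 25" capture taken on the WAN port while a
    # telnet to port 25 is attempted from outside. Reads capture lines on stdin.
    #   upstream : no inbound SYN reached the WAN port (ISP/upstream block)
    #   firewall : SYN arrived but no SYN-ACK left (DNAT/firewall rule problem)
    #   ok       : the handshake completed, SMTP is reachable
    classify_smtp_capture() {
      syn=0
      synack=0
      while IFS= read -r line; do
        case "$line" in
          *".25: Flags [S],"*)      syn=$((syn + 1)) ;;        # SYN towards port 25
          *".25 > "*"Flags [S.],"*) synack=$((synack + 1)) ;;  # SYN-ACK back from port 25
        esac
      done
      if [ "$synack" -gt 0 ]; then
        echo ok
      elif [ "$syn" -gt 0 ]; then
        echo firewall
      else
        echo upstream
      fi
    }

    # Constructed sample capture lines in tcpdump -eni format (RFC 5737 test
    # addresses; MACs are placeholders). 203.0.113.10 is the outside tester,
    # 198.51.100.5 the firewall's WAN IP.
    SAMPLE_SYN_ONLY='10:00:00.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 203.0.113.10.51234 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
    10:00:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 203.0.113.10.51234 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0'
    SAMPLE_HANDSHAKE="$SAMPLE_SYN_ONLY
    10:00:01.000500 00:00:5e:00:53:02 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 198.51.100.5.25 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0"

    # Live usage on the firewall shell (stop after 20 packets):
    #   tcpdump -eni Port2 -c 20 port 25 | classify_smtp_capture
    # Here the constructed samples are fed in instead.
    printf '%s\n' "" | classify_smtp_capture                   # -> upstream
    printf '%s\n' "$SAMPLE_SYN_ONLY" | classify_smtp_capture   # -> firewall
    printf '%s\n' "$SAMPLE_HANDSHAKE" | classify_smtp_capture  # -> ok
    ```
    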
  • Hi,

    that rule will cause your XG to be a relay.

    Try this version

    Source LAN, network mail server IP or FQDN; destination WAN, ANY; service SMTP/S; allow; log. Later on, when you are happy the rule is working, you can change the rule to scan SMTP/S.

    You can tighten the security by changing the destination network to your external mail service, e.g. mail.ISP.com.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, Emmanuel, for your reply. Yes, it is the edge router and has a Public IP address on the WAN interface (Static public IP provided by the ISP). I am just a home user, but I use my home network to educate myself for work purposes. Didn't think the ISP would be blocking port 25 which might explain my issue. Thank you, will check that out when I get home tonight. 

  • Thank you very much for your assistance. Very appreciated. It was the ISP blocking the port which was the issue. I called them, they have unblocked all ports and now everything is working fine. :-)

  • Hello Christopher,

    Thank you for the update on what solved the issue.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.