
SNAT rule ignored.

I have the following system:

  1. Sophos XG Home SFVH (SFOS 19.5.2 MR-2-Build624) configured in MTA mode.
  2. One mail server
  3. Some E-mail Account hosted on Cloud Public Server

The problem is that outbound SMTP mail doesn't engage the NAT rule. See the image below.
Sending and receiving mail via the mail server works fine.
Receiving POP3 and IMAP mail works fine.

The SNAT rule is below.

I suppose the solution is from: https://support.sophos.com/support/s/article/KB-000038662?language=en_US, at point
8. SNAT policy not applied for mails forwarded to mail server hosted on cloud

  • By default, the firewall policy is applied only for outbound mails.
  • The firewall policy does not get applied on inbound emails received from the internet and are expected to be delivered to mail servers hosted on the cloud like O365 and G-suite. So the SNAT policy is not applied to those emails.
  • To apply a firewall policy for all traffic, update disable_offline_relate to 'no' in the file /static/proxy/smtp/scanner.conf and restart the SMTPd service.
    • disable_offline_relate = no

The questions are:

Is my supposition correct?

How can disable_offline_relate be changed?
I haven't found any suggestion in https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/CommandLineHelp/ConsoleAccess/index.html
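The KB step quoted above is "set one key in scanner.conf, then restart SMTPd". As an added example (not from the thread or from Sophos), the helper below sets a key=value line idempotently, replacing it when present and appending it when the file does not contain it at all, which is the situation reported later in this thread. The path and key name are taken from the quoted KB text; the SMTPd restart command is not given in the thread and is left as a placeholder.

```shell
#!/bin/sh
# Added example, not Sophos code. Assumed path/key follow the KB text quoted in the post.
SCANNER_CONF="${SCANNER_CONF:-/static/proxy/smtp/scanner.conf}"

# set_conf_key FILE KEY VALUE
# Rewrites an existing "KEY = ..." line or appends one if KEY is absent.
# Prints "replaced" or "appended"; returns non-zero if FILE is missing or unwritable.
set_conf_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || return 1
    tmp="${file}.tmp.$$"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Key already present (maybe with another value): change only that line.
        sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp" \
            && mv "$tmp" "$file" || return 1
        echo replaced
    else
        # Key absent, as the original poster found: append it.
        cp "$file" "$tmp" && printf '%s = %s\n' "$key" "$value" >> "$tmp" \
            && mv "$tmp" "$file" || return 1
        echo appended
    fi
}

# get_conf_key FILE KEY: print the effective value (last matching line), empty if absent.
get_conf_key() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# On the firewall itself (back the file up first; restart command is a placeholder):
# cp "$SCANNER_CONF" "$SCANNER_CONF.bak" && set_conf_key "$SCANNER_CONF" disable_offline_relate no
# <restart SMTPd from the console>   # not documented in this thread
```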

  • I have found the file scanner.conf using console option 5 --> 3 and changing the directory to /, then following the path shown.

    The file scanner.conf doesn't contain the option disable_offline_relate; I have tried to add it.

    I have got the following result

    I suppose the file is used by the SMTPd service, but I was unable to find it and to stop it.

    Any suggestion?

  • Do you have a Scan SMTP firewall rule?

    If not, try to disable MTA mode (switch to Legacy) and switch back. This will generate a Scan SMTP rule in your firewall rule set. Do not delete this rule and try again, to see if your NAT will now work.


  • Thank you for your response.

    I will check your suggestion in the next days; I don't want to risk a long e-mail stop for mail entering and exiting my mail server, so I am waiting for off-peak days.

  • I have followed your suggestion without results.

    1) The firewall rule generated is

    2) The generated SNAT rule is

    The emails sent from the DMZ exit without problems, as well as the emails sent from the Exchange Edge.
    NAT rule from DMZ

    Firewall rule email DMZ

    SNAT Exchange Edge

    Firewall rule Exchange Edge
