Urgent: Sophos XG intercepts SMTP

Hello,

I have an XG in MTA mode.

The "Auto added firewall policy for MTA" is at its defaults and has not been touched.

Under Administration --> Device Access, SMTP Relay is enabled on internal as well as WAN, because otherwise the Sophos MTA somehow did not accept mail on port 25.

Now I have the following problem:

A server in Site1 tries to deliver a mail to a mail server in Site2 on TCP 25.

Unfortunately, the Sophos intercepts the traffic and answers as the MTA itself, instead of the mail server in Site2 answering.

What am I doing wrong?
Many thanks
Best regards



  • Problem solved:
    It was quite simple: the "Auto added firewall policy for MTA" policy had to be moved down in the rule set.

    We have rules that, for example, allow SMTP from Site1 to Site2.

    The "Auto added firewall policy for MTA" rule was above these rules.

    Because of that rule, the traffic was routed to the Sophos and not to the mail servers in Site2.

    We had a case open with Sophos about this:

    "

    Please find the summary of our session:

    • Connected over the remote session.
    • As per the information provided by you, the firewall is working in MTA mode and on top there any to any rule is created with port 25 and 587.
    • In the events when you try to connect to the exchange server the connection intercepted by firewall.
    • You showed me that if connected by SSL VPN and if we try to telnet the server x.x.x.x on port 25 the connection was intercepted by firewall, traffic reaches to firewall instead going to the server.
    • As the MTA rule with any source zone to any destination zone is auto created it was taking the priority.
    • We moved the VPN to LAN rule above the MTA firewall rule and checked, telnet on port 25 was now going to the server instead of the firewall.
    • Checked for site to site VPN and for site to site VPN as well now the traffic is going to the server instead of the firewall.
    • We just required to move the MTA rule below the VPN rules."

    Admittedly, Sophos writes:
    Configure email protection in MTA mode - Sophos Firewall
    "In MTA mode, Sophos Firewall routes emails between your mail servers and the internet. When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend that you keep this rule at the top of the firewall rule table."
    However, that led to the problems described above.
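
The rule-order effect described in this thread, shown as an added example (not part of the original posts and not Sophos code): a simplified first-match model of a rule table that reports which rule decides a flow and which later rules an earlier one hides. It assumes top-down, first-match evaluation; the rule name "VPN to LAN SMTP", the `action` labels and the field layout are hypothetical.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: frozenset
    action: str  # assumed labels: "mta" = firewall's own MTA answers, "forward" = passed on

def matches(rule, src_zone, dst_zone, port):
    return (rule.src_zone in (ANY, src_zone)
            and rule.dst_zone in (ANY, dst_zone)
            and port in rule.ports)

def first_match(rules, src_zone, dst_zone, port):
    """Top-down evaluation: the first matching rule decides, later rules are never consulted."""
    return next((r for r in rules if matches(r, src_zone, dst_zone, port)), None)

def covers(a, b):
    """True if every flow that rule b matches is also matched by rule a."""
    return (a.src_zone in (ANY, b.src_zone)
            and a.dst_zone in (ANY, b.dst_zone)
            and b.ports <= a.ports)

def shadowed(rules):
    """(earlier, later) pairs where an earlier rule with a different action hides the later rule."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and covers(earlier, later):
                pairs.append((earlier.name, later.name))
                break
    return pairs

# Constructed rule table modelled on the support summary in the thread.
MTA = Rule("Auto added firewall policy for MTA", ANY, ANY, frozenset({25, 587}), "mta")
VPN_TO_LAN = Rule("VPN to LAN SMTP", "VPN", "LAN", frozenset({25}), "forward")  # hypothetical name

BEFORE = [MTA, VPN_TO_LAN]   # MTA rule on top: port 25 over the VPN ends at the firewall
AFTER = [VPN_TO_LAN, MTA]    # MTA rule moved below the VPN rule

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        hit = first_match(table, "VPN", "LAN", 25)
        print(label, "->", hit.name, f"({hit.action})", "shadowed:", shadowed(table))
```

In the reordered table, SMTP arriving from WAN still matches the MTA rule, so only flows that have a more specific rule above it bypass the firewall's MTA.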
