
Sophos UTM Home - Apple iCloud IMAP

Hello, I have found different threads similar to this topic, but with no specific answer.

I have Sophos UTM Home - ASG Software, firmware version: 9.713-19, pattern version: 219285,

and the problem I have is that the iCloud servers for outgoing email cannot be reached.

I have added a web filter as follows:

and an email rule in the firewall with the following services:

For the firewall rule, I have added port 587, with no luck.

Any help would be appreciated. I really appreciate any help you can provide.

  • Hi, can you post a line from the web filtering log so we can see what's blocking the connection?

    Also have you tried allowing "SMTP" (source: Internal) in Application Control if it is enabled by any chance?

    Also, I had a look at the service definitions, and "SMTP SSL" has port 465 as the destination, but iCloud requires port 587:

    SMTP information for the outgoing iCloud Mail server

    • Server name:
    • SSL Required: Yes
      If you see an error message when using SSL, try using TLS or STARTTLS instead.
    • Port: 587
    • SMTP Authentication Required: Yes
    • Username: Your full iCloud Mail email address (for example,, not johnappleseed)
    • Password: Use the app-specific password that you generated when you set up the incoming mail server.

    Edit: I see your service definition says SMTPS, not SMTP, so I assume you already created the service definition for port 587.

  • Hello Alan, related to the SMTP, I do have it disabled

    since I thought that could be another problem.
    As you mentioned, I created the SMTPS service, which, as you said, points to port 587, but no luck. I created SMTPS, which is just TCP 587, and an alt version with TCP/UDP.

    I have added the rule as you mentioned.

    I found iCloud in the list, so I just gave it a try, but no luck.

    And in Outlook I have this; the client is in Spanish, but the settings are the same. As a side note, on each attempt I switch from SSL to STARTTLS.

    From the web filtering log, the only line I was able to find that is kind of related is the following, but nothing specific to SMTP or IMAP:

    2023:01:20-22:52:15 fw httpproxy[10323]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="XXX.XXX.XXX.XXX" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x280f700" url="" referer="" error="Host not found" authtime="0" dnstime="1546" aptptime="0" cattime="0" avscantime="0" fullreqtime="2187" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension"

    Thanks for the help!
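The httpproxy line posted above is a key="value" record, and the fields that matter here are easy to miss in the wall of text: action="block" together with error="Host not found", an empty dstip, and dnstime="1546" (ms) making up most of fullreqtime="2187". Read together, those say the proxy blocked the CONNECT because it could not resolve the destination, not because a category or content rule matched. The following parser is an added example written for this page, not code from the thread or from Sophos; the sample line is the one from the post, reproduced as a constructed string with the blanked srcip/dstip/url fields left blank.

```python
import re
from typing import Dict

# Constructed sample: the UTM httpproxy line from the post above, with the
# address and URL fields left blank as they appear in the post.
SAMPLE_LINE = (
    '2023:01:20-22:52:15 fw httpproxy[10323]: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="CONNECT" srcip="XXX.XXX.XXX.XXX" dstip="" user="" group="" '
    'ad_domain="" statuscode="502" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" '
    'size="0" request="0x280f700" url="" referer="" error="Host not found" '
    'authtime="0" dnstime="1546" aptptime="0" cattime="0" avscantime="0" '
    'fullreqtime="2187" device="0" auth="0" ua="" '
    'exceptions="av,sandbox,fileextension"'
)

# One key="value" pair; values may contain spaces and parentheses but no quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split a UTM httpproxy log line into its timestamp and key/value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def classify_block(fields: Dict[str, str]) -> str:
    """Say why the proxy blocked a request, using only what the line itself records.

    'dns-failure'  : the proxy never resolved the destination (error field set,
                     dstip empty); no filter decision was taken on the content.
    'upstream-error': some other proxy-side error text is present.
    'policy'       : blocked with no error text, i.e. a filter/category decision.
    """
    if fields.get("action") != "block":
        return "not-blocked"
    error = fields.get("error", "")
    if error == "Host not found" and not fields.get("dstip"):
        return "dns-failure"
    if error:
        return "upstream-error"
    return "policy"


def dns_share(fields: Dict[str, str]) -> float:
    """Fraction of the total request time the proxy spent waiting on DNS."""
    total = int(fields.get("fullreqtime", "0") or 0)
    if total == 0:
        return 0.0
    return int(fields.get("dnstime", "0") or 0) / total


if __name__ == "__main__":
    f = parse_httpproxy_line(SAMPLE_LINE)
    print(f["timestamp"], f["method"], repr(f["dstip"]), f["error"])
    print("verdict:", classify_block(f), "dns share: %.2f" % dns_share(f))
```

Running it over the posted line gives the verdict dns-failure with roughly 71% of the request time spent in DNS resolution, which is the check to apply to a "web request blocked" line before spending time on filter actions or firewall rules. Note that this line is a CONNECT through the web proxy, which is what a browser or HTTPS client does; an SMTP client on port 587 does not normally go through the web filter at all.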

  • I wish I could help you out more. I performed an online ping test of and there appears to be no reply. Even a traceroute stalls. I performed a ping from the UTM and various sites on the internet. Sometimes it replies, most of the time it doesn't.

  • Oh man! You are totally right! I have tried on Site24x7 and some other tools, and I get the same: no response.

    So I wonder if the settings are correct or if there are any other servers. I have checked again from iCloud, and it seems the information you provided and what I use are correct.

    So I wonder if that server is only reachable from a specific Apple service, but there is no information that states anything different to use :/

    Thanks for the help, Alan. I will research more or reach out to the Apple team just to check why their server is not reachable. I will let you know what I find.

  • I'm not familiar with SMTP or iCloud, so I really don't know what else to think. Good luck, I hope they get it running.

    There are some SMTP tests online that might help?

    SMTP test-DNS checker

  • I will share that with them for sure, but this is odd! Thanks again, Alan!

  • Well... Weird enough. I did reach out to Apple through my iPhone, since the problem was the same from anywhere inside the network. While asking them what the reason was for not being able to send emails from Outlook, they asked me to run a test; I did, and it worked. For anyone else, and just to be clear: I did all the steps I listed here, and before reaching out to Apple I did not change anything, so I will try to do the reverse, to try to isolate whether it was related to the changes I did or if it was just magic that made it work.

    Thanks, Alan, for the time and suggestions; now it's working!

  • Good, glad it worked, but the thing is that

    resolves to many different IP addresses, at least 6, not just one, so maybe some are up and some are down, and that's why the problem is random, since pinging it doesn't always choose the same IP every time. Also, you created a service definition using "UDP/TCP". That might cause issues too. It should be either UDP or TCP. I had problems one time when I used UDP/TCP in one.

    Also, from the UTM administration guide, it might be better to use DNS group definitions instead of DNS host. 

    • DNS host: A DNS hostname, dynamically resolved by the system to produce an IP address. DNS hosts are useful when working with dynamic IP endpoints. The system will re-resolve these definitions periodically according to the TTL (Time To Live) values and update the definition with the new IP address (if any). Provide the following information:

      • Hostname: The hostname you want to resolve.
    • DNS group: Similar to DNS host, but can cope with multiple RRs (Resource Records) in DNS for a single hostname. It is useful for defining firewall rules and exceptions in transparent proxies.
  • Definitely! Those TCP/UDP ones were crazy attempts to identify alternatives to make it work. As I mentioned, I am cleaning up, going back to enable/disable and removing the additional stuff I did in order to have it working. Maybe, as you stated, those things created part of the issue.

    One question I have is in regard to the DNS group: I did not create a DNS host or group, but from your recommendations, would it help to add it?

    Thanks for the suggestions and help!

  • To be honest, I don't know if creating a host group would really help, because a user accessing would be doing a DNS lookup for its IP, and it should be resolvable by any DNS forwarder. What I think, and I might be wrong here, is that if the UTM is used as a recursive DNS resolver, it would keep the IP address of updated at all times if the IP address changes.

    I also don't think creating a firewall rule to allow the outgoing SMTP service would help, since the UTM allows all outgoing connections in the very last rule, unless there is a rule above that would BLOCK it.

    If the last firewall rule is Source: Internal Network--->Service: ANY---->Destination: ANY, it should just allow the traffic.

    And I think that adding the SMTP service (port) to the allowed target services would be necessary only if the UTM web filtering proxy was in standard proxy mode and not transparent, but the UTM manual says otherwise. 

    • DNS group: Similar to DNS host, but can cope with multiple RRs (Resource Records) in DNS for a single hostname. It is useful for defining firewall rules and exceptions in transparent proxies

    Someone here might know more about it, but it definitely seems that the problem is that some of the IP addresses of the iCloud mail servers are not responding to pings, so it's hard to tell if they are available.

  • Here's what's going on; you can see for yourself.

    I performed an nslookup for , and the first IP address it resolved to responded to a ping; then a few seconds later it tried to ping a different IP address, and that one was not responding.

    This is definitely not a problem with any of the firewall settings on the UTM.
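The two posts above make the same point from different angles: the mail hostname resolves to several addresses, and a single ping (or a single nslookup followed by one ping) only ever tests whichever address happened to come first. The practical check is to resolve every address the name currently maps to and try a TCP connection to the real port, 587, on each one; ICMP is often dropped by mail hosts, so ping alone can say "down" for a server that accepts SMTP submission fine. The script below is an added example written for this page, not something from the thread or from Sophos or Apple. It takes the resolver and the connector as parameters so the same logic can be run offline against the constructed hostname smtp.example.test and the documentation addresses 192.0.2.10-12 (which are assumptions, not real iCloud addresses); by default it uses the system resolver and a real TCP connect.

```python
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str, int], List[str]]
Connector = Callable[[str, int], bool]


def resolve_all(hostname: str, port: int) -> List[str]:
    """Return every distinct IPv4/IPv6 address the name currently maps to.

    getaddrinfo() returns the whole record set, not just the first answer,
    which is what a single `ping` or `nslookup` call hides.
    """
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, port, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_all(
    hostname: str,
    port: int,
    resolver: Resolver = resolve_all,
    connector: Connector = tcp_connect,
) -> Dict[str, bool]:
    """Resolve the name and test each address on the actual service port."""
    return {ip: connector(ip, port) for ip in resolver(hostname, port)}


def summarize(results: Dict[str, bool]) -> Dict[str, object]:
    """Split addresses into reachable/unreachable and flag a partial outage,
    the case where a client can appear to work or fail at random depending on
    which record its resolver hands it."""
    up = [ip for ip, ok in results.items() if ok]
    down = [ip for ip, ok in results.items() if not ok]
    return {"up": up, "down": down, "partial": bool(up) and bool(down)}


# Constructed, offline stand-ins (assumptions for the demo, not real data):
# a name with three records, one of which does not accept TCP 587.
FAKE_RECORDS = {"smtp.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}


def fake_resolver(hostname: str, port: int) -> List[str]:
    return list(FAKE_RECORDS.get(hostname, []))


def fake_connector(ip: str, port: int) -> bool:
    return ip != "192.0.2.11"


if __name__ == "__main__":
    # Offline run against the constructed records; swap in the defaults
    # (probe_all("smtp.mail.me.com", 587)) to test a live name.
    results = probe_all("smtp.example.test", 587, fake_resolver, fake_connector)
    for ip, ok in results.items():
        print(f"{ip}: {'open' if ok else 'no connect'}")
    print(summarize(results))
```

When the summary reports partial, the symptom in this thread follows directly: the client's DNS cache or the UTM's resolver picks one record per lookup, so the same configuration works on one attempt and fails on the next without anything on the firewall having changed. Run it a few minutes apart to see whether the set of failing addresses is stable or moving.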

  • That definitely makes a lot of sense. I did not try that from the beginning, but it makes a lot of sense! Thanks for sharing!