SMTP should also be reachable over VPN

Hi,

At the moment the internal smtpd on the UTM is running on all interfaces. I would like to restrict that to LAN and VPN, i.e. the site-to-site VPN. But when configuring the SMTP interfaces I cannot see the site-to-site VPN. That is logical, since there is no interface for it. If I restrict SMTPD to "Internal LAN", the remote server can no longer access it. How do I solve this problem? What matters most to me is that SMTP no longer listens on the WAN interfaces.



[edited by: H_Patel at 2:25 PM (GMT -7) on 14 Apr 2021]
  • Hi,

    Thanks for reaching out to the Community! 

    You can limit the SMTP proxy's listening interface by adding a specific interface at Email Protection > SMTP > Global > Listen Interface.

    Listen Interfaces:

    By default, the SMTP proxy listens on all interfaces on ports 25, 465, and 587 for incoming email traffic.

    To listen only on a specific interface, select the option Custom Interfaces and add interfaces to the Allowed Interfaces box.

    Is this the option you were looking for? 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support



  • Hi, not quite: in the custom interface selection it is only possible to select hardware interfaces, but I need to make sure that connections from the remote VPN site can access SMTP. When only selecting "Internal LAN", VPN is cut off.

  • Hello,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    You're right that this cannot be done with an IPsec tunnel as the virtual IPsec NIC object was eliminated years ago. You would need a RED tunnel or an SSL VPN site-to-site in order to do what you want.

    However, you could accomplish virtually 100% of what you want by using a blackhole DNAT for "Internet IPv4" just after a DNAT that permits SMTP traffic from your remote server's IP. See #2 in Rulz (last updated 2021-02-16).

    Regards - Bob (Please continue in German.)

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
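The two-rule workaround above depends on first-match ordering: the permit DNAT for the remote server must sit before the blackhole DNAT for "Internet IPv4", or the peer is dropped along with everyone else. The following model, added here and not part of the thread or of Sophos UTM, simulates that ordered evaluation; the addresses are constructed placeholders, "Internet IPv4" is modelled as any source, and both DNAT rules are assumed to match connections to the UTM's WAN address only, so LAN traffic to the internal address never reaches them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder values (not from the thread).
WAN_ADDRESS = ipaddress.ip_address("198.51.100.1")       # UTM external address
INTERNAL_ADDRESS = ipaddress.ip_address("10.0.0.1")      # UTM internal address
REMOTE_SERVER = ipaddress.ip_network("203.0.113.10/32")  # remote site's public IP
INTERNET_IPV4 = ipaddress.ip_network("0.0.0.0/0")        # stands in for "Internet IPv4"
SMTP_PORTS = {25, 465, 587}  # ports the SMTP proxy listens on by default

@dataclass(frozen=True)
class NatRule:
    name: str
    source: ipaddress.IPv4Network       # where the connection comes from
    destination: ipaddress.IPv4Address  # UTM address being connected to
    action: str                         # "dnat" = hand to the proxy, "blackhole" = drop

def nat_rules(permit_first: bool = True) -> list:
    """The two rules from the workaround; permit_first=False is the broken ordering."""
    permit = NatRule("remote SMTP peer -> proxy", REMOTE_SERVER, WAN_ADDRESS, "dnat")
    drop = NatRule("Internet IPv4 -> blackhole", INTERNET_IPV4, WAN_ADDRESS, "blackhole")
    return [permit, drop] if permit_first else [drop, permit]

def evaluate(rules: list, src: str, dst: str, dport: int) -> str:
    """First matching rule wins, as in an ordered NAT table."""
    if dport not in SMTP_PORTS:
        return "not-smtp"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.source and d == rule.destination:
            return rule.action
    return "proxy"  # no DNAT matched: the connection reaches the proxy's own listener

def outcomes(permit_first: bool = True) -> dict:
    """Fate of three constructed connections to port 25 under the given rule order."""
    rules = nat_rules(permit_first)
    return {
        "remote_site": evaluate(rules, "203.0.113.10", str(WAN_ADDRESS), 25),
        "random_host": evaluate(rules, "192.0.2.77", str(WAN_ADDRESS), 25),
        "lan_client": evaluate(rules, "10.0.0.50", str(INTERNAL_ADDRESS), 25),
    }

if __name__ == "__main__":
    for order in (True, False):
        print("permit first:" if order else "blackhole first:", outcomes(order))
```

With the permit rule first, only the remote peer is delivered to the proxy and all other Internet sources are blackholed; with the order reversed, the peer is dropped too, which is the failure the "just after" wording guards against.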