
Email Protection - SMTP Log without entries when transparent mode disabled

Hi there,


Having inherited a Sophos Firewall and being fairly new to these appliances, I have an issue I struggle to get my head around.


On the device we're using Email Protection to check the emails; currently (unfortunately) transparent mode is active.

A DNAT for the incoming SMTP traffic is enabled.

When I disable the transparent mode, emails are still flowing but I can't see anything in the SMTP log.

From what I read in BAlfson's setup guide, the DNAT entry takes priority so as a test I turned it off which led to emails not being transmitted at all.


What settings am I missing to get the emails flowing and visible in the SMTP log and the transparent mode turned off?


Thanks for any input in advance & kind regards

Kere



  • Hey KereJehremathi.

    So, what are you trying to achieve? I take it you want to put UTM in front of messages that are coming and going to an on-premises mail server, is that it?

    Transparent mode intercepts everything that traverses UTM on port 25 and re-routes it to the proxy. It's an easy way to get things going, but I don't recommend it, so just keep it disabled. So I'm guessing you have a mail server behind UTM and that with Transparent Mode on every message that goes through your server is captured and filtered by the UTM on its way out. For incoming messages your DNAT rule is delivering them directly to your mail server and they are not being processed by the UTM. Am I on the right path here?

    So what you wanna do is:

    1) Put your domain in Email Protection > SMTP > Routing > Domain, so UTM can accept messages destined to your domain.

    2) Put your on-premises mail server object in Email Protection > SMTP > Routing > Host List, so messages accepted by the UTM for your domain are delivered to your mail server after filtering.

    3) Put your Mail Server object in Email Protection > SMTP > Relaying > Allowed Hosts/Networks so UTM will accept messages from your mail server and relay them outside.

    4) Configure your mail server to use Sophos UTM as a smart host.

    5) Disable your DNAT rule.

    As long as your MX record points to the UTM's WAN address, which I believe it already does since you have a DNAT rule to your mail server, messages would arrive at the UTM, be accepted, filtered for spam and malware and delivered to your mail server. Outgoing messages would be delivered from your mail server to UTM, be filtered for spam and malware and delivered to the outside world. Is this what you need?

    Regards.

    Giovani

  • If you follow Giovani's recommendations, you will see the logs.
    Transparent Mode helps you not to do something stupid with Firewall & DNAT rules and get blacklisted quickly.
    If you want to play with Firewall & DNAT Rules, you can skip those hosts from transparent mode.

    One more thing: a DNAT rule has no power when Transparent mode is ACTIVE.

  • Hoi Kere and welcome to the UTM Community!

    Basic Exchange setup with SMTP Proxy might be helpful, too.

    Cheers - Bob
    PS The reason you don't want to use Transparent except for debugging purposes is that any infected device could relay off the UTM and get your IP onto all of the blacklists - not fun!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Giovani,

    I changed the settings on the firewall and added the UTM as a smart host on the Exchange Server (which I completely forgot in my first test).

    Incoming emails are fine; outgoing emails, however, don't reach their intended recipients.

    Am I missing something within the UTM configuration?

    Kind regards

    Kere

  • Hi oldeda,

    Thank you for the info.

    Kind regards

    Kere

  • Hi Bob,

    I did follow the recommendations but had issues with the mails not being visible in the Mail Manager afterwards.

    Adding the smarthost entry on the Exchange server did help to some extent: emails are being received correctly and are visible within the Mail Manager; sending emails isn't working, though.

    The outgoing emails only showed up in the log after I reverted back to the old settings.

    Any idea what I may have missed?

    Kind regards

    Kere

  • "The smart host setting in the SMTP Connector in Exchange Manager must point to the "Internal (Address)" of the Astaro. If you already had a different setting in Exchange, pointing at an external smart host that you must use, you must transfer that to the Astaro's 'Smarthost settings' at the bottom of the 'Advanced' tab."

    You should not use Transparent SMTP Proxy except to debug.  You've now proven that Exchange was sending emails directly out instead of using the SMTP Proxy as a smart host.  I'll guess that the smart host setting that Exchange is using is still your old smart host or, if you didn't have a smart host setting before, that your smart host setting in Exchange isn't done correctly.  That setting should have nothing to do with whether Exchange can receive emails - I bet you're now seeing inbound emails in the SMTP log because you disabled the old DNAT that you had that forwarded emails directly to your server.

    Cheers - Bob

  • Hi Bob,

    I used the following settings on the UTM and Exchange Server:

    UTM

    Network Protection > NAT - Exchange DNAT rule disabled

    SMTP > Global - Simple Mode

    SMTP > Routing - Domain: my Domain, host list: my Exchange Server, verify recipients: with callout

    SMTP > Malware - Standard Settings, dual scan

    SMTP > AntiSpam - Standard Settings

    SMTP > Data Protection - Standard Settings

    SMTP > Exceptions - communication to VOIP server

    SMTP > Relaying - allowed Hosts/Networks: my Exchange Server, scan relayed (outgoing) Messages: ticked

    SMTP > Advanced - transparent mode: ticked, SMTP hostname: mail.mydomain; use smarthost: not ticked

    Exchange Server

    mail flow > send connectors > active connector > delivery > smarthost: internal IP of firewall

    Prior to the change, the send connector was using the associated MX entry to send the emails.

    Previously a different connector was used which had a smarthost defined.

    It shouldn't have an impact as it's set to inactive and the parameters are no longer valid either.

    Am I missing another setting in the Exchange configuration?

    Kind regards

    Kere

  • That all seems right, Kere.

    Is the Host object for the Exchange server the same one on both the 'Routing' and 'Relaying' tabs?

    The only other thing I can think of is a packet capture that sees what destination IP Exchange is sending to.  That should give a hint as to what the problem is.

    Cheers - Bob

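Bob's suggestion above is to capture what destination Exchange is actually talking to. A complementary check that answers the thread's core question ("is the UTM willing to relay outbound mail from my Exchange host?") is to walk only the SMTP envelope phase against the gateway and read the reply codes, stopping before DATA so nothing is delivered. The script below is an added example written for this thread, not code from Sophos or from any poster; the smart-host address, sender and recipient are placeholders (TEST-NET address and example domains) and the `FakeGateway` class is a constructed stand-in so the logic can be exercised offline. Run the real check once from the Exchange server (expect 250 on RCPT TO for an external address) and once from a host that is not in Relaying > Allowed Hosts/Networks (expect a 5xx refusal); a gateway that answers 250 to the second run is an open relay, which is exactly the blacklist scenario Bob and oldeda warn about.

```python
"""Envelope-only relay check against an SMTP smart host (added example)."""
import smtplib

# Placeholders: replace with the UTM's internal address, a sender in your own
# domain and an external mailbox you control. 192.0.2.1 is TEST-NET, not real.
SMART_HOST = "192.0.2.1"
SENDER = "postmaster@example.com"
EXTERNAL_RCPT = "relay-check@example.net"


def check_relay(conn, sender, recipient):
    """Issue EHLO, MAIL FROM and RCPT TO, then stop before DATA.

    `conn` is any object exposing smtplib-style ehlo()/mail()/rcpt() methods
    that return (code, message). Returns the codes plus a relay verdict; no
    message body is ever sent, so nothing is delivered.
    """
    result = {"ehlo": None, "mail": None, "rcpt": None, "relay_accepted": False}
    result["ehlo"], _ = conn.ehlo()
    result["mail"], _ = conn.mail(sender)
    if result["mail"] == 250:
        # Only the RCPT TO answer tells us whether relaying is permitted;
        # an external recipient is what distinguishes relay from local delivery.
        result["rcpt"], _ = conn.rcpt(recipient)
    result["relay_accepted"] = result["rcpt"] == 250
    return result


def describe(result):
    """Translate the reply codes into an admin-readable verdict."""
    if result["mail"] != 250:
        return "sender rejected at MAIL FROM (%s)" % result["mail"]
    if result["relay_accepted"]:
        return "relay accepted: this host may send outbound mail via the gateway"
    code = result["rcpt"]
    if code is not None and 500 <= code < 600:
        return "relay refused (%d): host is not in Allowed Hosts/Networks" % code
    return "temporary failure (%s): retry or check the SMTP log" % code


class FakeGateway:
    """Constructed stand-in for smtplib.SMTP, used only for an offline dry run.

    It accepts every sender and answers RCPT TO with the code given, so the
    same check can be shown for an allowed host (250) and a refused one (550).
    """

    def __init__(self, rcpt_code):
        self._rcpt_code = rcpt_code

    def ehlo(self):
        return 250, b"gateway.example.com Hello"

    def mail(self, sender):
        return 250, b"OK"

    def rcpt(self, recipient):
        if self._rcpt_code == 250:
            return 250, b"Accepted"
        return self._rcpt_code, b"relay not permitted"


def dry_run():
    """Show both outcomes offline; returns the two verdict strings."""
    allowed = describe(check_relay(FakeGateway(250), SENDER, EXTERNAL_RCPT))
    refused = describe(check_relay(FakeGateway(550), SENDER, EXTERNAL_RCPT))
    return allowed, refused


if __name__ == "__main__":
    for verdict in dry_run():
        print("dry run:", verdict)
    # Live check: a short timeout keeps a filtered port 25 from hanging the run.
    with smtplib.SMTP(SMART_HOST, 25, timeout=10) as smtp:
        live = check_relay(smtp, SENDER, EXTERNAL_RCPT)
    print("live:", live, "->", describe(live))
```

The `with` block lets smtplib send QUIT and close the socket on exit, which is why `check_relay` deliberately never calls `quit()` itself. If the refused run returns 250 instead of a 5xx, tighten Relaying > Allowed Hosts/Networks before anything else.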