
Cannot receive e-mails from certain domains

We have recently switched over to using the Sophos UTM 9 E-mail Protection and currently are unable to receive e-mails from a few domains including samsung and mail.ru. Our settings are such:

  • MX records pointing to our mail server.
  • Mail server points to internal address for the sophos box under send connector.

We are able to send e-mails to any domain (including samsung and mail.ru) but we cannot receive from them. The only time I could receive from them is when I had a DNAT rule to point to the exchange server (but this only worked because it then bypassed the e-mail protection in sophos altogether).

Have I configured something wrong?



  • Did you already try to look in the logfiles? Maybe some country blocking?

    You might want to start with looking in the email logfiles, if those mails are coming to your mail protection at all, then that's the place where you should find them. If not, then look in firewall logs.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes I have looked in the log files. They're not reaching my mail server (unless I disable the sophos filtering completely) and nor are they in the sophos logs.

    I would have expected to see them in the sophos mail log and the fact I couldn't made me think that it mustn't be my end. However the second I disable sophos email protection the e-mails start coming through which would indicate it is sophos.

  • If UTM is in transparent mode you should see something in the mail log. Even in standard mode you should see something.

    I recommend using transparent mode if you send/receive emails only from the mail server.

  • A better description of how you use mail protection will be helpful

  • Originally I had the UTM in transparent mode and had a DNAT rule and that worked the same way it currently does. Most e-mails were coming through but those from samsung and mail.ru among others were not. I got the IP addresses involved and put in an exception within the transparent mode which then allowed e-mails from those domains through. However there are various different domains out there and I'm only learning about which ones aren't working sporadically over time. I'd rather put in a permanent solution than keep putting IP addresses in as exceptions.

    Currently everything from outside our network passes through the sophos box. Our mail server is on the protected side of the sophos box. We use the UTM to check for spam and viruses and such before it forwards the e-mail to our internal mail server.

  • I have configured my UTM in SMTP Standard Mode, and it has worked very well. Others have said that Transparent SMTP should be avoided, without getting into the details of why.

    The message sender should be receiving a Non-Delivery Report (NDR) from his mail server, which would be helpful for understanding the problem.

    If the traffic is not getting to the mail server when UTM is in the path, then it is obvious that UTM is blocking the traffic, and my experience is that it is doing so because you have told it to do so. UTM logs nearly everything unless you have told it not to do so. Each firewall rule can selectively enable or disable logging, so you may need to increase logging detail there, although firewall rules do not normally apply to SMTP traffic.

    Are you using ANY Country Blocking? Since you are having problems with Russia and Korea, country blocking seems like the likely cause. Configuring Country Blocking Exceptions can be tricky.

    See the RULZ post for information on packet processing sequence, which should help you know which log file to search.

    See my post in the Management section for a way to parse firewall logs into a SQL database. I have found that SMTP logs are hard to parse into a form that I consider useful, but I have made some recent progress. Send a Private Message if this is of interest.

    Is UTM your firewall, or do you have a firewall in front of UTM? If something is in front of UTM, the traffic may be blocked there.

    Similarly, do you have any cloud-based email filtering in front of UTM?


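The reply above suggests searching the firewall (packetfilter) log for the dropped SMTP connections before adding exceptions. The following is an added example, not code from the poster or from Sophos: it parses the key="value" field format that UTM's packetfilter log uses and tallies dropped inbound SMTP connection attempts per source IP, so a blocked sender shows up as a repeated drop rather than as silence. The log lines, addresses and rule ids below are constructed placeholders, and the field names are assumed from UTM's usual packetfilter log layout.

```python
"""Tally dropped inbound SMTP connections per source IP from Sophos UTM
packetfilter log lines (key="value" format). Added example; constructed data."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in UTM's key="value" packetfilter format.
# Addresses and fwrule ids are made-up placeholders, not values from a real box.
SAMPLE_LOG = """\
2016:03:01-10:15:02 utm ulogd[3021]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.25" proto="6" srcport="40122" dstport="25" tcpflags="SYN"
2016:03:01-10:15:09 utm ulogd[3021]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth1" srcip="192.0.2.44" dstip="198.51.100.25" proto="6" srcport="51000" dstport="25" tcpflags="SYN"
2016:03:01-10:15:20 utm ulogd[3021]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.25" proto="6" srcport="40130" dstport="25" tcpflags="SYN"
2016:03:01-10:16:01 utm ulogd[3021]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.77" dstip="198.51.100.25" proto="6" srcport="443" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Ports the OP's exception lists as SMTP, SMTP SSL and SMTP TLS.
SMTP_PORTS = {"25", "465", "587"}


def parse_line(line):
    """Return the key="value" fields of one UTM log line as a dict, plus the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def dropped_smtp_by_source(log_text):
    """Count dropped TCP connections to SMTP ports per source IP.

    Returns (counts, rules): counts maps srcip -> number of drops, rules maps
    srcip -> set of fwrule ids that caused them (useful for telling a country
    blocking drop from an ordinary firewall rule drop)."""
    counts = Counter()
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("action") != "drop":
            continue  # only packetfilter drops are interesting here
        if f.get("proto") != "6" or f.get("dstport") not in SMTP_PORTS:
            continue  # not an SMTP connection attempt
        counts[f["srcip"]] += 1
        rules[f["srcip"]].add(f.get("fwrule", "?"))
    return counts, rules


if __name__ == "__main__":
    counts, rules = dropped_smtp_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} dropped SMTP connection(s), fwrule {sorted(rules[ip])}")
```

A source that appears here repeatedly with the same rule id is a candidate for a Country Blocking Exception; a source that appears nowhere in the log at all points at something upstream of UTM, as the reply notes.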
  • Thank you very much. That has started helping the problem. I turned off country blocking for Russian Federation and that allowed the mail.ru e-mails to come through.

    However under my exceptions tab for country blocking I do have the following rule:

    Exceptions List:

    Region: All regions

    Countries: originally it said any or all, but I have changed this to manually list all of the countries instead hoping that would make a difference.

    For all requests: going to these

    Host/Network: Any

    Using these Services: DNS, HTTP(S), SMTP, SMTP SSL and SMTP TLS

    I would expect the above rule to exempt country blocking from being used on e-mails. Is there another protocol I'm not including?

    UTM is our firewall and we do not have any cloud based mail filtering.

  • Here are the tricks with Country Blocking Exceptions:

    1) The country list

    • If the specified network object is internal, you MUST include a country list.
    • If the specified network object is external, the country list MUST BE EMPTY.

    2) The internal target

    When the specified network object is internal, it might be necessary to include both the destination address and the UTM interface address on which it arrives.   I have not tested this enough to be certain, but it is usually harmless to include both.

    Examples:

    Applying these principles to a Country Blocking Exception for mail.ru:

    • You can allow mail from ALL Russian sources by specifying a Country Blocking Exception like this:   
      ToAddress=<MX address>, Target Port=25, Country=Russia.

    • But to ONLY allow mail from the mail.ru email domain requires knowing their IP Addresses.  The Country Blocking Exception will look something like this:
      FromAddress=<mail.ru SPF address list>, Target Port=25, Country=NONE

    These exceptions only let the message through Country Blocking.  SMTP Filtering rules will still be evaluated after traffic is allowed past this layer.
