
Cannot receive e-mails from certain domains

We have recently switched over to using the Sophos UTM 9 E-mail Protection and currently are unable to receive e-mails from a few domains, including Samsung and mail.ru. Our settings are as follows:

  • MX records pointing to our mail server.
  • Mail server points to internal address for the Sophos box under send connector.

We are able to send e-mails to any domain (including Samsung and mail.ru) but we cannot receive from them. The only time I could receive from them is when I had a DNAT rule to point to the Exchange server (but this only worked because it then bypassed the e-mail protection in Sophos altogether).

Have I configured something wrong?



  • BAlfson said:

    I recommend against using Transparent for anything other than debugging a problem as leaving it enabled means that an infected machine in your network that's a spambot could quickly get you blacklisted.

     

    Did you forget on purpose "Who can Relay in the System", Bob?

    Host-based Relay

     

  • See if I understand the last part of this correctly:

    The SMTP Proxy has an "Allowed Relay Hosts" list.  If "authenticated SMTP" is disabled, the devices in the "Allowed Relay Hosts" list are the only ones allowed to send to external email addresses.

    In Transparent Mode, UTM is not acting as a relay, so does this mean that the "Allowed Relay Hosts" list is not applicable and not enforced?

    Here are some model configurations based on the above:

    1) Both modes:  Block incoming SMTP from the outside to non-MX public IP addresses.

    DNAT From <Any> TO <Non-MX public IP address list> Port 25 Reconfigure destination as <Dead-End-Address> port 25

    2a) Standard SMTP Mode:   Block outbound email not routing through UTM SMTP Proxy

    Firewall From ANY to ANY port 25 Action=BLOCK

    2b) Transparent SMTP Mode:  Block outbound email from unauthorized internal senders

    Need a NAT rule to allow outbound from trusted senders, then a dead-end rule to block all other internal addresses / private IPs.  Not sure I know how to do this.

    Is 2B the core of the problem with Transparent SMTP?

  • I haven't experimented with it in probably 10 years, but I think it allows all internal devices to relay off the Proxy.  Could you test that for us, Olsi?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, for sure. You will get "Relay not Permitted".

    And with "authenticated users" (send connector from Exchange with authentication), only Exchange or the mail program on that computer can send emails, not the computer or the virus in it.

    I use it this way not only at home, but also at my work with 200 devices behind it.

    My colleague plays all day with firewall rules. The only thing they are not allowed to do is Mail Protection, and our work IP is clean.

  • In transparent mode, you can delete any rule in firewall and DNAT regarding SMTP. In this way it becomes Mail Protection, not just a proxy/scanner.

    In my environment:

    Under the Relay tab I don't have any host. I just have a user in Exchange that is configured in the send connector too. The Exchange has no DNS configured either, because it leaves the email to be handled by UTM. I can even restart the Exchange and not lose incoming mails. Once connected, UTM will deliver spooled emails to Exchange; you can't do this in standard mode.

    The IT nightmare is to get blacklisted. I can play all day with SMTP in firewall rules in this way.

  • Douglas, you have to skip the internal host from Transparent; after that it will be subject to firewall/DNAT rules.

    Simple test: make a rule in the firewall to allow a particular host to reach Any on port 25.

    Without Skip, telnet anymailserver 25 and see who will respond.

    With Skip and the firewall rule on, telnet the mailserver again.

    This will clarify it for you a bit.
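
The telnet comparison described in the last post can be scripted. The following is an added example, not code from the thread or from Sophos; it assumes that an intercepting proxy announces its own hostname in the 220 greeting, and all hostnames and sample greetings in it are constructed.

```python
import socket

def read_greeting(host, port=25, timeout=10.0):
    """Connect as `telnet host 25` would and return the SMTP greeting lines."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for raw in stream:
                line = raw.decode("ascii", errors="replace").rstrip("\r\n")
                lines.append(line)
                # "220-" is a continuation line, "220 " ends the greeting (RFC 5321).
                if len(line) < 4 or line[3] != "-":
                    break
        try:
            sock.sendall(b"QUIT\r\n")  # end the session politely
        except OSError:
            pass
    return lines

def greeting_domain(lines):
    """Return the hostname announced in a 220 greeting, or None if absent."""
    if not lines or not lines[0].startswith("220"):
        return None
    parts = lines[0][4:].split()
    return parts[0].lower() if parts else None

def single_responder(greetings):
    """True when two or more destinations all announce the same hostname."""
    domains = {greeting_domain(g) for g in greetings.values()}
    return len(greetings) >= 2 and len(domains) == 1 and None not in domains

# Constructed greetings: the same two destinations probed without and with Skip.
WITHOUT_SKIP = {"mx.one.example": ["220 utm.internal.example ESMTP ready."],
                "mx.two.example": ["220 utm.internal.example ESMTP ready."]}
WITH_SKIP = {"mx.one.example": ["220-mx.one.example ESMTP", "220 go ahead"],
             "mx.two.example": ["220 mx.two.example ESMTP Postfix"]}

if __name__ == "__main__":
    for label, sample in (("without Skip", WITHOUT_SKIP), ("with Skip", WITH_SKIP)):
        print(label, "-> one host answers for all:", single_responder(sample))
```

To run it against live servers from the test host, build the dictionary with `read_greeting()` for two unrelated mail servers, once before and once after adding the Skip entry and firewall rule.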