
Help on configuring Exchange Server to use Sophos UTM9 as smarthost

Hi,

My email is working fine. It can send and receive mails.

I noticed that mails are not logged in Sophos Mail Manager, so I searched the Sophos community for answers and found that I should use Sophos UTM9 as smarthost.

Here's what I did:

I configured my Exchange server to use the firewall's local IP as smarthost.

Disabled SMTP NAT.

On Email Protection > SMTP > Routing

On Email Protection > SMTP > Host-based relay I put the local IP of the mail server and enabled Scan Relayed (outgoing messages).

Other settings are set to default.

After saving the config, I can't send and receive emails with these settings, so I reverted back to my working config.

Here's what I saw in the SMTP log:

2018:09:27-00:22:35 wdcsg310 exim-in[27590]: 2018-09-27 00:22:35 SMTP connection from (User) [185.228.80.58]:43911 closed by QUIT
2018:09:27-00:23:21 wdcsg310 exim-out[26644]: 2018-09-27 00:23:21 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.137.159.28]:25 Connection timed out
2018:09:27-00:25:29 wdcsg310 exim-out[26644]: 2018-09-27 00:25:29 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.136.102.54]:25 Connection timed out
2018:09:27-00:25:52 wdcsg310 exim-in[6061]: 2018-09-27 00:25:52 SMTP connection from [167.114.200.134]:39862 (TCP/IP connection count = 1)
2018:09:27-00:25:53 wdcsg310 exim-in[28048]: 2018-09-27 00:25:53 SMTP connection from ip134.ip-167-114-200.net (ADMIN) [167.114.200.134]:39862 closed by QUIT
2018:09:27-00:27:36 wdcsg310 exim-out[26644]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW mta6.am0.yahoodns.net [98.137.159.27]:25 Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[26642]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW == testmail@yahoo.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[24055]: 2018-09-27 00:27:36 End queue run: pid=24055
2018:09:27-00:28:00 wdcsg310 exim-out[28240]: 2018-09-27 00:28:00 Start queue run: pid=28240
2018:09:27-00:30:08 wdcsg310 exim-out[28243]: 2018-09-27 00:30:08 1g56Sz-0000tE-LV gmail-smtp-in.l.google.com [74.125.204.26]:25 Connection timed out
2018:09:27-00:32:15 wdcsg310 exim-out[28243]: 2018-09-27 00:32:15 1g56Sz-0000tE-LV alt1.gmail-smtp-in.l.google.com [64.233.179.26]:25 Connection timed out
2018:09:27-00:34:22 wdcsg310 exim-out[28243]: 2018-09-27 00:34:22 1g56Sz-0000tE-LV alt2.gmail-smtp-in.l.google.com [74.125.129.26]:25 Connection timed out
2018:09:27-00:36:29 wdcsg310 exim-out[28243]: 2018-09-27 00:36:29 1g56Sz-0000tE-LV alt3.gmail-smtp-in.l.google.com [173.194.219.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28243]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV alt4.gmail-smtp-in.l.google.com [74.125.192.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28242]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV == mytestmail@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:38:41 wdcsg310 exim-in[6061]: 2018-09-27 00:38:41 SMTP connection from [167.114.200.134]:51598 (TCP/IP connection count = 1)
2018:09:27-00:38:42 wdcsg310 exim-in[29968]: 2018-09-27 00:38:42 SMTP connection from ip134.ip-167-114-200.net (ADMIN) [167.114.200.134]:51598 closed by QUIT
2018:09:27-00:40:44 wdcsg310 exim-out[29961]: 2018-09-27 00:40:44 1g56Sk-0000tE-BW mysolutions-ph.mail.protection.outlook.com [65.55.88.202]:25 Connection timed out
2018:09:27-00:40:44 wdcsg310 exim-out[29960]: 2018-09-27 00:40:44 1g56Sk-0000tE-BW == software@mysolutions.ph R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:42:51 wdcsg310 exim-out[30229]: 2018-09-27 00:42:51 1g56sO-0001yi-9j mta6.am0.yahoodns.net [98.136.102.55]:25 Connection timed out
2018:09:27-00:43:17 wdcsg310 exim-in[6061]: 2018-09-27 00:43:17 SMTP connection from [121.142.169.185]:50219 (TCP/IP connection count = 1)
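The pattern in the log above (every MX attempt on port 25 ending in "Connection timed out", followed by a defer (110) for the recipient) is what an outbound-port-25 block or a wrong uplink looks like from the UTM side. The following is an added example, not code from the thread or from Sophos: it parses exim-out lines in the same format, groups the timeouts by Exim message ID, and reports whether every attempt was a port-25 connect timeout. The sample lines are copied from the log above and embedded inline so it runs offline.

```python
import re
from collections import defaultdict

# Sample lines taken from the UTM SMTP log above (constructed test input)
SAMPLE_LOG = """\
2018:09:27-00:23:21 wdcsg310 exim-out[26644]: 2018-09-27 00:23:21 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.137.159.28]:25 Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[26642]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW == testmail@yahoo.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:30:08 wdcsg310 exim-out[28243]: 2018-09-27 00:30:08 1g56Sz-0000tE-LV gmail-smtp-in.l.google.com [74.125.204.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28242]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV == mytestmail@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:25:52 wdcsg310 exim-in[6061]: 2018-09-27 00:25:52 SMTP connection from [167.114.200.134]:39862 (TCP/IP connection count = 1)
"""

# exim-out attempt line: "<msgid> <mx host> [<ip>]:<port> Connection timed out"
TIMEOUT_RE = re.compile(
    r"exim-out\[\d+\]: \S+ \S+ (?P<msgid>\S+) (?P<host>\S+) "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) Connection timed out$")
# exim-out defer line: "<msgid> == <recipient> R=... T=... defer (<errno>)"
DEFER_RE = re.compile(
    r"exim-out\[\d+\]: \S+ \S+ (?P<msgid>\S+) == (?P<rcpt>\S+) "
    r"R=\S+ T=\S+ defer \((?P<errno>\d+)\)")

def summarize_deferrals(log_text):
    """Group outbound connect timeouts by Exim message ID.

    Returns {msgid: {"hosts": [(host, ip, port), ...], "recipients": [...]}}.
    Inbound (exim-in) lines are ignored; only errno 110 (ETIMEDOUT) defers count.
    """
    out = defaultdict(lambda: {"hosts": [], "recipients": []})
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            out[m["msgid"]]["hosts"].append((m["host"], m["ip"], int(m["port"])))
            continue
        m = DEFER_RE.search(line)
        if m and m["errno"] == "110":
            out[m["msgid"]]["recipients"].append(m["rcpt"])
    return dict(out)

def all_port25_timeouts(summary):
    """True when every logged delivery attempt was a port-25 connect timeout,
    i.e. the symptom of outbound 25 being blocked or routed out the wrong uplink."""
    attempts = [h for entry in summary.values() for h in entry["hosts"]]
    return bool(attempts) and all(port == 25 for _, _, port in attempts)
```

Run it over /var/log/smtp.log (or the Mail Manager delivery log) from the UTM to see at a glance whether one destination or every destination is timing out before touching the multipath or masquerading rules.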
  • To extend ManBearPig:

    You don't have to masquerade the email server, since it leaves the email to the UTM.

    But, if the Exchange is the only one who is allowed to send emails, you can try Email Protection in Transparent mode. UTM will try both WANs. Or you can create a multipath rule only for the SMTP service.

  • Hi ManBearBig,

    the link you provided is not working: https://www.sophos.com/en-us/support/knowledgebase/115322.aspx

    but upon checking we already have a multipath rule for SMTP

    note: Globe WAN is where my MX IP is located

    or is this more correct?

  • In the first screenshot, source must be any.

    Uncheck: Skip rule on interface error

  • Hi Ryan and welcome to the UTM Community!

    I just scanned the above and it looks like you've gotten good advice here. You might also want to consult Basic Exchange setup with SMTP Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi all,

    after I changed the multipath rule

    any > smtp > any > mx ip interface

    I still can't send and receive mails

    when sending it just gets stuck at the SMTP pool in Mail Manager

    with message delivery logs

    Message Delivery Log:
    2018-09-29 08:22:48 gmail-smtp-in.l.google.com [64.233.189.27]:25 Connection timed out
    2018-09-29 08:24:55 alt1.gmail-smtp-in.l.google.com [64.233.179.27]:25 Connection timed out
    2018-09-29 08:27:02 alt2.gmail-smtp-in.l.google.com [74.125.129.27]:25 Connection timed out
    2018-09-29 08:29:09 alt3.gmail-smtp-in.l.google.com [64.233.185.26]:25 Connection timed out
    2018-09-29 08:31:16 alt4.gmail-smtp-in.l.google.com [173.194.68.26]:25 Connection timed out
    2018-09-29 08:31:16 alewdainc@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out

    any other ideas?
  • Then you should test both IPs for outgoing port 25, whether it is blocked or not.

    Configure one IP at a time and from your PC telnet alt4.gmail-smtp-in.l.google.com 25.

    So do just one masquerade for one IP.

    And tell us the results.

    After that we can go further and help you with that.

    Tomorrow I am at work and have plenty of time.


  • Please show us pictures of the Edits of the relevant configurations, Ryan - SMTP Proxy, Multipath rules, etc.

    What information does doing #1 in Rulz give you?

    Cheers - Bob

  • Hi all,

    I can now send and receive mails using Sophos UTM9 as smarthost and am currently monitoring the mail flow.

    What I did was add an SNAT rule.

    I don't know if this is the best way to do it, but it works for me.

    At first, incoming mails were delayed for about 15 minutes, so I disabled Greylisting and BATV in the advanced anti-spam features. Please advise me if this is recommended.

  • Apparently you did something that functions. But who else sends emails from the UTM? Because you may compromise your IP and be blacklisted. If no one else is allowed to send emails, I will suggest another method with a multipath rule.

    1. Put Email Protection in Transparent Mode. In the Relaying tab allow only Exchange.

    2. Having 2 WANs both as gateways will enable uplink balancing and multipath rule. In the multipath rule just follow the instructions above for SMTP.