
Help on configuring Exchange server to use Sophos UTM9 as smarthost

Hi,

My email is working fine. It can send and receive mails.

I noticed that mails are not logged in the Sophos Mail Manager, so I searched the Sophos community for answers and found that I should use Sophos UTM9 as the smarthost.

Here's what I did:

I configured my Exchange server to use the firewall's local IP as the smarthost.

Disabled SMTP NAT.

On Email Protection > SMTP > Routing.

On Email Protection > SMTP > Host-based relay I put the local IP of the mail server and enabled Scan Relayed (outgoing messages).

Other settings are set to default.

After saving the config, I can't send and receive emails with these settings, so I reverted back to my working config.

Here's what I saw in the SMTP log:

2018:09:27-00:22:35 wdcsg310 exim-in[27590]: 2018-09-27 00:22:35 SMTP connection from (User) [185.228.80.58]:43911 closed by QUIT
2018:09:27-00:23:21 wdcsg310 exim-out[26644]: 2018-09-27 00:23:21 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.137.159.28]:25 Connection timed out
2018:09:27-00:25:29 wdcsg310 exim-out[26644]: 2018-09-27 00:25:29 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.136.102.54]:25 Connection timed out
2018:09:27-00:25:52 wdcsg310 exim-in[6061]: 2018-09-27 00:25:52 SMTP connection from [167.114.200.134]:39862 (TCP/IP connection count = 1)
2018:09:27-00:25:53 wdcsg310 exim-in[28048]: 2018-09-27 00:25:53 SMTP connection from ip134.ip-167-114-200.net (ADMIN) [167.114.200.134]:39862 closed by QUIT
2018:09:27-00:27:36 wdcsg310 exim-out[26644]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW mta6.am0.yahoodns.net [98.137.159.27]:25 Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[26642]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW == testmail@yahoo.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[24055]: 2018-09-27 00:27:36 End queue run: pid=24055
2018:09:27-00:28:00 wdcsg310 exim-out[28240]: 2018-09-27 00:28:00 Start queue run: pid=28240
2018:09:27-00:30:08 wdcsg310 exim-out[28243]: 2018-09-27 00:30:08 1g56Sz-0000tE-LV gmail-smtp-in.l.google.com [74.125.204.26]:25 Connection timed out
2018:09:27-00:32:15 wdcsg310 exim-out[28243]: 2018-09-27 00:32:15 1g56Sz-0000tE-LV alt1.gmail-smtp-in.l.google.com [64.233.179.26]:25 Connection timed out
2018:09:27-00:34:22 wdcsg310 exim-out[28243]: 2018-09-27 00:34:22 1g56Sz-0000tE-LV alt2.gmail-smtp-in.l.google.com [74.125.129.26]:25 Connection timed out
2018:09:27-00:36:29 wdcsg310 exim-out[28243]: 2018-09-27 00:36:29 1g56Sz-0000tE-LV alt3.gmail-smtp-in.l.google.com [173.194.219.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28243]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV alt4.gmail-smtp-in.l.google.com [74.125.192.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28242]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV == mytestmail@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:38:41 wdcsg310 exim-in[6061]: 2018-09-27 00:38:41 SMTP connection from [167.114.200.134]:51598 (TCP/IP connection count = 1)
2018:09:27-00:38:42 wdcsg310 exim-in[29968]: 2018-09-27 00:38:42 SMTP connection from ip134.ip-167-114-200.net (ADMIN) [167.114.200.134]:51598 closed by QUIT
2018:09:27-00:40:44 wdcsg310 exim-out[29961]: 2018-09-27 00:40:44 1g56Sk-0000tE-BW mysolutions-ph.mail.protection.outlook.com [65.55.88.202]:25 Connection timed out
2018:09:27-00:40:44 wdcsg310 exim-out[29960]: 2018-09-27 00:40:44 1g56Sk-0000tE-BW == software@mysolutions.ph R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:42:51 wdcsg310 exim-out[30229]: 2018-09-27 00:42:51 1g56sO-0001yi-9j mta6.am0.yahoodns.net [98.136.102.55]:25 Connection timed out
2018:09:27-00:43:17 wdcsg310 exim-in[6061]: 2018-09-27 00:43:17 SMTP connection from [121.142.169.185]:50219 (TCP/IP connection count = 1)
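A triage helper for the exim-out lines quoted above, added here as an example and not part of the original post or of Sophos UTM: it groups the timed-out MX attempts and the "==" defer lines by Exim message id, and flags the pattern visible in this log, where every MX of several unrelated domains times out on TCP/25, which points at the firewall's own outbound path rather than at the remote sites. The log sample is constructed in the same format; parse_deferrals and diagnose are the example's own names.

```python
import re
from collections import defaultdict

# Constructed sample in the exim-out format of the UTM SMTP log above (not the poster's real log).
SAMPLE_LOG = """\
2018:09:27-00:23:21 wdcsg310 exim-out[26644]: 2018-09-27 00:23:21 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.137.159.28]:25 Connection timed out
2018:09:27-00:25:29 wdcsg310 exim-out[26644]: 2018-09-27 00:25:29 1g56Sz-0000tE-LW mta5.am0.yahoodns.net [98.136.102.54]:25 Connection timed out
2018:09:27-00:27:36 wdcsg310 exim-out[26642]: 2018-09-27 00:27:36 1g56Sz-0000tE-LW == testmail@yahoo.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:30:08 wdcsg310 exim-out[28243]: 2018-09-27 00:30:08 1g56Sz-0000tE-LV gmail-smtp-in.l.google.com [74.125.204.26]:25 Connection timed out
2018:09:27-00:38:36 wdcsg310 exim-out[28242]: 2018-09-27 00:38:36 1g56Sz-0000tE-LV == mytestmail@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2018:09:27-00:38:41 wdcsg310 exim-in[6061]: 2018-09-27 00:38:41 SMTP connection from [192.0.2.10]:51598 (TCP/IP connection count = 1)
"""

MSGID = r"(?P<msgid>\w{6}-\w{6}-\w{2})"  # Exim message id, e.g. 1g56Sz-0000tE-LW
# One failed connection attempt to a specific MX host/IP/port.
ATTEMPT_RE = re.compile(r"exim-out\[\d+\]: \S+ \S+ " + MSGID +
                        r" (?P<host>\S+) \[(?P<ip>[\d.]+)\]:(?P<port>\d+) Connection timed out$")
# The "==" line Exim writes once all MX hosts for a recipient were tried and the message is deferred.
DEFER_RE = re.compile(r"exim-out\[\d+\]: \S+ \S+ " + MSGID +
                      r" == (?P<rcpt>\S+) R=\S+ T=\S+ defer \((?P<code>\d+)\): (?P<err>.*)$")


def parse_deferrals(log_text):
    """Group timed-out MX attempts and defer lines by message id; unrelated lines are ignored."""
    msgs = defaultdict(lambda: {"attempts": [], "recipients": []})
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            msgs[m["msgid"]]["attempts"].append((m["host"], m["ip"], int(m["port"])))
            continue
        m = DEFER_RE.search(line)
        if m:
            msgs[m["msgid"]]["recipients"].append((m["rcpt"], int(m["code"])))
    return dict(msgs)


def diagnose(msgs):
    """'outbound-25-unreachable' when deferrals with errno 110 (ETIMEDOUT) hit the MXes of two or
    more unrelated domains and every attempt was on TCP/25: the common factor is then the UTM's own
    outbound path (WAN/multipath/ISP filtering), not the remote sites. Otherwise 'remote-or-dns-issue'."""
    domains = {rcpt.split("@")[-1].lower()
               for info in msgs.values() for rcpt, code in info["recipients"] if code == 110}
    ports = {port for info in msgs.values() for _, _, port in info["attempts"]}
    if len(domains) >= 2 and ports == {25}:
        return "outbound-25-unreachable"
    return "remote-or-dns-issue"
```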

  • Do you have multiple WAN interfaces?

    Seems like UTM cannot reach the Destination Mail server via Port 25. 

  • Yes, we have 2 ISPs, at eth6 and eth7.

    eth7 is where my public IP and MX are connected.

    I don't know if this is significant, but I have a masquerading rule:

    email server > WAN on eth7 > email MX IP

  • To extend ManBearPig:

    You don't have to masquerade the Exchange server, since it leaves the email to the UTM.

    But if the Exchange is the only one who is allowed to send emails, you can try Email Protection in Transparent mode. UTM will try both WANs. Or you can create a multipath rule only for the SMTP service.

  • Hi ManBearPig,

    the link you provided is not working: https://www.sophos.com/en-us/support/knowledgebase/115322.aspx

    But upon checking, we already have a multipath rule for SMTP.

    Note: Globe WAN is where my MX IP is located.

    Or is this more correct?

  • In the first screenshot, source must be any.

    Uncheck: Skip rule on interface error

  • Hi Ryan and welcome to the UTM Community!

    I just scanned the above and it looks like you've gotten good advice here.  You might also want to consult Basic Exchange setup with SMTP Proxy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi all,

    after I changed the multipath rule to

    any > smtp > any > mx ip interface

    I still can't send and receive mails.

    When sending, it just gets stuck in the SMTP pool in Mail Manager

    with message delivery logs:

    Message Delivery Log:
    2018-09-29 08:22:48 gmail-smtp-in.l.google.com [64.233.189.27]:25 Connection timed out
    2018-09-29 08:24:55 alt1.gmail-smtp-in.l.google.com [64.233.179.27]:25 Connection timed out
    2018-09-29 08:27:02 alt2.gmail-smtp-in.l.google.com [74.125.129.27]:25 Connection timed out
    2018-09-29 08:29:09 alt3.gmail-smtp-in.l.google.com [64.233.185.26]:25 Connection timed out
    2018-09-29 08:31:16 alt4.gmail-smtp-in.l.google.com [173.194.68.26]:25 Connection timed out
    2018-09-29 08:31:16 alewdainc@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out

    Any other ideas?
  • Then you should test both IPs for outgoing port 25, whether it is blocked or not.

    Configure one IP at a time and from your PC telnet alt4.gmail-smtp-in.l.google.com 25.

    So do just one masquerade for one IP.

    And tell us the results.

    After that we can go further and help you with that.

    Tomorrow I am at work and have plenty of time.

  • Please show us pictures of the Edits of the relevant configurations, Ryan - SMTP Proxy, Multipath rules, etc.

    What information does doing #1 in Rulz give you?

    Cheers - Bob

  • Hi All,

    I can now send and receive mails using Sophos UTM9 as smarthost and am currently monitoring the mail flow.

    What I did was add a SNAT rule.

    I don't know if this is the best way to do it, but it works for me.

    At first, incoming mails were delayed for about 15 minutes, so I disabled Greylisting and BATV in the advanced anti-spam features. Please advise me if this is recommended.

  • Apparently you did something that functions. But who else sends emails from UTM, because you may compromise your IP and be blacklisted. If no one else is allowed to send emails, I will suggest another method with a multipath rule.

    1 Put Email Protection in Transparent Mode. In the Relaying tab allow only Exchange.

    2 Having 2 WANs both as gateways will enable uplink balancing and multipath rules. In the multipath rule just follow the instructions above for SMTP.

  • Hi oldeda,

    1 Put Email Protection in Transparent Mode. In the Relaying tab allow only Exchange.

    Is this what you are saying?

    Off topic:

    upon monitoring the UTM Mail Manager, I noticed that some of the emails were not delivered to my inbox, but in Mail Manager it says delivered.

    On the delivery log:

    2018-10-05 15:07:24 rquiocho@wdainc.com.ph: static_smtp transport succeeded to (local ip of email server)


    On the Exchange log:

    Failed
    10/5/2018 3:07 PM email server
    The message couldn't be delivered.

    250 2.6.0 <cb7d354c-06c2-4d55-a438-a22bce8e6ecc@community.sophos.com> Queued mail for delivery

  • How did you configure the Address Verification in Email Protection? Better to leave it with callout.

    And check the junk to be sure.

  • Hi oldeda,

    yes, with callout. I don't think this has something to do with the Exchange server settings, because I can receive those mails if I disable the smarthost feature.

    Nothing in my junk and nothing in the Mail Manager SMTP pool. In the SMTP logs it just says delivered, but nothing appears in my inbox.

    I can send and receive mails from Yahoo, Gmail, Hotmail and some other domains.

  • Do you have a receive connector in Exchange?

    I think this has to be done from scratch.

    Too many problems here.

    One more thing: are the emails not going to Exchange, or not going out?

  • Yes, I have receive connectors.

    The email server works flawlessly when I'm not using the UTM smarthost.

    But if I add the UTM as smarthost, some external mails are not delivered to my Outlook inbox.

    For example, the email notification of the Sophos community did not reach my Outlook inbox,

    but in UTM Mail Manager > SMTP logs I can see that the mail was delivered.

    For testing purposes I even added the domain of the sender to the exception list to see if it is a filtering issue.

    I can send and receive mails to Yahoo Mail, Gmail and Hotmail when I'm using a smarthost.

  • You don't need a receive connector. Try it.

  • Oldeda and I differ on whether one should use Transparent mode.  I'm curious though.  Look at #2 in Rulz.  If you still have an active DNAT rule, it should bypass the SMTP Proxy for inbound emails.  If you see the inbound traffic in the logs or reporting, then that would mean that the traffic is being captured by Transparent.  I bet it's not though and that you will want to disable the DNAT.

    Cheers - Bob
    PS You will also want to review #5 in Rulz.
