
Firewall and DNAT rule for SMTP with SMTP proxy

Apologies for the very basic question but it's one of those things that are hard to Google: I plan to use a Sophos UTM as a smart host / spam filter for our new Exchange 2019 Server (i.e. turn on SMTP proxy and add the Exchange server to static hosts and Host-based relay).

If I do this, I'm guessing the UTM creates the necessary rules, meaning I do not create a DNAT rule to send incoming SMTP traffic to the Exchange and a firewall rule to allow the Exchange to send SMTP to "Any", correct?

(Our setup if relevant: The Exchange resides in our LAN, the UTM has a leg in the LAN and a DMZ which has a DSL router on the WAN side).

  • You have the right idea. In Standard Mode, the SMTP proxy relays traffic rather than translating it. Your MX record points to an IP address of the UTM. If UTM accepts the message, it relays the message to the address configured in your SMTP Profile definition. No NAT is needed. The details of this process will vary a little bit depending on whether UTM is taking over the Exchange Server's Internet address or using a different one.

    Because UTM Firewall Rules apply as the filter of LAST resort, any traffic handled by the SMTP proxy will bypass the Firewall Rules.

    For outbound traffic, if you configure Exchange to Forward to UTM, then a similar process occurs - Exchange sends to UTM unconditionally, UTM does an MX lookup and uses its Internet address to connect to the remote server, so again no NAT rule is used.

    If you want Exchange to bypass UTM for outbound traffic, you will need two Internet addresses, an SNAT or Masquerading rule for the Exchange server, and a Firewall rule to allow the Exchange server to send to port TCP/25.

    TCP/25 should be blocked with Firewall Rules by default, to prevent unauthorized internal machines from transmitting email. Devices and applications should always submit mail through an authorized mail server. This includes UTM - its Notification function should be configured to log onto your mail server to send email notifications.
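
An added example (not code from the thread or from Sophos) of the check the last paragraph implies: scanning packet-filter logs for internal hosts that reach for TCP/25 directly instead of submitting through the authorized mail server. The log lines are constructed in a key="value" style resembling UTM packet-filter entries, and the mail server address 192.168.1.10 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key="value" style similar to Sophos UTM
# packet-filter logs; not captured from a real system. 192.168.1.10 plays
# the Exchange server, the only host that should talk to TCP/25 directly.
SAMPLE_LOG = """\
2024:01:15-09:12:01 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.168.1.10" dstip="203.0.113.25" proto="6" srcport="51000" dstport="25"
2024:01:15-09:12:05 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.57" dstip="198.51.100.9" proto="6" srcport="51234" dstport="25"
2024:01:15-09:12:09 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth1" srcip="192.168.1.57" dstip="198.51.100.9" proto="6" srcport="51235" dstport="587"
2024:01:15-09:12:20 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth1" srcip="192.168.1.88" dstip="192.0.2.44" proto="6" srcport="40001" dstport="25"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def find_direct_smtp(log_text, mail_servers):
    """Flag internal hosts attempting TCP/25 that are not authorized mail servers.

    Returns {srcip: [(action, dstip), ...]}.  An 'accept' entry means a firewall
    rule is letting the host bypass the mail server (a policy gap); a 'drop'
    entry means the default block worked but the host still tried, which is
    worth a look (misconfigured device, or malware sending mail directly).
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("proto") != "6":
            continue  # only TCP packet-filter events
        if f.get("dstport") != "25" or f.get("srcip") in mail_servers:
            continue  # not SMTP, or sent by the authorized server
        hits[f["srcip"]].append((f["action"], f["dstip"]))
    return dict(hits)


def policy_gaps(hits):
    """Sources that were actually allowed out on TCP/25: rules to fix first."""
    return sorted(src for src, events in hits.items()
                  if any(action == "accept" for action, _ in events))


if __name__ == "__main__":
    found = find_direct_smtp(SAMPLE_LOG, {"192.168.1.10"})
    print(found)
    print("allowed by a rule:", policy_gaps(found))
```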


  • Thank you for the detailed explanation, hopefully this will help others in the future.
