Set Up UTM for SMTP Relay for Mail Server Behind Gateway

Hi,

I currently have an IP address set ("internet [mail services]" via additional addresses) on my UTM that's pointed to by an MX record at my ISP. Using SMTP/Routing I have my internal mail server set in the Host List and this has worked fine for incoming emails: they are delivered to the server after being scanned by the UTM. My mail server (Kerio Connect) is currently set to send using the MX records, so it seems this means outgoing emails are not scanned by the UTM. Normally, the "Received: from..." mail headers on the receiving end of emails sent by my mail server show the domain of my mail server (mail.mydomain.com), I assume because I'm using the MX record to do the sending.

I would like to start using Data Protection, so I need to (I think) set my UTM as an SMTP relay for my mail server.

For testing I set a rule on my mail server to only use the relay when sending to my own outside (gmail) address.

When I set the relay to the internal IP address of the UTM, the mail forwards to gmail. The "Received: from..." in the recipient's source (or "Original" on gmail) shows the internal IP address of my UTM.

When I set the relay to the same domain name as my MX record (mail.mydomain.com which points to "internet [mail services]"), it shows the mail coming from the outward-facing main Internet address of the UTM (not the address pointed to by the MX record, but the Internet address of the gateway).

My questions are:

Right now email traffic shows one IP address (the one corresponding to mail.mydomain.com) but it seems using the UTM as a relay would show another. Will this get us flagged or blocked because of SPF or anything?

Is there a way to tell the UTM to make SMTP traffic from the mail server go out to the Internet FROM the mail service address on the UTM? SNAT is already set to translate any source SMTP traffic to come from the "internet [mail services]" address, so I'm not sure why it's not coming from that address.

If I specify the outward-facing address (mail.domain.com) on my mail server, then is the traffic going from my mail server out to the Internet, back to my gateway (from the outside), then back to my mail server to eventually get sent? Am I risking some sort of DNS-loop nightmare?

Thanks so much,

Jeff

  • Current config: mail comes in on address A to UTM. Mail goes out on address B from mail server.

    Revised config:

    • Mail comes in and out on address A from UTM.
    • If address B was reserved for the mail server, it is no longer necessary. Outbound traffic (e.g. web browsing or Windows updates) can use the masquerading address shared with everyone else.

    All you need to do is ensure that address A is in your SPF record, either explicitly or with a +mx clause. This should be an easy transition.

  • Sorry, I think I explained it badly (shame, considering how verbose I am when I write). Address B is for email in and out. Traffic coming in to address B is redirected to the mail server. Traffic coming from the mail server on its way out is set to come from address B.

    But, when I choose the UTM as a relay, suddenly the mail comes from address A (well, the headers on the receiving end say it does), even though I didn't specify this in SNAT.

    I suppose I could just add my main IP address to my SPF record. I would prefer to just have everything come from mail.mydomain.com, rather than my gateway's WAN address (which actually doesn't have a DNS record defined to point to it).

    Thanks,

    Jeff

  • You seem to be right about the outbound address. I do not see any easy way to control which address is used.

    What you can do:

    • Configure the desired host name in Email Protection... SMTP... Advanced
    • Load an SSL certificate to match that name, to ensure that senders can verify and trust your identity certificate when submitting mail.
    • Work with your ISP to create a SWIP entry so that your reverse DNS name(s) match your configured host name.
    • Add additional IP addresses to the forward DNS entry for your chosen host name.
    • Add additional IP addresses to your SPF record.
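The two replies above come down to the same verification a receiving mail server performs: is the IP the mail actually leaves from authorized by the domain's SPF record (explicitly, or through the +mx clause), and does that IP's reverse DNS forward-confirm to the configured host name? The following script is an added example written for this thread, not code from the original posts or from Sophos UTM. It evaluates a small, constructed set of DNS records (ip4, a, mx and all mechanisms only; no real DNS lookups) against the two candidate sending addresses. Per Jeff's correction, "address B" is assumed to be the IP that mail.mydomain.com resolves to and "address A" the gateway's WAN address with no DNS name; the 203.0.113.x values and the host name gw.isp.example are placeholders.

```python
import ipaddress

# Constructed DNS data standing in for the thread's setup (placeholder values, not real records).
ADDRESS_A = "203.0.113.10"   # gateway WAN address: what the relayed mail currently leaves from
ADDRESS_B = "203.0.113.20"   # "internet [mail services]" address that mail.mydomain.com points to

DNS = {
    "TXT": {"mydomain.com": ["v=spf1 +mx -all"]},
    "MX":  {"mydomain.com": ["mail.mydomain.com"]},
    "A":   {"mail.mydomain.com": [ADDRESS_B]},
    "PTR": {ADDRESS_B: ["mail.mydomain.com"], ADDRESS_A: ["gw.isp.example"]},
}


def lookup(rtype, name):
    """Return the records of the given type for a name from the constructed table."""
    return DNS[rtype].get(name, [])


def spf_record(domain):
    """Pick the v=spf1 TXT record for the domain, or None if there is none."""
    for txt in lookup("TXT", domain):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def spf_check(domain, sender_ip, record=None):
    """Evaluate the SPF subset used here (ip4, a, mx, all with +/-/~/? qualifiers).

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' when the domain
    publishes no record. `record` overrides the published TXT so a proposed
    record can be tested before it is published.
    """
    record = record or spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = sender_ip in lookup("A", arg or domain)
        elif mech == "mx":
            # +mx: any A record of any MX host of the domain authorizes the sender
            matched = any(sender_ip in lookup("A", mx) for mx in lookup("MX", arg or domain))
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def fcrdns_check(sender_ip, helo_name):
    """Forward-confirmed reverse DNS: the PTR for the IP must name the HELO host,
    and that host's A record must contain the IP (the reverse/forward DNS point)."""
    return helo_name in lookup("PTR", sender_ip) and sender_ip in lookup("A", helo_name)


def assess(domain, sender_ip, helo_name):
    """What a receiving MTA would conclude about mail from sender_ip claiming helo_name."""
    return {"spf": spf_check(domain, sender_ip), "fcrdns": fcrdns_check(sender_ip, helo_name)}


if __name__ == "__main__":
    for addr in (ADDRESS_B, ADDRESS_A):
        print(addr, assess("mydomain.com", addr, "mail.mydomain.com"))
    # A proposed record that also lists the gateway address explicitly:
    print("proposed:", spf_check("mydomain.com", ADDRESS_A, "v=spf1 +mx ip4:" + ADDRESS_A + " -all"))
```

Run as-is, mail from address B passes SPF (via +mx) and forward-confirms, while mail relayed from address A fails SPF under -all and has no matching PTR, which is the flagging risk Jeff asks about. The final line shows the effect of the first reply's suggestion: adding address A to the record (as ip4:, or by publishing an A record for it under an MX host) turns the result into a pass, but the reverse DNS mismatch remains until the ISP publishes a matching PTR.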
