Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 6220 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Set Up UTM for SMTP Relay for Mail Server Behind Gateway

JeffCooper

Hi,

I currently have an IP address set ("internet [mail services]" via additional addresses) on my UTM that's pointed to by an mx record at my ISP. Using SMTP/Routing I have my internal mail server set in the Host List and this has worked fine for incoming emails: they are delivered to the server after being scanned by the UTM. My mail server (Kerio Connect) is currently set to send using the MX records, so it seems this means outgoing emails are not scanned by the UTM. Normally, the "Received: from..." mail headers on the receiving end of emails sent by my mail server show the domain of my mail server (mail.mydomain.com),  I assume because I'm using the mxrecord to do the sending.

I would like to start using Data Protection, so I need to (I think) set my UTM as an SMTP relay for my mail server.

For testing I set a rule on my mail server to only use the relay when sending to my own outside (gmail) address.

When I set the relay to the internal IP address of the UTM, the mail forwards to gmail. The "Received: from..." in the recipient's source (or "Original" on gmail) shows the internal IP address of my UTM.

When I set the relay to the same domain name as my mx record (mail.mydomain.com which points to "internet [mail services]"), it shows the mail coming from the outward facing main Internet address of the utm (not the addresss pointed to by the mx record, but the internet address of the gateway).

My question(s) are:

Right now email traffic shows one IP address (the one corresponding to mail.mydomain.com) but it seems using the UTM as a relay would show another. Will this get us flagged or blocked because of spf or anything? 

Is there a way to tell the UTM to make smtp traffic from the mail server to go out to the internet FROM the mail service address on the UTM? SNAT is already set to translate any source smtp traffic to come from the "internet [mail services]", ssd I'm not sure why it's not coming from that address.

If I specify the outward facing address (mail.domain.com) on my mail server, then is the traffic going from my mail server out to the internet, back to my gateway (from the outside) then back to my mail server to eventually get sent? Am I risking some sort of dns-loop nightmare?

Thanks so much,

Jeff



This thread was automatically locked due to age.
Parents
  • 0

    Current config:   mail comes in on address A to UTM.   mail goes out on address B from mail server.

    Revised config:   

    • mail comes in and out on address A from UTM.   
    • If address B was reserved to mail server, it is no longer necessary.  Outbound traffic (e.g. web browsing or Windows updates) can use the masquerading address shared with everyone else.

    All you need to do is ensure that address A is in your SPF record, either explicitly, or with a +mx clause.  This should be an easy transition.

     

  • 0 in reply to DouglasFoster

    Sorry, I think I explained it badly (shame, considering how verbose I am when I write). Address B is for email in and out. Traffic coming in to address B is redirected to the mail server. traffic coming from the mail server on its way out is set to come from address B.

    But, when I choose the UTM as a relay, suddenly the mail comes from address A (well the headers on the receiving end say it does), even though I didn't specify this in SNAT.

    I suppose I could just add my main IP address to my spf record. I would prefer to just have everything come from mail.mydomain.com, rather than my gateway's WAN address (which actually doesn't have a dns record defined to point to it).

    Thanks,

    Jeff

  • 0 in reply to JeffCooper

    You seem to be right about the outbound address.   I do not see any easy way to control which address is used.   

    What you can do:

    • Configure the desired host name in Email Protection... SMTP... Advanced
    • Load an SSL Certificate to match that name, to ensure that senders can verify and trust your identity certificate when submitting mail.
    • Work with your ISP to create a SWIP entry so that your reverse DNS name(s) matches your configured host name.
    • Add additional IP addresses to the forward DNS entry for your chosen host name.
    • Add additional IP addresses to your SPF record.

     

  • 0 in reply to JeffCooper

    Hi Jeff,

    In addition to Doug's suggestions, look at Basic Exchange setup with SMTP Proxy which also applies to the Kerio.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks for this. I already had SNAT like it is  on the link you provided, but is still has an originating IP of our WAN interface's main address, not our email services' "additional address." But I updated my SPF record and it seems to not trigger any spam warnings, which is what I was looking for.

    I do have a security concern I just noticed: when using the UTM as a relay the Local IP address of my mail server is now included in the headers. Unless I'm mistaken, I shouldn't be advertising this. I've turned off the relay for now until I can figure that out, and I'm not sure if it's related to what I just now did, or some other unrelated issue. I may start a new topic as it seems a separate enough from my original question.

    Thanks everyone for your help! 

    Jeff

     

  • 0 in reply to JeffCooper

    I don't think you need to worry about that, Jeff.  I've never seen an MTA that didn't record the origin of traffic it accepts.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to JeffCooper

    I don't think you need to worry about that, Jeff.  I've never seen an MTA that didn't record the origin of traffic it accepts.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML