
Users unable to send personal emails on wifi. Disabling Transparent port 465 and 587 allows some, but not all users to send emails.

Good Morning Everyone,

Almost a year ago my company ended up moving to a new building.  In that process we ended up purchasing a second UTM9 firewall.  When the migration to the new building was completed, we ended up using the new firewall and still have the old firewall as a spare. 

During the transition time we ended up losing our IT manager and hired on a new one.  The Old manager did the configuration of the old firewall and the new manager did the configuration for the new one.  I have a PDF of the old firewall configuration if that might help.

Once we got settled in a large number of users came to me telling me they couldn't send email from their personal emails anymore and would get an error message "The connection to the outgoing server 'smtp.xxxxxxx.com' failed."  At the time the new manager wouldn't let me troubleshoot, but now I am given more leeway to look into this.

So I'm following rule 1, and checking the logs as I replicate this issue. In the SMTP log I see this below:

2020:04:01-10:47:57 206 exim-in[21713]: 2020-04-01 10:47:57 SMTP connection from ([10.0.50.43]) [10.0.50.43]:57649 lost
2020:04:01-10:48:06 206 exim-in[6472]: 2020-04-01 10:48:06 SMTP connection from [10.0.50.43]:57650 (TCP/IP connection count = 1)
 
I don't see anything in the firewall log, or any of the other logs mentioned in Rule 1.  The email I am trying to send does not show up in the mail manager either which I guess is to be expected since it can't even connect to the mail server.
 
Interestingly if I disable transparent mode port 465 my email will go through.  However if I disable the ports for 587 and 25 domain mail stops making it to the firewall for some reason.
 
When I examine the configuration of the old firewall, I don't see anything really standing out as to what would cause this.
 
I am not certain that this is necessarily the firewall's problem, but I know disabling the Transparent Port on 465 allows my email on wifi to connect so this may at least point me to the problem.
 
One last thing, if a user configures their personal email on the Outlook phone app, their email works fine.  But some users are stubborn and would rather just turn their wifi off and I would REALLY like to know why this is.
 
Thank you for your help!
 
Regards,
 
Tyler
 
 
 

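The two exim-in lines quoted in the post, run through a small parser. This is an added example, not code from the original post or from Sophos; it uses only the Python standard library. It groups the connection events per client address, which makes it easy to list which clients are reaching the UTM's transparent SMTP proxy at all and which of them drop the session afterwards. The lines for 10.0.50.77 and the "Start queue run" line are constructed to show a second client and a non-matching log entry.

```python
import re
from collections import defaultdict

# The two lines from the post, plus constructed lines: a second (made-up)
# client 10.0.50.77 that connects cleanly, and an unrelated exim line.
SAMPLE_LOG = """\
2020:04:01-10:47:57 206 exim-in[21713]: 2020-04-01 10:47:57 SMTP connection from ([10.0.50.43]) [10.0.50.43]:57649 lost
2020:04:01-10:48:06 206 exim-in[6472]: 2020-04-01 10:48:06 SMTP connection from [10.0.50.43]:57650 (TCP/IP connection count = 1)
2020:04:01-10:49:10 206 exim-in[6480]: 2020-04-01 10:49:10 SMTP connection from [10.0.50.77]:40122 (TCP/IP connection count = 2)
2020:04:01-10:50:00 206 exim-in[6490]: 2020-04-01 10:50:00 Start queue run: pid=6490
"""

# One regex for both shapes of line: the "lost" form repeats the address in
# parentheses, the accept form carries the running TCP/IP connection count.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ exim-in\[(?P<pid>\d+)\]: \S+ \S+ "
    r"SMTP connection from (?:\(\[[^\]]+\]\) )?\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"(?P<event>lost|\(TCP/IP connection count = (?P<count>\d+)\))$"
)


def parse_line(line):
    """Return a dict for a recognised exim-in connection line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "port": int(m["port"]),
        "event": "lost" if m["event"] == "lost" else "accepted",
        "count": int(m["count"]) if m["count"] else None,
    }


def summarize(log_text):
    """Per client IP: how many connections exim-in accepted and how many it lost."""
    stats = defaultdict(lambda: {"accepted": 0, "lost": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            stats[rec["ip"]][rec["event"]] += 1
    return dict(stats)


def intercepted_clients(log_text):
    """Clients that reached exim-in at all. A wifi client sending to an external
    provider should only show up here if a transparent proxy port caught it."""
    return sorted(summarize(log_text))


def dropped_clients(log_text):
    """Clients whose session was lost (closed without a proper QUIT)."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["lost"] > 0)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} accepted={s['accepted']} lost={s['lost']}")
```

Feed it the real exim-in log instead of SAMPLE_LOG and compare the client list against the wifi DHCP range: every wifi address that appears is one whose personal-mail traffic is being redirected into the proxy rather than reaching the provider.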

  • Hello Tyler,

    first of all: do you have an on-premises mailserver?

    If not, what kind of mailserver / mailservice are you connecting to?

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi!  I knew I forgot something.

     

    We have an on prem Exchange 2010 server.

  • Ok, don't mind. We try to help you here.

    So your goal is to use the Sophos SMTP-Proxy as a Mailgateway?

    1. Your internal clients have to reach the internal mailserver directly, without using transparent proxies. If they are in a different network segment, you have to implement proper routing and firewall rules between these zones.

    2. Other (internal) clients that want to use different mailserver(s) outside your network (e.g. Gmail) may use transparent proxy ports but you don't generally need to enforce this, despite having security reasons.

    Technically you could just open the ports and do a NAT to the internet uplink, that's it. But this is only needed, if using OTHER mailservers than your own internal one.

    ---

    Do you have a fixed IP address on your WAN side? MX-record is setup properly? Internal DNS is setup?

    Then:

    3. Setup SMTP-route to internal Exchangeserver under "Email-Protection", if possible use internal DNS-names here (FQDN), but IPs do as well, they are just not so easy to maintain.

    4. Your Exchangeserver needs a SEND connector to use the Sophos as its smarthost, either using the FQDN in an internal DNS or, again, just the IP address of the internal interface of the Sophos.

    The Sophos itself is not a mailserver, it acts just like an smtp-proxy.

    5. Of course the Exchangeserver needs a Receive Connector as well, to take over the mails from the internal Sophos interface. These two should be in the same LAN segment.

    If you like, post some screenshots of your email protection setup in the UTM.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • So for our Company email and exchange server everything works fine with one exception.

     

    If I uncheck Port 25, all outgoing mail stops making it to the UTM.  I think this had something to do with our Send Connectors being configured wrong after the move, but that has since been fixed and I have tested it since.

     

    The issue is when someone tries to send email from their personal email the device tells them it can't find the mail server associated with that email account, whether it be SMTP or POP3 or whatever.

     

    So our configuration is set up correctly for our mail, but external mail doesn't seem to be working.  I will post some configurations for the UTM.

     

    When I look at the old configuration there aren't any NATs to make these external emails work, so I'm not sure how they worked at all in the first place.

     

    I'm still very new to this, and just don't know where to look right now to figure out why this is happening.

     

    Thank you again for your help.

  • Sorry to say, your Mail setup for your Exchange Server is not correct!

    It seems to work, but you are doing odd things here:

    1. Under "Relaying/Host based relay" there should be ONLY one entry for "Allowed hosts/Networks": your internal mailserver, which is the Exchange-Server. Since you already have created an object "Exchange Server", use this instead of the IP.

    2. Remove all other IPs listed there in your list of "Allowed hosts/networks" for "Host based relay". Hosts from these internal nets either have to use the internal mailer for sending mails, so they should use the Exchange-Server OR if you allow the use of an external mailservice (which I would only allow for certain net-segments like the GuestWIFI) then they should NOT use the "transparent proxy ports" because this will force them to your mail proxy, which is configured for your mail domains and will use the smarthost of your ISP, as I can see. I would not use transparent ports for mail traffic at all. If some device can't send mail, then debugging is much easier when you are not proxying transparently on the gateway.

    3. Setup firewall rules for the mail traffic needed for the devices using external mailservices and make sure there is a MASQ rule in place for that LAN segment. Proper DNS forwarding to resolve the external DNS name of the several mailservices is needed here, of course.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you very much for your explanation.  I will reconfigure this once my manager signs on. 

     

    One question however: With regards to "Transparent Proxy Ports" this is for SMTP ports but I have some users on IMAP and POP3 emails as well.  These devices are getting the same sort of error message, but I don't have transparent proxies set up for them?  Could this just be a DNS issue?

  • Hello Tyler,

    if, like you said, the error message at those clients is something like "smtp.xxx.com not found", this is almost certainly a DNS problem.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
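A client-side check that follows the order of the advice above (DNS first, then whether the firewall/MASQ path lets the connection out, then whether a transparent proxy is the one answering). This is an added example, not from any poster in this thread or from Sophos; it uses only the Python standard library, `smtp.example.test` is a placeholder for the provider's submission host, and the resolver and connector are parameters so the logic can be driven by fakes. The one rule it applies on port 465 comes from RFC 8314: an SMTPS server speaks TLS before sending anything, so a cleartext 220 greeting on 465 means something other than the provider (for instance a transparent SMTP proxy) answered.

```python
import socket
import sys

# Ports a client may use for outbound mail. 465 is TLS-on-connect (RFC 8314):
# a genuine SMTPS server sends nothing in cleartext before the TLS handshake.
SMTP_PORTS = (25, 465, 587)


def resolve(host, resolver=socket.getaddrinfo):
    """Addresses the local resolver returns for host; [] is the
    'cannot find the mail server' symptom the clients report."""
    try:
        infos = resolver(host, None, 0, socket.SOCK_STREAM)
    except OSError:  # socket.gaierror (NXDOMAIN, no DNS server) is an OSError
        return []
    return sorted({info[4][0] for info in infos})


def probe_port(host, port, connector=socket.create_connection, timeout=5.0):
    """TCP-connect to host:port and read the greeting, if any.

    status is one of:
      'banner'  - something answered in cleartext (text in 'banner')
      'silent'  - connected, nothing arrived within the timeout (expected on 465)
      'refused' / 'timeout' - no connection at all (firewall rule or NAT/MASQ gap)
    """
    try:
        with connector((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except (socket.timeout, TimeoutError):
                return {"status": "silent", "banner": ""}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": ""}
    except OSError:
        return {"status": "timeout", "banner": ""}
    banner = data.decode("ascii", errors="replace").strip()
    return {"status": "banner" if banner else "silent", "banner": banner}


def verdict(ports):
    """Collapse the per-port results into one word for the help desk."""
    p465 = ports.get(465)
    if p465 and p465["status"] == "banner":
        # Cleartext greeting on the SMTPS port: the provider would wait for TLS,
        # so a middlebox (e.g. a transparent SMTP proxy) answered instead.
        return "intercepted"
    if ports and all(r["status"] in ("refused", "timeout") for r in ports.values()):
        return "blocked"
    return "reachable"


def diagnose(host, ports=SMTP_PORTS, resolver=socket.getaddrinfo,
             connector=socket.create_connection):
    """Check in the order the symptoms suggest: DNS first, then each port."""
    report = {"host": host, "addresses": resolve(host, resolver), "ports": {}}
    if not report["addresses"]:
        report["verdict"] = "dns"  # fix DNS forwarding before touching anything else
        return report
    for port in ports:
        report["ports"][port] = probe_port(host, port, connector)
    report["verdict"] = verdict(report["ports"])
    return report


if __name__ == "__main__":
    # Placeholder host; pass the provider's real submission host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.test"
    result = diagnose(target)
    print(f"{target}: {result['verdict']}  addresses={result['addresses']}")
    for port, r in result["ports"].items():
        print(f"  {port:>3} {r['status']:8} {r['banner']}")
```

Run it from a wifi client: a "dns" verdict points at the forwarding/resolution problem described above, "blocked" at the missing firewall or MASQ rule for that segment, and "intercepted" at a transparent proxy port still catching the traffic. On 25 and 587 the banner is printed so you can compare it with the provider's by eye.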

  • IMAP and POP are both protocols for incoming mail whereas SMTP is outgoing, that may be a difference.

    That being said, I think by modifying your setup as discussed above you should be able to achieve that your wireless clients can send through their personal email servers. However, you should be really cautious in allowing this type of email traffic, since if you're unlucky one of these devices might get your public IP address on a blacklist, and then your (outgoing) company mail will also suffer from this.

    In our network we don't allow any outgoing smtp traffic to private mailservers at all. If our employees feel the need to send private emails, then they can do so using their mobile internet connection. You really don't want to end up on a blacklist due to devices that are not being managed by your company.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I totally agree with apijnappels!

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.