
email protection (incoming) for mail server in DMZ (DNAT) with own public IP

UTM 9.702

Hello

I apologize if this email protection related setup question has already been answered elsewhere - I just did not find an answer that seems to suit our setup.

We have an email server behind the UTM in a private DMZ network, and it has its own public IP address, so we do DNAT/SNAT with manual firewall rules. We want incoming (only incoming) email to be processed by the UTM email protection functionality. We had configured the incoming manual firewall rules like:

- any to mail-DMZ with: imap, imap SSL, smtp, smtp SSL

This worked so far for normal operation without email protection enabled. Now we have enabled the UTM email protection as follows:

- Transparent mode : off

- Simple Mode : on

- Listen Interfaces : All interfaces (for the moment)

- Routing|Domains : entered all our domains like "ourdom.net"

- Routing|Route by : Static host list

- Routing|Host List : mail-DMZ (private IP in DMZ of mail server)

With this email protection setting we disabled the smtp service in the above firewall rule. Incoming smtp traffic to the mail server stopped instantly (as expected), but no incoming smtp traffic was intercepted by the UTM email protection nor routed toward our mail server (as the UTM email protection live log shows). So there is a missing part in our setup - I guess the UTM email protection is not "listening" on the public IP of our mail server, although at the interface level the email protection is listening on all interfaces.

Many thanks for any hint. Best regards,

André


  • You mention you have disabled the SMTP rule in the firewall, but did you also remove the NAT rules? NAT rules are processed among the very first rules, and if a NAT rule is applied then the email protection will not be used.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello Bob, hello apijnappels

    Many thanks for responding.

    Before posting my question, I followed the mentioned post "Basic Exchange setup with SMTP Proxy". I do not see any difference in my setup - I do not use any upstream host, thus relaying is not activated.

    My DNAT rule in the Network Protection/NAT/NAT section is configured as follows:

    - Any [source], Any [service], public IP mail-server [going to], DNAT to DMZ private IP mail-server, Automatic Firewall rule off.

    As I turned the creation of "Automatic Firewall rule" off, I have in the section Network Protection/Firewall the following rule to allow incoming traffic:

    - Any [source], imap, imap SSL, smtp, smtp SSL [services], DMZ private IP mail-server [destination], allow [action]. (And no automatic firewall rule for the DNAT entry.)

    Actually the "smtp" service is included in the above firewall rule so that incoming email traffic works. If I delete the smtp service from the rule, obviously the incoming smtp traffic is not passed to our mail server in the DMZ. But at this point the email protection should take over the incoming smtp email traffic and route the processed emails to the mail server in the DMZ. Unfortunately no incoming mail traffic is processed nor routed to the mail server in the DMZ, thus the incoming smtp email traffic is broken until I reinsert the smtp service in the above firewall rule. If the email protection logic "triggers" after all NAT and firewall rules, then with smtp disabled in every firewall rule the smtp traffic should arrive at the email protection at the end of the rule list, but that seems not to be the case.

    So I have to assume there is something missing in my setup. Does the email protection explicitly listen also on the other public IPs on the incoming interface, or does it listen only on the UTM's own IP (gateway IP)?

    Many thanks again and best regards,

    André
  • That's a very long answer, but I still think the DNAT rule is the culprit; you have a DNAT rule that is simply sending any (I would never ever do this) traffic to the mail server. The fact that this traffic is not allowed means that it never reaches the mail server and is dropped, but since the DNAT is still there it will never arrive at the mail protection. Switch off the DNAT and it should work.

    Also if you just forward the necessary ports in a DNAT and tick auto firewall rule, then only those ports are NATted and allowed. If you disable the DNAT the firewall rules are also automatically disabled, if you delete the DNAT the firewall rules are also deleted so I would advise to use Auto firewall rules for DNAT.



  • Hello apijnappels

    Many thanks again. I made the changes you suggested in your last post:

    - disabled the above manual firewall rules for incoming email traffic

    - disabled the above DNAT entry (Any, Any [service], to DMZ IP mail-server)

    Then I made the settings as you mentioned:

    - new DNAT entry: Any [source], specific* [service], public IP mail-server [going to], DNAT to DMZ private IP mail-server, Automatic Firewall rule "on".

    - created the specific* service group for: imap, imap SSL, smtp, smtp SSL.

    Then I did the following:

    - Tested for correct direct DNAT of incoming smtp traffic > it works as with the other setting (smtp allowed in the firewall rule).

    - Deleted smtp from the specific* service group > incoming smtp traffic is blocked and the UTM email protection does not take over the processing and routing. No entry in the live log for receiving or processing any incoming traffic.

    - Reinserted smtp in the specific* service group > direct incoming smtp traffic starts working again, but no email protection is working as expected.

    Best regards,

    André
  • Did you also try to completely disable the DNAT rule and see if in that scenario mail protection does kick in?



  • OK, André, I suspect an error in the Proxy configuration. On the 'Routing' tab, is your domain name entered correctly? Is the IP of the Host definition in the 'Host List' correct?

    If those are correct, show us up to 100 lines of the SMTP log when you have the Proxy enabled and the traffic not captured by a DNAT. In fact, rather than modifying your Any -> Any rule, you can just put a No NAT rule above it like 'No NAT : Any -> {24, 456, 587} -> External [Mail] Address'. Enabling that will allow the SMTP Proxy to handle those Services, and disabling it will let your DNAT capture that traffic.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
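The rule-order point made in the two replies above (a matching DNAT rewrites the packet before the firewall and before the UTM's own SMTP proxy ever sees it, and a No NAT rule placed above the DNAT hands the port back to the proxy) can be illustrated with a small simulation. This is an added example, not UTM code and not anything posted in the thread: the `Rule`/`Utm` classes, the IP addresses (taken from documentation ranges), the assumption that the SMTP proxy claims port 25 only, and the use of the standard ports 25, 465 and 587 for the No NAT rule are all constructed for the illustration.

```python
"""Toy model of the packet path described in this thread: NAT table first,
then firewall, then (only for traffic that was not DNATted) the UTM's own
SMTP proxy. Added illustration, not Sophos code; addresses, ports and
class names are assumptions constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

ANY = "any"
Ports = Union[Set[int], str]          # a set of TCP ports, or ANY

PUBLIC_MAIL = "203.0.113.25"          # constructed: public IP of the mail server
DMZ_MAIL = "10.10.10.25"              # constructed: private DMZ IP of the mail server


@dataclass
class Rule:
    kind: str                         # "dnat" or "nonat"
    dst_ip: str                       # "going to" address the rule matches on
    ports: Ports                      # service group (set of ports) or ANY
    target: Optional[str] = None      # DNAT destination; unused for No NAT
    enabled: bool = True

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if not self.enabled or self.dst_ip != dst_ip:
            return False
        return self.ports == ANY or dst_port in self.ports


@dataclass
class Utm:
    nat_rules: List[Rule]             # evaluated top to bottom, first match wins
    firewall_allow: Ports = ANY       # what the firewall lets through to the DMZ host
    proxy_on: bool = True             # Email Protection > SMTP enabled
    proxy_ports: Set[int] = field(default_factory=lambda: {25})  # assumption

    def process(self, dst_ip: str, dst_port: int) -> str:
        # Step 1: NAT table. A matching DNAT rewrites the destination, so the
        # packet is no longer addressed to the UTM and the SMTP proxy never
        # sees it. A matching No NAT rule ends NAT processing and leaves it alone.
        for rule in self.nat_rules:
            if not rule.matches(dst_ip, dst_port):
                continue
            if rule.kind == "nonat":
                break
            allowed = self.firewall_allow == ANY or dst_port in self.firewall_allow
            return f"dnat->{rule.target}" if allowed else "dropped"
        # Step 2: not rewritten, so a local service may claim the port.
        if self.proxy_on and dst_port in self.proxy_ports:
            return "smtp-proxy"
        return "dropped"


def scenario_any_dnat_smtp_not_allowed() -> str:
    """Original setup after smtp was removed from the manual firewall rule:
    the Any/Any DNAT still catches port 25, so it is rewritten, then dropped."""
    utm = Utm(nat_rules=[Rule("dnat", PUBLIC_MAIL, ANY, DMZ_MAIL)],
              firewall_allow={143, 993, 465})
    return utm.process(PUBLIC_MAIL, 25)


def scenario_nonat_above_any_dnat() -> str:
    """A No NAT rule for the SMTP ports placed above the Any/Any DNAT."""
    utm = Utm(nat_rules=[Rule("nonat", PUBLIC_MAIL, {25, 465, 587}),
                         Rule("dnat", PUBLIC_MAIL, ANY, DMZ_MAIL)])
    return utm.process(PUBLIC_MAIL, 25)


def scenario_leftover_any_dnat_copy() -> str:
    """smtp removed from the specific service group, but a forgotten copy of
    the Any/Any DNAT further down the list is still enabled."""
    utm = Utm(nat_rules=[Rule("dnat", PUBLIC_MAIL, {143, 993, 465}, DMZ_MAIL),
                         Rule("dnat", PUBLIC_MAIL, ANY, DMZ_MAIL)],  # leftover copy
              firewall_allow={143, 993, 465})
    return utm.process(PUBLIC_MAIL, 25)


def scenario_final() -> Dict[int, str]:
    """Specific DNAT (imap, imap SSL, smtp SSL) with automatic firewall rule,
    leftover copy disabled: port 25 reaches the proxy, the rest is DNATted."""
    utm = Utm(nat_rules=[Rule("dnat", PUBLIC_MAIL, {143, 993, 465}, DMZ_MAIL),
                         Rule("dnat", PUBLIC_MAIL, ANY, DMZ_MAIL, enabled=False)],
              firewall_allow={143, 993, 465})
    return {p: utm.process(PUBLIC_MAIL, p) for p in (25, 993, 465, 587)}


if __name__ == "__main__":
    print("Any/Any DNAT, smtp not allowed:", scenario_any_dnat_smtp_not_allowed())
    print("No NAT above Any/Any DNAT:     ", scenario_nonat_above_any_dnat())
    print("forgotten Any/Any DNAT copy:   ", scenario_leftover_any_dnat_copy())
    print("final configuration:           ", scenario_final())
```

Run it directly to print the four outcomes. The useful habit it encodes: before blaming the proxy configuration, walk the NAT table top to bottom for the public address and port 25, including disabled-looking duplicates, because the first enabled match decides whether the proxy ever gets the connection.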
  • Hello apijnappels and Bob

    Many thanks again for your effort, I appreciate that very much.

    I have to admit that in the end the UTM email protection could not take over because I had overlooked a copy of the DNAT rule Any, Any to mail-server that was still enabled. After disabling this DNAT rule, the email protection now takes all incoming SMTP traffic as it should. My configuration now is:

    - DNAT entry: Any [source], specific* [service], public IP mail-server [going to], DNAT to DMZ private IP mail-server, Automatic Firewall rule "on".

    - specific* service group for: imap, imap SSL, smtp SSL.

    So far it works correctly now. Lastly, in the Email Protection|SMTP|Advanced tab I also changed the FQDN from the UTM's name to the FQDN of the mail server so that the UTM presents itself in the HELO messages as our email server.

    Finally, there is one remaining problem: the UTM email protection seems to refuse incoming smtp traffic/emails that have the public IP of the UTM in the message header. This is the case if I send a message over an external foreign server account (mail client is Thunderbird) via 587 to my email address and account on our internal mail server. The UTM rejects this message, claiming the "message body has been probably altered in transition". Our mail server never had a problem with this, although it is very strict about correct message headers.

    Best regards,

    André

  • Hi André,

    Since this is a different question, it's best for you to create a new topic so everyone else who's looking for similar problems can more easily find the right topic for questions.

    Also in the new topic please be more specific as to how you are sending this mail: Is it from a remote internet connection while still using the UTM as SMTP gateway to send out this mail or is it something different? But please do so in a new topic to keep things clear.

