
email protection (incoming) for mail server in DMZ (DNAT) with own public IP

UTM 9.702

Hello

I apologize if this email protection related setup question has been answered already elsewhere - I just did not find an answer that seems to suit our setup.

We have an email server behind the UTM in a private DMZ network and it has its own public IP address. So we do DNAT/SNAT with manual firewall rules. We want incoming (only incoming) email to be processed by the UTM email protection functionality. We had configured the incoming manual firewall rules like:

- any to mail-DMZ with: imap, imap SSL, smtp, smtp SSL

This worked so far for normal operation without email protection enabled. Now we have enabled the UTM email protection as following:


- Transparent mode : off

- Simple Mode : on

- Listen Interfaces : All interfaces (for the moment)

- Routing|Domains : entered all our domains like "ourdom.net"

- Routing|Route by : Static host list

- Routing|Host List : mail-DMZ (private IP in DMZ of mail-server)


With this email protection setting we disabled the smtp service in the above firewall rule. Incoming smtp traffic stopped instantly to the mail server (as expected) but no incoming smtp traffic was intercepted by the UTM email protection nor routed toward our mail-server (as the UTM email protection live log shows). So there is a missing part in our setup - I guess the UTM email protection is not "listening" on the public IP of our mail-server, although the email protection is listening on the interface level on all interfaces.

Many thanks for any hint. Best regards,

André


  • You mention you have disabled the SMTP rule in firewall but did you also remove the NAT rules? NAT rules are being processed as one of the first rules and if the NAT rule is applied then the email protection will not be used.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello Bob, hello apijnappels

    Many thanks for responding.

    Before posting my question, I followed the mentioned post "Basic Exchange setup with SMTP Proxy". I do not see any difference in my setup - I do not use any upstream host, thus relaying is not activated.

    My DNAT rule in the Network Protection/NAT/NAT section is configured as following:

    - Any [source], Any [service], public IP mail-server [going to], DNAT to DMZ private IP mail-server, Automatic Firewall rule off.

    As I turned the creation of "Automatic Firewall rule" off I have in the section Network Protection/Firewall the following rule to allow incoming traffic:

    - Any [source], imap, imap SSL, smtp, smtp SSL [services], DMZ private IP mail-server [destination], allow [action]. (and no automatic firewall rule for the DNAT entry).

    Actually the "smtp" service is included in the above firewall rule so that incoming email traffic works. If I delete the smtp service from the rule, obviously the incoming smtp traffic is not passed to our mail-server in the DMZ. But at this point the email protection should take over the incoming smtp email traffic and route the processed emails to the mail-server in the DMZ. But unfortunately no incoming mail traffic is processed nor routed to the mail-server in the DMZ, thus the incoming smtp email traffic is broken until I reinsert the smtp service in the above firewall rule. If the email protection logic "triggers" after any NAT and firewall rule, smtp traffic should arrive at the email protection with smtp disabled on any firewall rule at the end of the rules list, but that seems not to be the case.

    So I have to assume there is something missing in my setup. Does the email protection explicitly listen also on the other public IPs on the incoming interface, or does it listen only on the UTM's own IP (gateway IP)?

    Many thanks again and best regards,

    André

  • That's a very long answer but I think still the DNAT rule is the culprit; you have a DNAT rule that's simply sending any (I would never ever do this) traffic to the mail server. The fact that this traffic is not allowed means that it never reaches the mailserver and is dropped, but since the DNAT is still there it will never arrive at the mail protection. Switch off the DNAT and it should work.

    Also if you just forward the necessary ports in a DNAT and tick auto firewall rule, then only those ports are NATted and allowed. If you disable the DNAT the firewall rules are also automatically disabled, if you delete the DNAT the firewall rules are also deleted so I would advise to use Auto firewall rules for DNAT.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello apijnappels

    Many thanks again. I did the changes you suggested in your last post:

    - disabled the above manual firewall rules for incoming email traffic

    - disabled the above DNAT entry (any, any [service], to DMZ IP mail-server)

    Then I made the settings as you mentioned:

    - new DNAT entry: Any [source], specific* [service], public IP mail-server [going to], DNAT to DMZ private IP mail-server, Automatic Firewall rule "on".

    - created specific* service group for: imap, imap SSL, smtp, smtp SSL.

    Then I made the following:

    - Tested for correct direct DNAT incoming smtp traffic > it works like with the other setting (smtp allow in the firewall rule).

    - Deleted smtp from the specific* service group > incoming smtp traffic is blocked and UTM email protection does not take over the processing and routing. No entry in the live log for receiving or processing any incoming traffic.

    - reinserted smtp in the specific* service group > direct incoming smtp traffic starts working again, but no email protection is working as expected

    Best regards,

    André


  • Did you also try to completely disable the DNAT rule and see if in that scenario mail protection does kick in?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
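The thread turns on which system actually answers an inbound connection on tcp/25 of the mail server's public IP: the UTM's SMTP proxy, the DNAT'd mail server in the DMZ, or nothing at all (DNAT applied, then dropped by the firewall). A quick way to tell the three cases apart from an outside host is to read the SMTP greeting and compare the hostname in it against the names you expect the UTM and the mail server to announce. The script below is an added example written for this purpose; it is not code from the thread, from Sophos, or from the UTM. The hostnames `utm.ourdom.net` and `mail.ourdom.net` and the greeting texts are placeholders I constructed; substitute the names your own systems present in their 220 banner.

```python
"""Probe tcp/25 on a public IP and report whether the SMTP greeting comes from
the UTM proxy, from the DNAT'd mail server, or whether nothing answers.

Added example (not from the thread or from Sophos). Hostnames are placeholders.
"""
import re
import socket
import sys

# Greeting line: 3-digit code, space or '-' (multi-line greeting), hostname, optional text.
BANNER_RE = re.compile(r"^(\d{3})[ -](\S+)(?:\s+(.*))?$")


def parse_smtp_banner(line: str):
    """Split '220 mail.ourdom.net ESMTP ready' into (220, 'mail.ourdom.net', 'ESMTP ready').

    Returns None when the line is not shaped like an SMTP reply at all."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    code, host, rest = m.groups()
    return int(code), host.lower(), (rest or "")


def classify_banner(line: str, proxy_hosts, mailserver_hosts) -> str:
    """Return 'proxy', 'mailserver' or 'unknown' for a greeting line.

    The caller supplies the hostnames the UTM and the mail server announce;
    the function makes no assumption about what either product says."""
    parsed = parse_smtp_banner(line)
    if parsed is None or parsed[0] != 220:
        return "unknown"
    host = parsed[1]
    if host in {h.lower() for h in proxy_hosts}:
        return "proxy"
    if host in {h.lower() for h in mailserver_hosts}:
        return "mailserver"
    return "unknown"


def fetch_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect, read the first greeting line, send QUIT, return the greeting.

    Raises OSError (timeout / connection refused) when nothing accepts the
    connection, which is what 'DNAT matched but firewall dropped it' looks like
    from the outside."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        line = s.makefile("rb").readline().decode("ascii", "replace")
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass  # we already have what we came for
        return line.rstrip("\r\n")


def check(public_ip: str, proxy_hosts, mailserver_hosts, port: int = 25):
    """Live check: ('proxy'|'mailserver'|'unknown'|'no-answer', detail)."""
    try:
        banner = fetch_banner(public_ip, port)
    except OSError as exc:
        return "no-answer", str(exc)
    return classify_banner(banner, proxy_hosts, mailserver_hosts), banner


if __name__ == "__main__":
    # usage: python smtp_probe.py <public-ip> <utm-hostname> <mailserver-hostname>
    if len(sys.argv) != 4:
        sys.exit("usage: smtp_probe.py PUBLIC_IP UTM_HOSTNAME MAILSERVER_HOSTNAME")
    verdict, detail = check(sys.argv[1], [sys.argv[2]], [sys.argv[3]])
    print(f"{verdict}: {detail}")
```

Run it from a host outside the UTM (a probe from the DMZ or LAN side never passes the inbound DNAT and proves nothing). "mailserver" means the DNAT is still delivering port 25 straight to the DMZ host, "proxy" means the email protection has taken over the connection, and "no-answer" matches the state André describes after removing smtp from the DNAT service group: the connection is diverted by the DNAT, then dropped, and never reaches the proxy.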
