
Setup Sophos UTM 9 as a smart host to relay to Mimecast

Hi

We currently have 2x UTM 9 on different sites and have an issue with our outbound mail flow in a DR scenario.

The mail flows fine through our primary site but we cannot get it to route through to the secondary site, so I guess this is a routing issue of some sort.

We have got inbound mail working ok via both sites, so I think we need to redesign the outbound somehow.


The current Exchange setup has one send connector which specifies 2 Mimecast DNS entries as its smart hosts. When doing a telnet you can hit these fine.

What we would like to do is change the send connector's smart hosts to point to the internal address of the UTMs at each site instead.

This would hopefully give the flexibility we need for outbound mail in a DR scenario, unless there is a better way of doing it?

I have tried doing a telnet to the internal IP address of the UTM on port 25 but it does not work.

So I am after some advice on the best practice for the UTM to relay SMTP traffic from our Exchange servers' IP addresses directly to Mimecast.

We do not need any additional functionality that the UTM has in regards to email scanning etc as this is already done for us.

I have taken a look on the community and come across similar situations, but I would like some more clarity on how to do this please.

Any advice is gratefully received.



  • Hi and welcome to the UTM Community!

    First, those two FQDNs both have the same six A records and use the same four authoritative name servers, so I would think that only one of the two is needed.

    Are the UTMs' SMTP Proxies configured?

    I'm confused as to what you mean by "mail flows fine though our primary site but we cannot get it to route through to the secondary site" - is this an Exchange issue or an email client issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thanks for the reply.

    I think originally we added the 2x Mimecast addresses for added resilience, but we can take one of these out.

    We have an on-premise Exchange 2016 system for email currently.

    We are not currently using the email functionality of the UTMs, but this is something we are now investigating with this issue.

    The idea is to change the send connector on Exchange to point to both the UTM addresses.

    I guess then use the email functionality of the Sophos UTM to get this to then route/proxy all SMTP traffic to Mimecast.

    The issue we are experiencing is on the Exchange side, not the client side.

    An issue we experienced where this happened was when we lost internet connectivity to the primary UTM: our Exchange server still sent mail this way, as the infrastructure could still see the default gateway.

    If the UTM went offline our infrastructure is set to change the DGW to our DR site UTM if that makes sense.

    So I am looking at an option on the send connector side of Exchange to point to both of the UTMs rather than route mail directly to Mimecast through them.

    We have an issue with our primary site UTM and have a ticket open with Sophos for a different issue, and we need to be able to fail services over; this is why we are trying to resolve this first.

    On a different note, if we use the SMTP proxy/relay are you able to set this to use a public-facing IP address instead of the firewall's external interface IP?

    Thank you for your help so far.

    Rgds

    Ben

  • I think I'm not following, Ben.  Some questions:

    1. If your WAN connection is down, how do you reach the second site?
    2. Is the second site a DR site with an Exchange server that is continually replicated from the Exchange in the primary site?

    Depending on the answers, the solution may be as simple as using an Availability Group in an SNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 1. Our second site has resilient LES circuit links which allow the primary and DR site to connect directly.

    2. There is a failover exchange server on the DR site in case of a full datacentre fail.

    I think we have managed to work this out for resilient outbound mail flow now, with your availability group and SNAT/DNAT idea, instead of using the default gateway on the primary site or using the SMTP functionality module of the UTM.

    We have set up the firewall on the UTMs to listen for port 25 traffic on its internal eth for specific internal IP addresses on the network, these being the Exchange servers.

    The UTM will route any SMTP traffic outbound to our Mimecast cloud account directly via its external interface.

    Mimecast is set to accept SMTP traffic from one of our public-facing IP addresses at each site, which the UTM uses.

    On the Exchange servers I can telnet from the Exchange server to the internal IP address of the UTM at each site and get a response from the Mimecast servers.

    This will now allow me to put the UTM internal eth IPs at each site as the smart host in Exchange for the outbound mail flow.

    Using one smart connector, if there is an issue that is beyond the UTM it is easy to remove one of these IPs from outbound mail flow.

    It should also load balance the outbound mail via the 2 different connections now.

    Many thanks
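The check Ben describes above (connect to the UTM's internal IP on port 25 and confirm the reply actually comes from the upstream Mimecast relay) can be scripted so it is repeatable from each Exchange server after a failover. This is an added example, not code from the thread or from Sophos or Mimecast; the expected banner token, the EHLO name and the sample replies are constructed placeholders.

```python
"""Verify that a smart host (e.g. a UTM internal IP with a DNAT to the
upstream provider) really hands the session to that provider."""
import socket

def parse_smtp_reply(raw):
    """Split a raw (possibly multi-line) SMTP reply into (code, [text lines])."""
    code, lines = None, []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            continue
        this = int(line[:3])
        if code is None:
            code = this
        elif this != code:
            raise ValueError(f"inconsistent reply codes {code}/{this}")
        lines.append(line[4:])  # drop the "250-" or "250 " prefix
    if code is None:
        raise ValueError("no SMTP reply found in input")
    return code, lines

def assess_relay(banner_raw, ehlo_raw, expected_token):
    """Pure check on captured replies: is the upstream relay answering?"""
    bcode, blines = parse_smtp_reply(banner_raw)
    ecode, elines = parse_smtp_reply(ehlo_raw)
    return {
        "banner_ok": bcode == 220,
        # heuristic: provider name should appear in the greeting hostname
        "upstream_seen": bcode == 220 and expected_token.lower() in blines[0].lower(),
        "ehlo_ok": ecode == 250,
        "starttls": ecode == 250 and any(l.upper() == "STARTTLS" for l in elines),
    }

def _read_reply(sock):
    """Read until the final reply line (code followed by a space, not a dash)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            break
    return buf.decode("ascii", "replace")

def check_smarthost(host, port=25, expected_token="mimecast", timeout=10):
    """Live check against the smart host; EHLO name is a constructed placeholder."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_reply(s)
        s.sendall(b"EHLO relaycheck.invalid\r\n")
        ehlo = _read_reply(s)
        s.sendall(b"QUIT\r\n")
    return assess_relay(banner, ehlo, expected_token)
```

Run `check_smarthost("<utm-internal-ip>")` from each Exchange server; a `banner_ok` of False or `upstream_seen` of False means the DNAT/SNAT path at that site is not delivering to the provider, and `starttls` False means the relay is offering only cleartext.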