

Sophos UTM Email Protection Setup Network Design

Hi All,

I am new to Sophos UTM Email Protection and need some assistance from the experts. I have my Sophos UTM (multiple subscriptions, e.g. WAF, Email Protection etc.) in DMZLAN, and the (internal) Email Servers are also in DMZLAN. All network segments are using another Firewall as Gateway.

To ensure that both incoming and outgoing Emails are secured/processed by Sophos UTM Email Protection, what do I have to do on the Firewall (Gateway) or on Sophos UTM (apart from configuring the Email Protection section described in the "Basic Exchange setup with SMTP Proxy" community blog)?

So my main question is how/what traffic to redirect to Sophos UTM, as it is not the Default GW for incoming/outgoing Email traffic. Can someone please elaborate detailed steps?



Thanks in advance

  • You should use the Sophos UTM IP as Smarthost in your Mailserver (so all mails flow outgoing to this IP/Sophos UTM) and allow the IP of the Mailserver as an allowed host for relay in the SMTP Profile (option relay) of the UTM (so that the UTM will accept the mails from your Mailserver).

    Additionally you have to check if your Mailserver needs an additional route to the Sophos UTM if your Mailserver uses another Gateway as Default GW. (Traffic UTM <-> Mailserver must be possible!)

    Hint: Also check your Domain E-Mail Spam-Settings (RDNS / SPF / MX) if your UTM should receive and send mails from/to the Internet. (mxtoolbox.com works well to check that)

    regards

    Steve


  • Hello,

    at least you need to forward tcp port 25 on your other firewall/gateway to the IP of the Sophos UTM so that external mails are reaching your new mail-gateway. I would do this with a DNAT on the other firewall.

    This is in addition to what Steve Weißflog already said.

    Next thing is to either route all outgoing traffic to the internet to your default-gateway, or to use a smarthost at your ISP. Either way, you will have to set up a firewall rule on your existing firewall to allow that traffic.

    When this is done, you can concentrate on the mail setup at your Sophos UTM. That's where we can help you further.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
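    The two replies above boil down to three things to verify: the UTM's SMTP profile must list the mail server as a relay host (Steve), the gateway must DNAT tcp/25 to the UTM's DMZ address (Philipp), and MX, SPF and reverse DNS must agree with the UTM's public address (Steve's mxtoolbox hint). As an added example that is not code from this thread, from Sophos or from the posters, the following Python script models those three checks offline. Every IP, hostname, relay entry, NAT rule and DNS answer in it is a constructed assumption (documentation/RFC 1918 ranges), not a value from the thread; the relay and DNAT tables are vendor-neutral stand-ins for what you would see in the UTM SMTP profile and on the gateway firewall, and the SPF evaluator only understands `ip4:`/`ip6:` mechanisms.

```python
"""
Offline sanity checks for the mail-flow design discussed in the thread:
  outbound: mail server -> UTM (smarthost); UTM must accept relay from the mail server
  inbound:  Internet -> gateway DNAT tcp/25 -> UTM in the DMZ
  DNS:      MX, SPF and PTR must all point at the UTM's public address
All values below are constructed sample data (assumptions), not taken from the thread.
"""
import ipaddress

# Constructed addresses (assumptions): 10.10.20.0/24 is the DMZLAN, 198.51.100.25 a
# documentation-range stand-in for the public IP the gateway NATs to the UTM.
UTM_DMZ_IP = "10.10.20.5"
MAILSERVER_DMZ_IP = "10.10.20.10"
UTM_PUBLIC_IP = "198.51.100.25"
MAIL_DOMAIN = "example.com"

# Stand-in for the UTM SMTP profile's relay "allowed hosts/networks" list (constructed).
RELAY_ALLOWED = ["10.10.20.10", "10.10.30.0/24"]

# Stand-in for the gateway firewall's DNAT table (constructed, vendor-neutral).
GATEWAY_DNAT = [
    {"proto": "tcp", "dst": "198.51.100.25", "dport": 25, "to": "10.10.20.5", "to_port": 25},
    {"proto": "tcp", "dst": "198.51.100.25", "dport": 443, "to": "10.10.20.5", "to_port": 443},
]

# Constructed DNS answers, shaped like what an mxtoolbox.com lookup would report.
DNS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("example.com", "TXT"): ["v=spf1 ip4:198.51.100.25 -all"],
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.com."],
}


def relay_allowed(source_ip, allowed):
    """Would the UTM relay mail from source_ip? True if it matches any host/network entry."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def dnat_target(rules, dst_ip, dport, proto="tcp"):
    """Where does the gateway forward traffic for dst_ip:dport? None if no DNAT rule matches."""
    for rule in rules:
        if rule["proto"] == proto and rule["dst"] == dst_ip and rule["dport"] == dport:
            return (rule["to"], rule["to_port"])
    return None


def spf_authorizes(record, ip):
    """Minimal SPF evaluation: only ip4:/ip6: mechanisms are understood.
    include:, a, mx and exists are not expanded and therefore never authorize."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return qualifier == "+"      # first matching mechanism decides
    return False


def check_dns(dns, domain, public_ip):
    """Return a list of problems with MX, SPF and forward-confirmed reverse DNS (empty = OK)."""
    problems = []
    mx_hosts = [rr.split()[1].rstrip(".") for rr in dns.get((domain, "MX"), [])]
    if not mx_hosts:
        problems.append("no MX record")
    for host in mx_hosts:
        if public_ip not in dns.get((host, "A"), []):
            problems.append(f"MX host {host} does not resolve to {public_ip}")
    spf = [txt for txt in dns.get((domain, "TXT"), []) if txt.startswith("v=spf1")]
    if len(spf) != 1:
        problems.append("expected exactly one SPF record")
    elif not spf_authorizes(spf[0], public_ip):
        problems.append(f"SPF does not authorize {public_ip}")
    ptr_names = [p.rstrip(".") for p in
                 dns.get((ipaddress.ip_address(public_ip).reverse_pointer, "PTR"), [])]
    if not ptr_names:
        problems.append(f"no PTR for {public_ip}")
    elif not any(public_ip in dns.get((name, "A"), []) for name in ptr_names):
        problems.append("PTR name does not resolve back to the IP (no FCrDNS)")
    return problems


if __name__ == "__main__":
    print("relay from mail server:", relay_allowed(MAILSERVER_DMZ_IP, RELAY_ALLOWED))
    print("inbound tcp/25 lands on:", dnat_target(GATEWAY_DNAT, UTM_PUBLIC_IP, 25))
    print("DNS problems:", check_dns(DNS, MAIL_DOMAIN, UTM_PUBLIC_IP) or "none")
```

    Swap the constructed tables for your own values and the three function calls at the bottom tell you, before any live test, whether outbound relay, the inbound DNAT and the public DNS records are consistent with one another; a non-empty list from `check_dns` is the same class of finding mxtoolbox.com would flag.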

  • Dear Steve,

    Thank you very much for your email. I am using ATMail version 6.5 (a bit old). I couldn't really find a smarthost IP option in the Web GUI (admin console). The Mail Server and Sophos Email Protection are in the same LAN and reachable.

  • Thanks, Philipp, for your reply as well. Really appreciate your help. I will configure port forwarding of SMTP traffic to Sophos UTM on my Gateway.

  • You can just google "ATMail 6.5" and "smarthost"...

    I don't know ATMail 6.5...