I have a kludge way for this to work. Not exactly as you want, but better than nothing.
1) No DNAT Rule
2) You will need to create a user account for each of your remote workers on the Astaro. Either use backend auth or have it be a separate local account, but the password MUST match the one entered into their email client. I believe that the username is case sensitive for Astaro as well (had an issue with this a long time ago, maybe it's resolved now, but I still just make certain that the account entered in Astaro and the email client have matching case).
3) Add these user accounts to the authenticated relay box.
When a remote user tries to send an email, they will be authenticated against Astaro, which will then forward the email onto your internal email server. This way you get security from unauthorized relay and filtering capabilities.
It would be great if Astaro could do filtering AND forward authentication requests onto the mail server, but that capability just doesn't exist that I've been able to figure out.
I have the same problem.
My scenario:
Linux mail server with virtual users/domains
Before I enabled the SMTP proxy in Sophos I used NAT rules from WAN to LAN for all the email ports I need; the problem: SpamAssassin and ClamAV on the mail server.
So I enabled SMTP protection:
simple mode
routing settings:
domains: my.com
host list: lan ip of my mail server
verify recipients: with callout
relaying settings:
checked authenticated users
create a local user in Sophos for relaying
allow hosts: mail server lan ip
advanced settings:
not use transparent
created CA in StartCom SSL and configured it for TLS
On my mail server, configured the relay configuration to use the Sophos SMTP (authentication for Sophos SMTP with the local user that I created)
testing:)
When I send mail from Gmail to xxx@my.com > working good; Sophos checks the recipient in the internal mail, scans the mail and delivers it to the internal mail to the recipient.
When I send mail from my webmail (my webmail is on the mail server, same server!!!), it works well; it uses the Sophos relay, all scans working.
BUT I can't use a mail client like Outlook anymore; when I configure SMTP in Outlook, it doesn't authenticate with the mail server, it tries to authenticate with Sophos SMTP...
I don't agree with the approach that atv insisted on taking six years ago. Try what I suggested...
Cheers - Bob