Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 63361 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to Setup?

UserD
hello,

i have a question how to setup the mail security?
we have a exchange internal.
do i need to change anythink on the exchange?
is the a how to anywhere?
is search in the astaro kb but found nothing.

thanks
D.


This thread was automatically locked due to age.
  • 0

    Basic Exchange setup with SMTP Proxy

    The smart host setting in the SMTP Connector in Exchange Manager must point to the "Internal (Address)" of the Astaro. If you already had a different setting in Exchange, pointing at an external smart host that you must use, you must transfer that to the Astaro's 'Smarthost settings' at the bottom of the 'Advanced' tab.

    Other than that, here's the basic Exchange installation by tab:

    • - 'Global': "Simple mode"
    • - 'Routing': Add yourdomain.com to 'Domains', choose 'Route by' "Static host list" and add the host definition for your Exchange server. 'Verify recipients' "with callout."
    • - 'AntiVirus': should be OK as delivered
    • - 'AntiSpam': 'Reject at SMTP Time' "Confirmed Spam." Check 'Use recommended RBLs'. For your 'Spam filter' selections, click on the ? at the top of the page to read the help and decide for yourself. All of the 'Advanced anti-spam features' should be selected. I usually deselect 'Greylisting', but others here like it.
    • - 'Exceptions': should be OK as delivered
    • - 'Relaying': If your Exchange server also receives mail via an upstream host, you'll need to add the upstream host to the list at the top. Add the host definition for Exchange to 'Host-based relay'; don't include your internal network. Do leave 'Authenticated relay' empty. At the bottom, select to have outgoing mail scanned.
    • - 'Advanced': Don't select 'Use transparent mode'! In 'Advanced settings', modify if needed the 'SMTP hostname' and/or 'Postmaster address'


    Don't forget to disable any DNAT that was forwarding inbound SMTP to Exchange or to a different anti-spam device as that takes precedence over the SMTP Proxy. If you want outbound mail to leave with the IP of an Additional Address named "Mail," you will need to 'SNAT : Any -> SMTP -> Internet : from External [Mail] (Address)'.

    Et voilà!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    The simplest configuration is simply to enable SMTP scanning and select Transparent Mode on the Advanced tab, then specify your Exchange server as the internal destination on the Routing tab.

    If you want to force your LAN clients to send outbound mail via your Exchange server, then add only your server to the Host-Based Relay list on the Relaying tab, else add your internal network.

    The only thing you might need to change on your exchange server would be to eliminate your Astaro's address from any RBL checking, since it will now appear as the last hop on all incoming SMTP traffic.
  • 0
    Bob,

    I posted a reply myself but noticed that you had beaten me to it and that some of my recommendations conflicted with yours.  So I deleted mine to avoid confusion, figuring it was better to discuss the differences than post conflicting suggestions.

    The specific differences are in your last two bullets.  I have mine set up in transparent mode, and I have my internal networks specified in the "Host-based relay" list.  If transparent mode is turned off, now does the proxy intercept the traffic?   With a web proxy, one can configure the client browsers to point to the proxy, but how does one do that for SMTP?  Or does it intercept port 25 traffic anyway, in which case isn't the Transparent setting redundant?

    Do you not allow internal networks to relay, in order to force them to send via the internal server?

    My setup has always worked for me, but if it's not the best way to do it, then I'm eager to learn.

    Cheers,
      Jon.
  • 0
    Well, since I didn't go to OU, I can say it: it's great having your particpation here, Jon! [;)]  Learning, teaching and helping - that's what this place is about!

    The idea of the 'Relaying' tab is, "What SMTP traffic coming to me (the SMTP Proxy) am I allowed to relay?"  In an Exchange environment, this is usually just the Exchange server itself.  Having 'Transparent' enabled or including 'Internal (Network)' in 'Host-based relay' means that any infected PC can send thousands of solicitations an hour for your most-un-favorite Nigerian fraudster.

    With only the host definition for Exchange in 'Host-based relay', the Proxy knows that that's the only source of SMTP it should accept for relaying, so, yes, that forces everyone to authenticate to the Exchange server.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Should we also disable DNAT that was forwarding inbound IMAP to the local Exchange server?

  • 0 in reply to BenoitLambert

    The UTM's Email Protection does not (yet!) include an IMAP proxy, so your DNAT for that remains necessary.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    sorry for returning to this old thread, but I am a bit confused on the Transparent mode or not. Following the question from "" I also would enable Transparent mode to intercept all port 25 traffic - no hosts in "Skip Transparent Mode Hosts/Nets". Otherwise you will need to DNAT to the internal mail server.

    Yes, only internal mailserver in Allowed SMTP hosts on the Relaying tab.

    Am I missing something here?

    /Claus, DK

  • 0 in reply to Claus BrochChristensen

    Transparent mode isn't needed to avoid DNAT, Claus.  All SMTP traffic from the Internet that hits an Interface with a default gateway will be captured by the SMTP Proxy without Transparent mode.  SMTP traffic from the internal mailserver will be captured by the SMTP Proxy without Transparent mode.

    In Transparent mode, the SMTP Proxy will also capture all SMTP Traffic that hits Interfaces without a default gateway.  This can allow infected PCs to spam the world and get your IP onto many RBLs.  I recommend using Transparent only for debugging purposes and leaving it off virtually all of the time.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML