This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to Setup?

hello,

i have a question how to setup the mail security?
we have a exchange internal.
do i need to change anythink on the exchange?
is the a how to anywhere?
is search in the astaro kb but found nothing.

thanks
D.


This thread was automatically locked due to age.
Parents
  • Well, since I didn't go to OU, I can say it: it's great having your particpation here, Jon! [;)]  Learning, teaching and helping - that's what this place is about!

    The idea of the 'Relaying' tab is, "What SMTP traffic coming to me (the SMTP Proxy) am I allowed to relay?"  In an Exchange environment, this is usually just the Exchange server itself.  Having 'Transparent' enabled or including 'Internal (Network)' in 'Host-based relay' means that any infected PC can send thousands of solicitations an hour for your most-un-favorite Nigerian fraudster.

    With only the host definition for Exchange in 'Host-based relay', the Proxy knows that that's the only source of SMTP it should accept for relaying, so, yes, that forces everyone to authenticate to the Exchange server.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    sorry for returning to this old thread, but I am a bit confused on the Transparent mode or not. Following the question from "" I also would enable Transparent mode to intercept all port 25 traffic - no hosts in "Skip Transparent Mode Hosts/Nets". Otherwise you will need to DNAT to the internal mail server.

    Yes, only internal mailserver in Allowed SMTP hosts on the Relaying tab.

    Am I missing something here?

    /Claus, DK

  • Transparent mode isn't needed to avoid DNAT, Claus.  All SMTP traffic from the Internet that hits an Interface with a default gateway will be captured by the SMTP Proxy without Transparent mode.  SMTP traffic from the internal mailserver will be captured by the SMTP Proxy without Transparent mode.

    In Transparent mode, the SMTP Proxy will also capture all SMTP Traffic that hits Interfaces without a default gateway.  This can allow infected PCs to spam the world and get your IP onto many RBLs.  I recommend using Transparent only for debugging purposes and leaving it off virtually all of the time.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Transparent mode isn't needed to avoid DNAT, Claus.  All SMTP traffic from the Internet that hits an Interface with a default gateway will be captured by the SMTP Proxy without Transparent mode.  SMTP traffic from the internal mailserver will be captured by the SMTP Proxy without Transparent mode.

    In Transparent mode, the SMTP Proxy will also capture all SMTP Traffic that hits Interfaces without a default gateway.  This can allow infected PCs to spam the world and get your IP onto many RBLs.  I recommend using Transparent only for debugging purposes and leaving it off virtually all of the time.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data