I've searched the forums fairly extensively but can't seem to find a solution that matches the concern that I have, so I'm going to post it here and see if I can get some help.
If you do respond please feel free to explain like I'm a 4 year old who needs explicit directions.
Astaro Security Gateway 8.003
I have a single mail server that sits behind the firewall and is connected to by external IMAP users as well as being the primary mail server that sends email.
Firewall
WAN: ***.***.***.100
LAN: 10.0.0.1
Mail Server (mail-01)
WAN: ***.***.***.105
LAN: 10.0.0.5 [Definitions->Networks->Host]
Mail Security --> Routing
* Domains (example.com) - added
* Route by: Static Host List
* Host List (mail-01)
* With Callout
Mail Security --> AntiVirus
* AntiVirus check footer CHECKED
Mail Security --> AntiSpam
* Reject at SMTP Time: Confirmed Spam
* Advanced anti-spam features: ALL CHECKED
Mail Security --> Exceptions
* NONE
Mail Security --> Relaying
* Allow Authenticated Relaying - CHECKED
* Allowed users/groups (email security group - custom created)
* Allowed hosts/networks (Internal (network))
* Scan relaying (outgoing) messages - CHECKED
Mail Security --> Advanced
* NONE (other than default Advanced settings)
DNAT/SNAT - NETWORK SECURITY
Inbound Mail DNAT
Any --> Email Messaging (IMAP,POP3,SMTP + all SSL versions) --> Ext WAN .105 --> mail-01
Outbound Mail SNAT
mail-01 --> SMTP --> Any --> Ext WAN .105
RESULTS OF ABOVE CONFIGURATION
I can send and receive email correctly.
The mail server is configured to ensure it is not an open relay.
The email header when delivered shows the correct HELO from the mail server.
The issue is that it appears that neither inbound nor outbound emails are being scanned by the Astaro firewall.
This makes sense in regards to the outgoing email as I'm not relaying through the Astaro. I would have thought, however, that the AntiVirus and AntiSpam features of the Astaro gateway would still be in effect on inbound email.
I am getting a TON of spam emails in my inbox with this current configuration and the mail manager shows that there are NO stored or quarantined messages which makes me believe that Astaro is not scanning those messages.
OPTION TWO
Mail Security --> Advanced
* Use Transparent Mode - CHECKED
This change appears to intercept inbound and outbound SMTP traffic (as indicated in info), which on the surface seems to be the solution.
This change, however, means that all outbound email now goes out on WAN ***.***.***.100 instead of ***.***.***.105 as before. In order to solve this I add the SNAT rule:
Ext WAN .100 --> SMTP --> Any --> Ext WAN .105
This forces SMTP traffic on the firewall to use the Ext mail IP that I have all my RDNS setup on.
While this solution would work if I only ever have a single mail server behind the firewall, as soon as I would add a second internal mail server I would have the problem of trying to redirect SMTP traffic on Ext WAN .100 to more than one Ext WAN IP address which I don't think Astaro can do.
DESIRED SOLUTION
I want to have a mail server (or multiple mail servers should I need) behind the firewall that can send outbound email which can be scanned by Astaro prior to being sent. I also want all incoming SMTP mail to that mail server to be scanned by Astaro for virus and spam before it reaches my mail server.
It does not matter if all SMTP authentication is done by the mail server itself (as present configuration does), or if I need to utilize Authenticated relay with allowed users/groups as would be required with Transparent Mode.
My current configuration works but seems to bypass Astaro, which seems to defeat the benefits offered by Astaro. I'm a little lost on what piece of this I'm missing, whether it's configuring Interfaces & Routing --> Static routing or whether Astaro really is scanning inbound and I'm just not seeing it.
At the very least I want Astaro to scan inbound email, outbound is a "nice to have" not a "need to have".
Any thoughts, suggestions and/or detailed ideas you have would be greatly appreciated.
Thanks
Ryan