This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Proxy dual wan

Dear all

I am trying to configure a rather strange setup. My customer has two WAN uplinks and a single Internal interface. On this internal interface we have the Internal Network (bound to the internal Interface) lets say it is 192.168.0.x and a seconf Internal Network 192.168.1.x. In the inside we have two seperate Exchange servers one on each network each servicing a large number of domains (more that twenty). Internal routing is handled by an L3 switch so the default gateway og 192.168.1.x network is the L3 switch which routes traffic to 192.16.0.1 which is the Astaro Internal interface IP.

The two Internal Networks must each use a different Extrnal WAN interface. I have created general multipath rules that send all traffic from Internal 1 network to the first External Interface and all traffic from Internal 2 Network. Relevant masquerading NAT rules are created.

Everything works well except the SMTP proxy traffic. SMTP is used in transparent mode with Profiles.

All mail leaving the mail server from 192.168.0.x leaves with the correct External WAN adress (an additinal address on the first External Interface) using source NAT rules. All mail leaving the Mail server of internal lan 192.168.1.0 also leaves with the same External WAN address. I would like this mail server to send out mails using the External IP of the second External Interface.

Temporalily i have added the internal ip of the second mail server (192.168.1.5) on the SMTP proxy Transparent skip list but this of course does not filter outgoing emails. In this way however mails leave with the correct External Interface.

Any advice?

Regards

Antonis Constantinou.


This thread was automatically locked due to age.
Parents
  • This capability was added for HTTP, but has not yet been added for SMTP.  You can imagine that this requires extra steps to mark a packet, move it differently and then strip the extra marks before sending it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Re questioning about this Bob.
    Any chance for dual hostnames?

  • Not sure what your question is, Olsi.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Any chance to add additional hostname for SMTP, in the backup wan for example

  • Have to ask the guru Bob here.

    My understanding is you can get the SMTP to leave via different IP via multipath rules but you can only receive on 1 IP ie the SMTP Proxy. Now that might create an issue with RDNS lookups by anti-spam servers etc

    I'll check tomorrow. We have a load balanced UTM cluster 2x SG330 at one location and another 2x SG330 cluster. Each 50 miles away connected via a 1gb PtP.

    Having said that, we are utilizing SMTP proxy at both sites which then relay to exchange load balancers so there are 2x smtp proxy in play here which might explain why RDNS lookups work etc.

    So as below:

    OUTGOING: Exchange Transport Servers (NLB) > SITE A UTM SMTP Proxy > Multipath > 50% to internet & 50% to SITE B UTM SMTP Proxy > Internet

    INCOMING: Primary MX > SITE A UTM Proxy > (NLB) Exchange Transport servers
                       Backup MX > SITE B UTM Proxy > (NLB) Exchange Transport servers

Reply
  • Have to ask the guru Bob here.

    My understanding is you can get the SMTP to leave via different IP via multipath rules but you can only receive on 1 IP ie the SMTP Proxy. Now that might create an issue with RDNS lookups by anti-spam servers etc

    I'll check tomorrow. We have a load balanced UTM cluster 2x SG330 at one location and another 2x SG330 cluster. Each 50 miles away connected via a 1gb PtP.

    Having said that, we are utilizing SMTP proxy at both sites which then relay to exchange load balancers so there are 2x smtp proxy in play here which might explain why RDNS lookups work etc.

    So as below:

    OUTGOING: Exchange Transport Servers (NLB) > SITE A UTM SMTP Proxy > Multipath > 50% to internet & 50% to SITE B UTM SMTP Proxy > Internet

    INCOMING: Primary MX > SITE A UTM Proxy > (NLB) Exchange Transport servers
                       Backup MX > SITE B UTM Proxy > (NLB) Exchange Transport servers

Children
No Data