
SMTP Proxy dual wan

Dear all

I am trying to configure a rather strange setup. My customer has two WAN uplinks and a single Internal interface. On this internal interface we have the Internal Network (bound to the internal Interface), let's say it is 192.168.0.x, and a second Internal Network 192.168.1.x. On the inside we have two separate Exchange servers, one on each network, each servicing a large number of domains (more than twenty). Internal routing is handled by an L3 switch, so the default gateway of the 192.168.1.x network is the L3 switch, which routes traffic to 192.16.0.1, which is the Astaro Internal interface IP.

The two Internal Networks must each use a different External WAN interface. I have created general multipath rules that send all traffic from Internal 1 network to the first External Interface and all traffic from Internal 2 Network. Relevant masquerading NAT rules are created.

Everything works well except the SMTP proxy traffic. SMTP is used in transparent mode with Profiles.

All mail leaving the mail server on 192.168.0.x leaves with the correct External WAN address (an additional address on the first External Interface) using source NAT rules. All mail leaving the mail server of internal LAN 192.168.1.0 also leaves with the same External WAN address. I would like this mail server to send out mails using the External IP of the second External Interface.

Temporarily I have added the internal IP of the second mail server (192.168.1.5) to the SMTP proxy Transparent skip list, but this of course does not filter outgoing emails. In this way, however, mails leave with the correct External Interface.

Any advice?

Regards

Antonis Constantinou.


  • This capability was added for HTTP, but has not yet been added for SMTP.  You can imagine that this requires extra steps to mark a packet, move it differently and then strip the extra marks before sending it.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Re questioning about this Bob.
    Any chance for dual hostnames?

  • If there isn't an RDNS entry for an IP address, your mail will most likely be bounced. We actually had this with the setup I've just mentioned above as the A & PTR record hadn't been set up. Just enabling the 2 uplink interfaces pushed 50% of the mail out through the 2nd interface and it bounced.

    Fortunately, we were watching for it and expecting it also. The solution was to create the multipath rule and chuck 100% smtp via the 1st interface until we got the A, PTR & MX records in place.

    As far as I'm aware, most anti-spam solutions will do a reverse lookup first to make sure the sending IP has a valid A & PTR record with it. The mail will get bounced right there if the receiving server can't connect or find a PTR record. They will then move on to the more exotic stuff like SPF, DKIM & DMARC to increase or decrease the score.

    We're quite pleased with our setup and are still tweaking it, as we're in the process of completely switching the sites, i.e. SITE B (failover site) will become the primary site in the event of an outage at SITE A (primary site) becoming offline for a reason.

  • OK, let's say the IPs have PTR and MX configured. What about the SMTP Banner HELO?

    For this I am worried.

  • Never had an issue. As long as there is a PTR record for the sending IP, mail will usually flow. Think of a single server sending for multiple domains.

    And of course, when you start to configure SPF etc, you would have to take into account the sending mail server/domain.

    But the HELO/EHLO doesn't have to match the user's domain. It just has to have an IP with a PTR which matches.

  • Thank you for the explanation. It will be your fault if I go blacklisted :)

  • Here are some tests and strange behavior of my UTM.

    "WorkUTM" has 2 UPLINKs.
    It receives emails from both, but sends only from one (defined with a multipath rule). The second WAN is not published in any DNS records etc.

    HOW did I test sending emails to the second IP? Simple: I defined mail.hostname.com with the second IP in my "HomeUTM".
    But my "HomeUTM" doesn't accept emails from my "WorkUTM" with the primary WAN IP:
    [79.x.x.x]: 550 Invalid RDNS entry for 80.x.x.x

    Tried to define mail.hostname.com (work) with two IPs, without success.

  • You know so much, Olsi, that I didn't think of this.  Like Louis said, you only need to make sure your authoritative name server entries tell the full story:

    mail1.hostname.com A 22.33.44.55                     <-- EDIT 2018-02-22 Corrected mail2 to mail1
    55.44.33.22.in-addr.arpa ptr mail1.hostname.com

    mail2.hostname.com A 22.33.44.56
    56.44.33.22.in-addr.arpa ptr mail2.hostname.com

    v=spf1 ip4:22.33.44.55 ip4:22.33.44.56 -all

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
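    As an added example (not part of the thread and not Sophos UTM code), the check Louis describes above (reverse lookup first, then SPF) and Bob's record set can be exercised offline. The script below loads Bob's A/PTR/SPF records into an in-memory DNS table, adds a third, deliberately broken address 22.33.44.57 that has no PTR, and runs a forward-confirmed reverse DNS check plus a minimal SPF evaluation against each sending IP. The zone data and the 22.33.44.57 address are constructed for the example; the "550 Invalid RDNS entry" text mirrors the bounce Olsi posted.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and SPF check over an in-memory
DNS table.  Added example for the thread; not Sophos UTM code.  The zone
below is constructed from the records Bob posted, plus 22.33.44.57 which
has an A record but no PTR, to show the failure case."""
import ipaddress

# Constructed zone data (assumption: mirrors the thread's example records).
A_RECORDS = {
    "mail1.hostname.com": "22.33.44.55",
    "mail2.hostname.com": "22.33.44.56",
    "mail3.hostname.com": "22.33.44.57",   # forward only, no PTR: broken
}
PTR_RECORDS = {
    "55.44.33.22.in-addr.arpa": "mail1.hostname.com",
    "56.44.33.22.in-addr.arpa": "mail2.hostname.com",
}
TXT_RECORDS = {
    "hostname.com": "v=spf1 ip4:22.33.44.55 ip4:22.33.44.56 -all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns(ip):
    """Return (ok, detail).  ok is True only when the IP has a PTR record
    and the name it points to resolves forward to the same IP."""
    name = PTR_RECORDS.get(ipaddress.ip_address(ip).reverse_pointer)
    if name is None:
        return False, f"no PTR record for {ip}"
    forward = A_RECORDS.get(name)
    if forward != ip:
        return False, f"PTR {name} resolves to {forward}, not {ip}"
    return True, name


def spf_result(domain, ip):
    """Minimal SPF evaluator: ip4:/ip6: mechanisms and the all terminator,
    with the +/-/~/? qualifiers.  Returns 'none' when no SPF record exists."""
    txt = TXT_RECORDS.get(domain, "")
    if not txt.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in txt.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"          # RFC 7208: no mechanism matched


def smtp_verdict(ip, mail_from_domain="hostname.com"):
    """What a receiving MTA doing the checks in the thread would answer:
    reverse lookup first (reject outright on failure), then SPF."""
    ok, detail = fcrdns(ip)
    if not ok:
        return f"550 Invalid RDNS entry for {ip}"
    spf = spf_result(mail_from_domain, ip)
    if spf == "fail":
        return f"550 SPF fail for {ip} sending as {mail_from_domain}"
    return f"250 OK ({detail}, spf={spf})"


if __name__ == "__main__":
    for sender in ("22.33.44.55", "22.33.44.56", "22.33.44.57"):
        print(sender, "->", smtp_verdict(sender))
```

    Running it shows both of Bob's addresses accepted and the third rejected at the reverse-lookup step, before SPF is ever consulted; this is the order of checks that makes a second uplink with no PTR bounce half the outbound mail, as Louis observed.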
  • Yes some DNS zones allow that

  • Found one article on editing exim.conf, Bob.
    And it works: when I hit telnet 79.106.x.x 25, it responds utm.xxxx.com.
    When I hit telnet 192.168.2.1 25, it responds local.xxxx.com.

    Maybe it's hard for developers to implement it.

  • There can be very many domains hosted behind a single HELO string.  There must be tens of thousands behind mail-cys01nam02on0094.outbound.protection.outlook.com and the other servers for Office 365.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I wanted only the correct SMTP banner for the correct IP, just that.

  • I don't think that there's an RFC requirement that there be a different SMTP banner for different IPs or for different domains.  I can see that a hosting provider might not be set up like outlook.com and would want to offer customized SMTP banners for its customers.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA