Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 6159 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help with mail server please

JamesSteen
I have to get mail to my server but I also need to allow the mail to come in from certain IP addresses such as 54.191.214.3  54.149.210.130. 25 or so to type in. Am I adding these from "Network Definitions" "Group" "????" "????"  please give me some help thanks. I will also need help with S - D NAT afterwards.

I am adding through 
Network Definition
Host
IP 123.456.789
Then adding the domain in DNS with reverse lookup on
pmta1.delivery10.ore.mailhop.org

Let me know if this is correct please.


This thread was automatically locked due to age.
  • 0
    You haven't gotten an answer because no one understands your question.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Sorry. I have my mail server behind UTM on 192.168.0.99 In order to receive mail I need to allow 28 ip addresses that come from the company DUOCircle.
    I currently have the IP's set up as Definitions - Network - Availability Group then added the IP address as well as the corresponding hostname and selected Reverse DNS.
    Am I setting the Allowable IP's correctly?

    Still no mail.
  • 0
    No. Set them as normal Network group. Availability group only resolves to 1 IP (the first reachable in the list).

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • 0 in reply to scorpionking
    Ok. I have taken out the hostnames that went with each IP address and also changed the group to "Networking Group"
    I have also added the individual IP's into the Relay section of the Email Protection.

    I have also updated my S and D Nat.
    I will give it a few but no mail as of yet.
  • 0 in reply to JamesSteen
    Ok. The 28 different IP addresses can not be put in as 123.456.789/24 because they are not a whole block. Unless I am not understanding it correctly.
    So I need to get mail from outside to my mail server behind the firewall.
    I need to allow these 28 different IP addresses access to go to the mail server.
    Still no mail. Please tell me I am an IDIOT or help thanks.
    This is from DUOCircle's help page.

    Delivery Servers

    These IP's need to be in your firewall to ensure delivery from our network to your email server. 


    Delivery Group 1
    pmta1.delivery1.ore.mailhop.org / 54.191.214.3
    pmta1.delivery2.ore.mailhop.org / 54.149.210.130
    pmta1.delivery3.ore.mailhop.org / 54.191.214.36
    pmta1.delivery4.ore.mailhop.org / 54.191.151.194
    pmta1.delivery5.ore.mailhop.org / 54.148.219.64
    pmta1.delivery6.ore.mailhop.org / 54.149.206.185
    pmta1.delivery7.ore.mailhop.org / 54.186.27.61
    pmta1.delivery8.ore.mailhop.org / 54.191.158.99
    pmta1.delivery9.ore.mailhop.org / 54.186.172.23
    pmta1.delivery10.ore.mailhop.org / 54.149.36.10

    Delivery Group 2
    pmta2.delivery1.ore.mailhop.org / 54.149.155.156
    pmta2.delivery2.ore.mailhop.org / 54.69.130.42
    pmta2.delivery3.ore.mailhop.org / 54.213.22.21
    pmta2.delivery4.ore.mailhop.org / 54.200.247.200
    pmta2.delivery5.ore.mailhop.org / 54.186.218.12
    pmta2.delivery6.ore.mailhop.org / 54.200.129.228
    pmta2.delivery7.ore.mailhop.org / 54.149.205.143
    pmta2.delivery8.ore.mailhop.org / 54.148.222.11
    pmta2.delivery9.ore.mailhop.org / 54.148.30.215
    pmta2.delivery10.ore.mailhop.org / 54.69.62.154

    Delivery Group 3
    delivery1.ore.mailhop.org / 54.68.193.51
    delivery2.ore.mailhop.org / 54.186.60.165
    delivery3.ore.mailhop.org / 54.149.154.28
    delivery4.ore.mailhop.org / 54.148.229.97
    delivery5.ore.mailhop.org / 54.186.22.84
    delivery6.ore.mailhop.org / 54.149.26.35
  • 0
    Create a network object of type "Host" for every IP. Then create a network group and put all those created hosts in it.

    Now go to Email Protection -> SMTP -> Relaying and put this group in "Upstream Hosts/Networks".

    Und "Host based relay" you put your internal mail server.

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • 0
    Scorpionking, since there's an FQDN for each IP, why not recommend a DNS Host definition for each member of the group?

    Biggdog, if you're using one of the DUOCircle services that does anti-spam/virus, you may want to skip the proxy altogether and just use a NAT rule:

    DNAT : {mailhop.org Group} -> {port you're using} -> External (Address) : to Mail Server


    Check #2 in Rulz to see that a DNAT takes precedence over the SMTP Proxy.

    Depending on your mail server, you probably want to change the Service to SMTP in that DNAT and add another NAT rule for outbound traffic like:

    SNAT : Any -> SMTP -> {mailhop.org IP you send to (smart host setting in the mail server)} : from External (Address) on {port you're using}




    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    OK. I created a DNS Host definition for each of the FQDN.
    I then added them to a Network Group 
    I could not add the group to Upstream Hosts/Networks so I added each individual DNS Host  "FQDN"

    I also changed my D-Nat and S-Nat.

    PS...
    How to take screen shot to show you in Astaro?? Sophos or just do a ctrl Print screen???

    Nothing yet. Thanks for responding I had kid issues last night.
  • 0
    You may or may not remember but I must get mail from port 2525.
    My S-Nat = For traffic from:External "WAN" Address - Using service:"SMTP" Going to: The DNS Hostnames AKA FQDN. - And the service to: SMPT 2525.

    D-Nat = For traffic from:The DNS Hostnames AKA FQDN. - Using service:SMPT 2525 - Going to:External "WAN" Address - And the service to:SMTP.
    I have nothing saying going to Mail Server but this is what I took from a while ago when you helped me out Bob.

    Still nothing. I do not know what I have done differently. I am going to rebuild web mail server.
  • 0
    I know you have told me before not to fill out both sections but after re-reading your post Bob I have done this. Please let me know if I am on the right track.

    D-Nat = For traffic from:The DNS Hostnames AKA FQDN. - Using service:SMPT 2525 - Going to:External "WAN" Address - Change the destination to: Mail Server - And the service to:SMTP.
Unfiltered HTML