
Emails not routed to Exchange server

Hello,

I configured my first Sophos Firewall.

Initial configuration was OK for relaying mail from/to my Exchange server.
Then, I activated the Mail Protection and... problems appeared.

1) I have a NAT rule to my Exchange server (10.0.0.63) on port 25. During the first days (until activation of Mail Protection), it worked.

2) I can see the SMTP packets coming:

18:41:11 NAT rule #1 TCP 67.214.175.93:46027 -> 192.168.2.2:25 [SYN] len=60 ttl=48 tos=0x18 srcmac=08:76:ff:e1:d9:fe dstmac=00:1a:8c:40:f6:25
18:41:11 NAT rule #1 TCP 67.214.175.93:46028 -> 192.168.2.2:25 [SYN] len=60 ttl=48 tos=0x18 srcmac=08:76:ff:e1:d9:fe dstmac=00:1a:8c:40:f6:25

3) I chose Simple Mode, configured my domain name (mydomain.com), and added the Exchange server to the Host List.

4) However, the mails are blocked:

25-18:48:03 my-fw-01 exim-out[4185]: 2016-05-25 18:48:03 1b5bcq-0000KN-GL 10.0.0.63 [10.0.0.63]:25 No route to host

2016:05:25-18:48:03 my-fw-01 exim-out[4184]: 2016-05-25 18:48:03 1b5bcq-0000KN-GL == myname@mydomain.com R=static_route_hostlist T=static_smtp defer (113): No route to host
2016:05:25-18:48:03 my-fw-01 exim-out[4236]: 2016-05-25 18:48:03 1b5b3C-0007os-FV == myname@mydomain.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host

5) I disabled the Mail Protection system but... the result is still the same! I cannot receive/send any mail.

Could you please provide some help?

Thanks in advance.


  • You do not need to use NAT.

    The best way to set the UTM and exchange up is:

    Incoming mail: INTERNET > UTM SMTP Proxy > EXCHANGE
    Outgoing mail: EXCHANGE > UTM SMTP Proxy > INTERNET

    Remove your NAT rule and ensure that your public DNS points to the UTM IP address or one of your additional IP addresses.
    Remove any SMTP rule from outside as well. The only way you want mail entering and leaving your organisation is via the UTM. This will stop spam and also guard against the inside being compromised with a spam bot etc.

    Your Exchange server will also need a send connector configured to send all mail to the UTM rather than directly out to the web.

    As an additional safeguard, make sure your DNS is configured right on the Exchange server (point it to the UTM) and that the firewall rules are in place for DNS on the UTM so that only the DNS servers you specify can be used.

    There is a really good guide on here called "rulz" by Bob and "UTM Tweaking guide v2" by Sascha in the general forum. There are also a few others about mail and DNS setups. Make sure to read those; it will be well worth it.

  • Thanks, Louis. I always keep this link handy: community.sophos.com/.../178769 Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Thanks for your answer.

    I configured my UTM as described in the article "Basic Exchange setup with SMTP Proxy":

    • Global: Simple mode
    • Routing: mydomain.be in Domains, and Exchange CAS in Host list
    • Malware: Reject malware during SMTP transaction + single scan
    • Antispam: Confirmed spam + 3 advanced features (Reject invalid HELO + Use BATV + SPF check)
    • Data Protection: Scan within attachments and notify administrator
    • Exceptions: nothing
    • Relaying: Upstream Hosts (the fixed IP of my router). Is it correct?
    • Relaying: Allowed Hosts/Networks (my internal servers network + the fixed IP of my router). Is it correct, or do I also need the DMZ interface?
    • Advanced: Use transparent mode + Allow SMTP traffic for listed hosts (Exchange CAS)

    Now, I can see the mails (IN and OUT) coming and going to... the SMTP Spool.

    But, they remain stuck in SMTP Spool.

    Outgoing message (from my Exchange to Gmail):

    Message Delivery Log:
    2016-05-27 17:28:43 gmail-smtp-in.l.google.com [74.125.136.27]:25 No route to host
    2016-05-27 17:28:46 alt1.gmail-smtp-in.l.google.com [74.125.68.27]:25 No route to host
    2016-05-27 17:28:49 alt2.gmail-smtp-in.l.google.com [74.125.204.27]:25 No route to host
    2016-05-27 17:28:52 alt3.gmail-smtp-in.l.google.com [173.194.72.27]:25 No route to host
    2016-05-27 17:28:55 alt4.gmail-smtp-in.l.google.com [74.125.25.26]:25 No route to host
    2016-05-27 17:28:55 myname@gmail.com R=dnslookup T=remote_smtp defer (113): No route to host

    Incoming mail (from Gmail):

    Message Delivery Log:
    2016-05-27 17:24:24 myname@mydomain.be R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host

    There is still something going wrong... but what ?

    But the good news: the true SPAM mails are blocked (I can see it in the SMTP log).
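The two defer codes in the logs above point in different directions, and telling them apart is what shortens the hunt. The following triage script is an added example (not from this thread, and not Sophos or exim code): it parses the two log shapes quoted in the thread (syslog-prefixed `exim-out` lines and the bare "Message Delivery Log" lines from the SMTP spool view) and sorts each deferral by cause. A positive code is an OS errno returned to exim by the UTM's own TCP stack; 113 is `EHOSTUNREACH` on Linux, meaning the firewall kernel itself had no usable route to the destination, which is a routing problem, not a mail-proxy setting. A negative code is exim-internal; the `-53` lines with "retry time not reached for any host" mean exim did not attempt delivery at all because it is still backing off from the earlier failure, so they are a symptom, not a second fault. The sample log embedded in the block is constructed from the lines posted in this thread; the errno table assumes Linux values.

```python
"""Triage exim delivery-log deferrals from a Sophos UTM SMTP proxy (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the delivery-log lines quoted in this thread, in both shapes
# (syslog-prefixed exim-out lines and bare "Message Delivery Log" lines).
SAMPLE_LOG = """\
2016:05:25-18:48:03 my-fw-01 exim-out[4185]: 2016-05-25 18:48:03 1b5bcq-0000KN-GL 10.0.0.63 [10.0.0.63]:25 No route to host
2016:05:25-18:48:03 my-fw-01 exim-out[4184]: 2016-05-25 18:48:03 1b5bcq-0000KN-GL == myname@mydomain.com R=static_route_hostlist T=static_smtp defer (113): No route to host
2016:05:25-18:48:03 my-fw-01 exim-out[4236]: 2016-05-25 18:48:03 1b5b3C-0007os-FV == myname@mydomain.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2016-05-27 17:28:43 gmail-smtp-in.l.google.com [74.125.136.27]:25 No route to host
2016-05-27 17:28:55 myname@gmail.com R=dnslookup T=remote_smtp defer (113): No route to host
2016-05-27 17:24:24 myname@mydomain.be R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
"""

# Linux errno values that show up as positive "defer (N)" codes. Assumption: the UTM runs Linux.
LINUX_ERRNO = {
    101: ("ENETUNREACH", "kernel has no route to the network; check the UTM routing table"),
    110: ("ETIMEDOUT", "routed but no answer; a filter or upstream device is dropping the SYN"),
    111: ("ECONNREFUSED", "host reachable, nothing listening on that port"),
    113: ("EHOSTUNREACH", "kernel has no usable route to the host; check static routes on the UTM (e.g. 'ip route get <ip>')"),
}
# Host-attempt lines carry only strerror() text, so map the Linux texts back to numbers.
ERRNO_BY_TEXT = {"Network is unreachable": 101, "Connection timed out": 110,
                 "Connection refused": 111, "No route to host": 113}

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"   # exim message-id shape
# "<ts> [<msgid> ==] <rcpt> R=<router> T=<transport> defer (<code>): <message>"
DEFER_RE = re.compile(
    rf"(?P<ts>{TS}) (?:(?P<msgid>{MSGID}) == )?(?P<rcpt>\S+@\S+) "
    rf"R=(?P<router>\S+) T=(?P<transport>\S+) defer \((?P<code>-?\d+)\): (?P<msg>.*)$")
# "<ts> [<msgid>] <host> [<ip>]:<port> <message>"
HOST_RE = re.compile(
    rf"(?P<ts>{TS}) (?:(?P<msgid>{MSGID}) )?(?P<host>\S+) \[(?P<ip>[0-9.]+)\]:(?P<port>\d+) (?P<msg>.*)$")


@dataclass
class Event:
    ts: str
    kind: str             # "defer" (per-recipient summary) or "host_attempt" (one connection try)
    target: str           # recipient, or host[ip]:port
    code: Optional[int]   # exim's "defer (N)"; None on host-attempt lines
    msg: str
    cause: str            # "routing" | "network" | "backoff" | "exim-internal" | "unknown"
    hint: str


def classify(code: Optional[int], msg: str) -> Tuple[str, str]:
    """Map a defer code plus message text to a cause class and the next thing to check."""
    if code is not None and code < 0:
        # Negative codes are exim-internal. "retry time not reached" means exim made no
        # new attempt: it is waiting out the backoff from an earlier failure.
        if "retry time not reached" in msg:
            return "backoff", "no new attempt was made; fix the earlier failure, then wait for or force the retry"
        return "exim-internal", f"exim deferral code {code}; read the message text, this is not an errno"
    if code is None:
        code = ERRNO_BY_TEXT.get(msg)
    if code is None:
        return "unknown", msg
    name, hint = LINUX_ERRNO.get(code, (f"errno {code}", "OS-level error from the UTM's own TCP stack; see errno(3)"))
    return ("routing" if code in (101, 113) else "network"), f"{name}: {hint}"


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; the syslog prefix (colon-separated date) never matches TS, so search() skips it."""
    m = DEFER_RE.search(line)
    if m:
        code = int(m["code"])
        cause, hint = classify(code, m["msg"])
        return Event(m["ts"], "defer", m["rcpt"], code, m["msg"], cause, hint)
    m = HOST_RE.search(line)
    if m:
        cause, hint = classify(None, m["msg"])
        return Event(m["ts"], "host_attempt", f"{m['host']}[{m['ip']}]:{m['port']}", None, m["msg"], cause, hint)
    return None


def triage(log: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in log.splitlines()) if e]


def summarize(events: List[Event]) -> dict:
    """Count events per cause. 'routing' dominating says: look at the firewall's routes, not the SMTP proxy."""
    counts: dict = {}
    for e in events:
        counts[e.cause] = counts.get(e.cause, 0) + 1
    return counts


def routing_targets(events: List[Event]) -> List[str]:
    """Targets the UTM kernel could not route to. Internal and external hosts both listed
    means the problem is on the UTM itself, not on either peer."""
    return sorted({e.target for e in events if e.cause == "routing"})


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts}  {e.kind:<12} {e.target:<46} {e.cause:<13} {e.hint}")
    print(summarize(evs))
    print(routing_targets(evs))
```

Run against the lines from this thread, the summary comes out as four routing deferrals and two backoffs, and the routing targets include both the internal Exchange host and Google's MX hosts. When the same firewall cannot reach an inside host and an outside host with `EHOSTUNREACH`, the SMTP proxy settings are not the place to look; the UTM's own routing table is.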

     
  • Delete the info out of the upstream host. You only use that if you have another email server upstream, i.e. ISP email server, smart server, etc.

    Delete the info for the host-based relaying. Add your Exchange server in here.

    Transparent mode: untick this and tick Allow SMTP from hosts/net.

  • I applied these configurations.

    Still the same issue with incoming mails:

    Message Delivery Log:
    2016-05-27 20:36:30 myname@mydomain.be R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host

    But there is no trace of the outgoing mails in the logs. And, of course, they are never received.

  • Problems solved!!! (I had a stupid static route.)