How to configure SMTP full transparent mode on an SG105 in bridged mode

Hi,

I'm using a Sophos UTM 9 in bridge mode and am trying to activate the full transparent mode for SMTP.
The goal is to scan all incoming SMTP traffic on port 25 for spam and to filter it before it gets into the network.
Unfortunately I'm failing at this :-/ Maybe somebody has an idea what I did wrong.

As mentioned, the Sophos SG105 is running in bridged mode. Everything else, like the firewall, IPS and so on, is working as I'd expect.

I activated the SMTP proxy in simple mode, added the e-mail domains that I expect to receive into my network, and the Exchange server that is there.
The Exchange server is added as a static host in the host list.
In the last tab I activated transparent mode, since its description seems to be what I want the Sophos to do: listen on and scan all traffic on port 25.
Everything else I left at the defaults.

When I receive mail now, it is rejected and I can't figure out why.

Somewhere in the manual I found that it is important to make sure DNS is working correctly on the Sophos, but that works flawlessly as far as I can tell.

Maybe somebody can shed some light on this, since I'm rather clueless.
I activated debug mode for SMTP and this is what I get for all incoming mail.

13810 Connection request from 13.67.59.89 port 5432
13810 LOG: smtp_connection MAIN
13810 SMTP connection from [13.67.59.89]:5432 (TCP/IP connection count = 1)
13810 search_tidyup called
13810 1 SMTP accept process running
13810 Listening...
30491 sender_fullhost = [13.67.59.89]:5432
30491 sender_rcvhost = [13.67.59.89] (port=5432)
30491 Process 30491 is handling incoming connection from [13.67.59.89]:5432
30491 host in host_lookup? yes (matched "*")
30491 looking up host name for 13.67.59.89
30491 DNS lookup of 89.59.67.13.in-addr.arpa (PTR) gave HOST_NOT_FOUND
30491 returning DNS_NOMATCH
30491 IP address lookup using gethostbyaddr()
30491 IP address lookup failed: h_errno=1
30491 LOG: host_lookup_failed MAIN
30491 no host name found for IP address 13.67.59.89
30491 sender_fullhost = [13.67.59.89]:5432
30491 sender_rcvhost = [13.67.59.89] (port=5432)
30491 set_process_info: 30491 handling incoming connection from [13.67.59.89]:5432
30491 host in host_reject_connection? no (option unset)
30491 host in sender_unqualified_hosts? no (option unset)
30491 host in recipient_unqualified_hosts? no (option unset)
30491 host in helo_verify_hosts? no (option unset)
30491 host in helo_try_verify_hosts? no (option unset)
30491 host in helo_accept_junk_hosts? no (option unset)
30491 using ACL "acl_check_connect"
30491 processing "drop"
30491 check condition = 0
30491 drop: condition test failed in ACL "acl_check_connect"
30491 processing "accept"
30491 accept: condition test succeeded in ACL "acl_check_connect"
30491 SMTP>> 220 [myMXdomain] ESMTP ready.
30491 Process 30491 is ready for new message
30491 smtp_setup_msg entered
30491 SMTP>> 421 [myMXdomain] lost input connection
30491 LOG: smtp_connection MAIN
30491 SMTP connection from [13.67.59.89]:5432 lost (error: Connection reset by peer)
30491 search_tidyup called
13810 child 30491 ended: status=0x100
13810 normal exit, 1
13810 0 SMTP accept processes now running
13810 Listening...

Thanks
Sophie

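An added example, not part of the thread and not Sophos code: a small Python script that summarises an Exim-style SMTP debug log (the UTM's SMTP proxy produces the per-PID lines shown above) per worker process, so you can tell whether a rejection came from the UTM itself (an ACL deny/drop or a 5xx reply) or from the remote peer giving up. It uses a trimmed copy of the debug excerpt from the post above as its sample input; the PID prefix, the "SMTP>>"/"SMTP<<" direction markers and the ACL wording are taken from that log, while the Session fields and verdict strings are this example's own.

```python
"""Summarise Exim-style SMTP debug output per connection (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: trimmed from the debug excerpt posted above (not constructed).
SAMPLE_LOG = """\
13810 Connection request from 13.67.59.89 port 5432
13810 SMTP connection from [13.67.59.89]:5432 (TCP/IP connection count = 1)
30491 Process 30491 is handling incoming connection from [13.67.59.89]:5432
30491 host in host_lookup? yes (matched "*")
30491 looking up host name for 13.67.59.89
30491 DNS lookup of 89.59.67.13.in-addr.arpa (PTR) gave HOST_NOT_FOUND
30491 LOG: host_lookup_failed MAIN
30491 using ACL "acl_check_connect"
30491 processing "drop"
30491 drop: condition test failed in ACL "acl_check_connect"
30491 processing "accept"
30491 accept: condition test succeeded in ACL "acl_check_connect"
30491 SMTP>> 220 [myMXdomain] ESMTP ready.
30491 smtp_setup_msg entered
30491 SMTP>> 421 [myMXdomain] lost input connection
30491 SMTP connection from [13.67.59.89]:5432 lost (error: Connection reset by peer)
13810 child 30491 ended: status=0x100
"""

# Each regex captures the worker PID first, then the fields of interest.
RE_PEER = re.compile(r"^(\d+) Process \d+ is handling incoming connection from \[([^\]]+)\]:(\d+)")
RE_PTR = re.compile(r"^(\d+) DNS lookup of (\S+) \(PTR\) gave (\S+)")
RE_ACL = re.compile(r'^(\d+) (\w+): condition test (succeeded|failed) in ACL "([^"]+)"')
RE_SENT = re.compile(r"^(\d+) SMTP>> (\d{3}) ?(.*)")   # replies the UTM sent
RE_RECV = re.compile(r"^(\d+) SMTP<< (.*)")            # commands the peer sent
RE_LOST = re.compile(r"^(\d+) SMTP connection from \[[^\]]+\]:\d+ lost \(error: (.*)\)")


@dataclass
class Session:
    pid: str
    peer_ip: Optional[str] = None
    peer_port: Optional[int] = None
    ptr_result: Optional[str] = None          # e.g. HOST_NOT_FOUND
    acl_verdict: Optional[str] = None         # first ACL verb whose condition succeeded
    sent: List[str] = field(default_factory=list)      # reply codes sent by the UTM
    received: List[str] = field(default_factory=list)  # SMTP commands from the peer
    lost_error: Optional[str] = None


def parse_debug_log(text: str) -> Dict[str, Session]:
    """Group debug lines by worker PID; drop the listener PID (no peer)."""
    sessions: Dict[str, Session] = {}

    def sess(pid: str) -> Session:
        return sessions.setdefault(pid, Session(pid))

    for line in text.splitlines():
        if m := RE_PEER.match(line):
            s = sess(m[1])
            s.peer_ip, s.peer_port = m[2], int(m[3])
        elif m := RE_PTR.match(line):
            sess(m[1]).ptr_result = m[3]
        elif m := RE_ACL.match(line):
            s = sess(m[1])
            if m[3] == "succeeded" and s.acl_verdict is None:
                s.acl_verdict = m[2]
        elif m := RE_SENT.match(line):
            sess(m[1]).sent.append(m[2])
        elif m := RE_RECV.match(line):
            sess(m[1]).received.append(m[2])
        elif m := RE_LOST.match(line):
            sess(m[1]).lost_error = m[2]
    return {pid: s for pid, s in sessions.items() if s.peer_ip}


def diagnose(s: Session) -> str:
    """Attribute the failure to the UTM or to the peer, in that order of evidence."""
    if s.acl_verdict in ("deny", "drop"):
        return "rejected by UTM ACL (%s)" % s.acl_verdict
    if any(code.startswith("5") for code in s.sent):
        return "rejected by UTM with a 5xx reply"
    if not s.received and s.lost_error:
        return ("peer closed the connection before sending any SMTP command (%s); "
                "UTM did not reject" % s.lost_error)
    if s.lost_error:
        return "connection lost mid-session (%s)" % s.lost_error
    return "session completed without a recorded rejection"


if __name__ == "__main__":
    for pid, s in parse_debug_log(SAMPLE_LOG).items():
        print(f"PID {pid}: {s.peer_ip}:{s.peer_port} PTR={s.ptr_result} "
              f"ACL={s.acl_verdict} sent={s.sent} -> {diagnose(s)}")
```

Run against the excerpt, this reports that the connect ACL accepted the peer, the UTM sent its 220 banner, no command (EHLO/HELO) ever arrived, and the peer reset the connection. That is the check worth making before chasing the PTR failure: a failed reverse lookup is logged here but did not by itself cause a rejection, because the accept verb still fired.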
  • Hi, Sophie, and welcome to the UTM Community!

    I may be wrong, but I think Transparent is for mail being sent by clients, not for receiving mail.  I've not seen a situation where transparent should be used for anything but diagnostics.  In any case, you should change your edge router to NAT incoming SMTP traffic to the IP of the bridge instead of to your mail server.  Any luck with that?

    Also, you might want to consult Basic Exchange setup with SMTP Proxy.

    If you still have a problem, please post lines from the UTM's SMTP log that correspond to one rejected email.  In general, you will want to post complete log lines with proprietary information obfuscated - user@ourdomain.com, 13.x.y.89 and 172.16.y.23, for example.

    Cheers - Bob

    PS Unless someone asks for a log with debug, make your log presentations without it activated.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfsons,

    thanks for your reply!
    I followed your advice and disabled transparent mode, and changed the router config to forward incoming traffic to the IP of the Sophos bridge (not the internal network address of the SG105).

    Unfortunately, all incoming packets to TCP 25 are dropped by the default rule, although I added an allow rule for that port from all IPv4 addresses to the Sophos bridge address.

    I have no idea what could be causing this behaviour. Why is the packet dropped, although it is specifically allowed? I double-checked the address, the log, and so on, but I'm out of ideas as to what could be wrong.

    Well, maybe you have another idea what to check.

    Thanks!

  • Please show a line where a TCP 25 packet was dropped.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA