Sophos SMTP protection

Hi :)

I am trying to configure Sophos SMTP protection.

I have a mail server behind Sophos UTM; outgoing and incoming mail are configured through NAT redirection.

I want to disable SpamAssassin and Amavis on my mail server and configure scanning of all incoming and outgoing mail with Sophos.

Also use Sophos as the decryptor for TLS connections and scan all secured data before sending it to the internal mail relay.

My configuration:

public MX: mail.falcone.co.il / IP 213.151.40.39

Sophos DNS: fw.falcone.co.il / IP 213.151.40.39

Sophos LAN lag: 10.10.0.1

internal DNS name of mail server: mail.falcone.co.il

internal mail server IP: 10.10.0.100

internal Sophos lag: 10.10.0.1

using all ports, secured and not secured

using StartCom SSL CA

Ilya



  • Hi Ilya,

    Please explain what you have already configured. Did you already configure anything and if so, please post screenshots so it's easier for others to kick in at the point where you're stuck.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • My scenario:

    Linux mail server with virtual users/domains.

    Before I enabled the SMTP proxy in Sophos I used NAT rules from WAN to LAN for all email ports I need; the problem was SpamAssassin and ClamAV on the mail server...

    So I enabled SMTP protection:

    simple mode

    routing settings:

    domains: my.com

    host list: LAN IP of my mail server

    verify recipients: with callout

    relaying settings:

    checked authenticated users

    created a local user in Sophos for relaying

    allowed hosts: mail server LAN IP

    advanced settings:

    not using transparent mode

    created a CA in StartCom SSL and configured it for TLS

    On my mail server I configured relaying to the Sophos SMTP (for authentication I use the local Sophos user that I created).

    Testing :)

    When I send mail from Gmail to xxx@my.com, it works well: Sophos checks the recipient on the internal mail server, scans the mail and delivers it to the internal mail server for the recipient.

    When I send mail from my webmail (my webmail is on the mail server, same server!!!), it works well; it uses the Sophos relay and all scans work.

    BUT I cannot use mail clients like Outlook on port 25 or 587 anymore: when I configure SMTP in Outlook, it doesn't authenticate against the mail server, it tries to authenticate against the Sophos SMTP...

    In Sophos I can use AD or LDAP as authentication services... In my case I have virtual users in MySQL (as the database for my mail server).

    When enabling Sophos mail protection it automatically listens on SMTP ports 25 and 587... so all incoming SMTP ports go straight to the SMTP proxy...

    So I configured a secured connection on 465 (DNAT to my mail server) for authenticated connections from mail clients such as Outlook or mail programs on cellphones.

  • So if I understand correctly, the main problem at this moment is that your clients cannot use port 25 or 587 because they get "caught" by the SMTP proxy of the UTM?

    If this is the problem, then this will most likely happen when connecting from outside your UTM, and this will indeed be blocked (relaying is blocked). You did however configure a local user on the UTM that should be able to relay, so you should normally be able to configure your outgoing mail to authenticate using these credentials.

    Perhaps you can look in SMTP log where you should be able to find more information on SMTP connections (both allowed and blocked). If this doesn't help you, then please add such a connection attempt from the log to this thread (you can of course mask server/ip addresses if you like).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Yes, it is my main problem.

    If I configure the local user and password from Sophos in Outlook (outgoing mail server user and password), it works, but...

    The problem is that I can't create, for each user that has an email address on my mail server, another username and password (in Sophos UTM) for the Outlook configuration :)

    If I had Microsoft Exchange it would be very simple... I could turn on the authentication service with AD in Sophos...

    Maybe in the future the Sophos development team will add the option of an authentication service against MySQL databases :)

    **What about the non-free Sophos firewall? Do they have a solution?

  • Although you don't have Exchange, the same setup as in Basic Exchange setup with SMTP Proxy applies, and it appears that you have done that.  It sounds like you're trying to have your external client use the same IP as the FQDN listed in your MX record.  To have external clients reach your mail server, you will need a DNAT that uses either an Additional Address or an alternate port if you have only a single public IP.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
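One way to check from outside which listener answers a public port (the UTM's SMTP proxy or the DNAT'd internal mail server) and whether it offers AUTH, and only over TLS; this is an added example, not code from the thread or from Sophos, and the host names and the sample EHLO reply are constructed.

```python
"""Probe an SMTP port: who answers, and is AUTH offered (and only after TLS)?"""
import smtplib
import ssl

# Constructed sample EHLO reply body, in the bytes form smtplib exposes as ehlo_resp.
SAMPLE_EHLO = b"mail.example.test\nPIPELINING\nSTARTTLS\nAUTH PLAIN LOGIN\nSIZE 52428800"


def parse_ehlo(msg: bytes) -> dict:
    """Map each EHLO capability to its parameters; the first line is the server name."""
    caps = {}
    for line in msg.decode("ascii", errors="replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def auth_mechanisms(caps: dict) -> set:
    return set(caps.get("AUTH", []))


def probe(host: str, port: int, implicit_tls: bool = False, timeout: float = 10.0) -> dict:
    """Connect (plain, or implicit TLS as on 465), EHLO, STARTTLS if offered, EHLO again.
    The banner shows whether the UTM proxy or the internal mail server answered the port."""
    ctx = ssl.create_default_context()
    cls = smtplib.SMTP_SSL if implicit_tls else smtplib.SMTP
    kwargs = {"context": ctx} if implicit_tls else {}
    with cls(timeout=timeout, **kwargs) as s:
        _code, banner = s.connect(host, port)
        s.ehlo("probe.example.test")  # hypothetical client name
        caps = parse_ehlo(s.ehlo_resp)
        before, tls = auth_mechanisms(caps), implicit_tls
        if not tls and "STARTTLS" in caps:
            s.starttls(context=ctx)
            s.ehlo("probe.example.test")
            caps, tls = parse_ehlo(s.ehlo_resp), True
        return {"banner": banner.decode("ascii", errors="replace"), "tls": tls,
                "auth_before_tls": before, "auth_after_tls": auth_mechanisms(caps)}


def classify(result: dict) -> str:
    """Say whether a mail client such as Outlook could log in on this listener, and how safely."""
    if not result["auth_after_tls"]:
        return "no AUTH offered: this listener cannot authenticate mail clients"
    if not result["tls"]:
        return "AUTH offered only in clear text: credentials would cross the wire unencrypted"
    return "AUTH offered over TLS: " + ", ".join(sorted(result["auth_after_tls"]))


if __name__ == "__main__":
    # Replace with your own public host and the DNAT'd alternate port from the thread.
    print(classify(probe("mail.example.test", 587)))
```

Run it once against port 587 of the public IP and once against the DNAT'd alternate port: a differing banner and AUTH set tells you which listener each port reaches.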