
Problem with Exchange 2016 in UTM

Hello,

I installed an Exchange 2016 server yesterday; the installation went very well.

I followed "Basic Exchange setup with SMTP Proxy":

  • Global : Simple mode 
  • Routing : Domains; Have my domain here  and Exchange Server in Host list
  • Malware : Reject malware during SMTP transaction + single scan
  • Antispam : Confirmed spam + 3 Advance features (Reject invalid HELO + Use BATV + SPF check)
  • Data Protection : Scan within attachments and notify Administrator
  • Exceptions : nothing
  • Relaying : nothing here
  • Relaying : Allowed Hosts/Networks (my Exchange internal servers network + the fixed IP of my Sophos UTM router)
  • Advanced : Use transparent mode + Allow SMTP traffic for listed hosts (Exchange CAS)

 

Now I can't see the mails (in and out); not sure what's wrong.

I have created two firewall rules (in and out) and one DNAT rule in the NAT section of Network Protection.

Something is wrong; I have checked in Exchange 2016 too, and everything is right there.



  • Just a wild guess: Does the Exchange server use SSL/TLS? In that case the UTM cannot scan the mails unless the appropriate action is configured.

  • Hey,

    Should I uncheck that in the receive connectors?

     

  • Hi, Bengt, and welcome to the UTM Community!

    "Advanced : Use transparent mode + Allow SMTP traffic for listed hosts (Exchange CAS)"

    Please do not use Transparent mode.  It's likely not causing any part of this problem, but enabling Transparent mode does allow the proxy to send emails from infected PCs.  You will also want to be sure that you are not otherwise allowing outbound SMTP - the SMTP Proxy has its own firewall rules.

    "I have created two firewall rules (in and out) and one DNAT rule in the NAT section of Network Protection."

    You shouldn't need any firewall rules for SMTP.  See #2 in Rulz to understand why you need to delete the DNAT to solve your problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob!

    I have not checked 'Use transparent mode'; the cross in "Allow SMTP traffic for listed hosts/nets" is unchecked now.

    And you write :

    "I have created two firewall rules (in and out) and one DNAT rule in the NAT section of Network Protection."

    How do I make those rules in Network Protection?

    Can you write more about how to do that in Sophos UTM?

    Today I have four rules in Network Protection > Firewall: two for Exchange, but not enabled yet; the other two are for a Linux mail server, "Axigen", and they are working in and out.

    If I make the rules you describe, I can delete the ones I have today.

     

    Kind Regards

     

    Bengt

  • Please insert pictures of the section of the 'Firewall' tab with the rules you added and of the rules on the 'NAT' tab.

    Cheers - Bob

     
  • Here is the picture of "FIREWALL":

    "NAT" rules:

    I think something is wrong; not sure what I can do to get it working.

  • Hey Bob,

    I found this link https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/49038/setup-mail-security-inbound-outbound-scanning and tried to follow it a little:

    Mail Security --> Routing
     * Domains (my olssondata.se) - added
     * Route by: Static Host List
     * Host List (Exchange 2016 Server)
     * With Callout

    Mail Security --> Relaying
     * Allow Authenticated Relaying - NOT CHECKED
     * Allowed users/groups (email security group - custom created) - NOT CHECKED
     * Allowed hosts/networks (Internal (network))
     * Scan relaying (outgoing) messages - CHECKED

    DNAT/SNAT - NETWORK SECURITY

    Inbound Mail DNAT
    Any --> Email Messaging (IMAP, POP3, SMTP + all SSL versions) --> External --> Exchange 2016 Server

    Outbound Mail SNAT 
    Exchange 2016 Server --> SMTP --> Any --> External WAN .216

     

    And in Firewall I switched off all the rules I had for my two mail servers and made those rules in NAT!!

    Is that more right to do?

     

  • First, I'll respond to the pictures.

    • Firewall rule #23 is redundant because you have selected 'Automatic Firewall rule' in NAT rules 1, 2 & 3 - I would delete that rule to reduce the clutter in your configuration.
    • See #5 in Rulz.
    • I would delete NAT rules 1, 2 & 3 and make a single rule.  The SMTP Proxy will handle "SMTP" and "SMTP SSL."
      • Create a Services Group named "Olsson Data Email" containing ONLY the "IMAP" and "POP3" services
      • DNAT : Internet -> Olsson Data Email -> External (Address) : to Mailserver olssondata.se 2 : Auto Firewall rule
    • The DNATs for "SMTP" and "SMTP SSL" are what cause traffic to bypass the SMTP Proxy.  As I said in a post above, please see #2 in Rulz.

    In your most-recent post, I would make the following changes

    Mail Security --> Relaying
     * Allow Authenticated Relaying - NOT CHECKED
     * Allowed users/groups (email security group - custom created) - NOT CHECKED
     * Allowed hosts/networks (Mailserver olssondata.se 2)
     * Scan relaying (outgoing) messages - CHECKED

    Delete the DNAT as I explained previously.  Delete the SNAT because your 'Internal (Network) -> External' Masquerading rule makes it redundant.  You only need an SNAT if you want your SMTP traffic to leave with an IP other than that of "External (Address)."

    I have no doubt that you are smart and creative enough to get your UTM doing what you need, but you are learning as you go, so I would humbly suggest that, when you've gotten it configured, you spend time cleaning up the configuration while you still remember what's needed and what isn't.

    Cheers - Bob

     
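A check that goes with Bob's point above (DNATs for SMTP/SMTP SSL let mail bypass the proxy) and with the earlier TLS remark: connect to port 25, read the greeting, and see which MTA actually answered and whether it advertises STARTTLS. This is an added example, not code from the thread or from Sophos. It assumes the UTM SMTP proxy (which is Exim-based) greets with a banner containing "Exim" and that Exchange greets with "Microsoft ESMTP MAIL Service"; the host names, banners and EHLO reply in the samples are constructed, so adjust the two marker strings to what your own servers send.

```python
"""Added example (not from the thread): tell whether an SMTP endpoint is
answered by the UTM SMTP proxy or directly by Exchange.

Assumptions (adjust to your servers): the UTM proxy, being Exim-based,
greets with a banner containing "Exim"; Exchange greets with
"Microsoft ESMTP MAIL Service". All sample data below is constructed.
"""
import socket


def classify_banner(banner: str) -> str:
    """Classify a 220 greeting as 'proxy', 'exchange' or 'unknown'."""
    line = banner.strip()
    if not line.startswith("220"):
        return "unknown"
    low = line.lower()
    if "exim" in low:             # assumption: UTM SMTP proxy (Exim) greeting
        return "proxy"
    if "microsoft esmtp" in low:  # Exchange receive connector greeting
        return "exchange"
    return "unknown"


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords advertised in a multi-line EHLO reply.

    The first 250 line is the server's own greeting and is skipped; every
    following '250-' or '250 ' line contributes its first token.
    """
    exts = set()
    first = True
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        if first:
            first = False
            continue
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def _read_reply(rfile) -> str:
    """Read one SMTP reply; the final line has a space after the 3-digit code."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            break
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            break
    return "".join(lines)


def probe(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect, read the banner, send EHLO and report what answered.

    Needs network access: run it from the Internet against your external
    address (expect 'proxy') and from the LAN against the Exchange host
    (expect 'exchange'). 'exchange' on the external address means a DNAT
    is still sending port 25 past the proxy.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace")
        banner = _read_reply(rfile)
        sock.sendall(b"EHLO probe.example\r\n")
        ehlo = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
    exts = parse_ehlo(ehlo)
    return {
        "answered_by": classify_banner(banner),
        "starttls": "STARTTLS" in exts,
        "banner": banner.strip(),
    }


# Constructed sample replies (not captured from any real server).
SAMPLE_PROXY_BANNER = "220 mail.example.com ESMTP Exim 4.89 Mon, 01 May 2017 10:00:00 +0200\r\n"
SAMPLE_EXCHANGE_BANNER = ("220 EX01.corp.example Microsoft ESMTP MAIL Service ready at "
                          "Mon, 1 May 2017 10:00:00 +0200\r\n")
SAMPLE_EHLO = (
    "250-EX01.corp.example Hello [203.0.113.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe(sys.argv[1], port))
    else:
        print(classify_banner(SAMPLE_PROXY_BANNER), classify_banner(SAMPLE_EXCHANGE_BANNER))
        print(sorted(parse_ehlo(SAMPLE_EHLO)))
```

Run it as `python probe.py <your external IP>` from outside; if the answer is `exchange`, the SMTP DNAT is still in place and the proxy's malware and spam scanning never see inbound mail. The `starttls` flag only tells you the server offers TLS; whether the UTM can scan TLS-protected sessions depends on how the proxy's TLS settings and the Exchange receive connector are configured, as the first reply in the thread notes.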
  • Hello, I have decided to install Sophos XP and do it right from the beginning, reading some Sophos Knowledge Base articles to get Exchange 2016 working out and in.

    Will mark this as solved here.
