
How to allow SMTP Submission (587) to bypass SMTP proxy?

We are running an Exchange 2013 server behind a UTM with Mail Protection (SMTP Proxy). The Exchange server is using the UTM as smart host for sending outgoing email as well. Most of the users are using Outlook from the outside (protected by WAF). On the Exchange server some rules are configured, e.g. to add a company signature to every outgoing email.

Everything is working fine so far.

But we have some users connecting by IMAP (993) / SMTP (587) - e.g. with Thunderbird. If these users send emails to an external recipient, the email is relayed to the final mail server by the UTM immediately - without travelling through the Exchange server. But this skips the rule processing!

My idea was to DNAT the SMTP submission traffic on port 587 directly to the Exchange server and leave the "normal" SMTP MTA traffic to be handled by the Mail Protection proxy.

Unfortunately this does not work. If I enable the DNAT rule, no SMTP submission from the outside is possible.

Any idea?

  • I have authenticated relay allowed. Otherwise it's the same. And the basic operation is working fine.

    The problem starts with external SMTP client submissions not going through the Exchange server. 

  • You confirm then that you aren't running SMTP in transparent mode?  I do not recommend allowing clients to relay directly off the SMTP Proxy - no authenticated relay when you have Exchange that you can auth to.

    There are several ways to enable external clients to reach the Exchange server:

    • Using an Additional Address, call it "Exchange"

    DNAT : Internet -> SMTP -> External [Exchange] (Address) : to {Exchange Server}

    • Configuring an alternate port for SMTP in the external clients, call it "SMTP Alt"

    DNAT : Internet -> SMTP Alt -> External (Address) : SMTP to {Exchange Server}

    • Using a method other than SMTP to connect and DNAT'ing that service to Exchange or, my preference, using Webserver Protection and HTTPS.

    Cheers - Bob

    2016-11-15 18:34 UTC: corrected "SMTP" to "SMTP Alt" in second DNAT.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok - I will give it a try. Do you propose to DNAT just 587 or 587 & 25? I don't want to DNAT port 25, to avoid spam reaching the Exchange server directly. And why is it not possible to DNAT 587 without a different port or IP?
  • "And why it's not possible to DNAT 587 without a different port or IP?" - You can DNAT 587 directly or any other port that you're not using otherwise as long as the client and Exchange can both use that port.

    You definitely don't want to DNAT 25 - see #2 in Rulz.

    Cheers - Bob

     
  • Ok - it's working now. Thanks for your suggestions.

    DNAT 587 is working fine. The problem was related to a misconfiguration of the Exchange server which prevented a direct 587 connection but worked fine behind the UTM.

     

    Cheers,

    Rudi
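
A small probe, added here as an example and not part of the thread or of any Sophos or Microsoft tooling, that helps verify the situation Bob's DNAT suggestion and Rudi's final post describe: whether port 587 on the public address actually terminates on an Exchange submission listener (STARTTLS offered, AUTH offered after TLS) rather than on a relay that accepts mail without the server's transport rules. The host names, the IP in the sample greeting and both sample EHLO replies are constructed placeholders; the proxy sample only illustrates a listener that offers no AUTH and does not claim to reproduce the UTM's real banner.

```python
"""Check whether a DNAT'ed submission port lands on an authenticating listener.

Added example, not from the forum thread. Usage:
    python probe_submission.py mail.example.invalid [587]
The offline parts (parse_ehlo / classify) work on constructed sample data.
"""
import smtplib
import ssl
import sys

SUBMISSION_PORT = 587

# Constructed EHLO reply of an authenticating submission listener (as seen
# after STARTTLS). Host name and client address are placeholders.
SAMPLE_EHLO_SUBMISSION = b"""mail.example.invalid Hello [203.0.113.5]
SIZE 37748736
PIPELINING
DSN
ENHANCEDSTATUSCODES
STARTTLS
AUTH LOGIN PLAIN
8BITMIME
CHUNKING"""

# Constructed EHLO reply of a relay that offers no authentication at all.
SAMPLE_EHLO_RELAY = b"""relay.example.invalid
SIZE 52428800
8BITMIME
PIPELINING
STARTTLS"""


def parse_ehlo(msg: bytes) -> dict:
    """Turn smtplib's multi-line EHLO reply into {KEYWORD: parameters}."""
    lines = msg.decode("ascii", "replace").splitlines()
    caps = {}
    for line in lines[1:]:  # the first line is the greeting, not a capability
        parts = line.strip().split(None, 1)
        if parts:
            caps[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return caps


def classify(caps: dict) -> dict:
    """Summarise what a Thunderbird-style client needs from this port."""
    auth = caps.get("AUTH", "")
    return {
        "starttls": "STARTTLS" in caps,
        "auth_offered": "AUTH" in caps,
        "auth_mechanisms": auth.split(),
        # For the scenario in the thread the endpoint must offer both
        # STARTTLS and authentication; a plain relay offers no AUTH.
        "looks_like_submission": "STARTTLS" in caps and "AUTH" in caps,
    }


def probe(host: str, port: int = SUBMISSION_PORT, timeout: float = 10.0) -> dict:
    """Live check against a real host; returns the banner plus capabilities."""
    s = smtplib.SMTP(timeout=timeout)
    try:
        _code, banner = s.connect(host, port)
        _code, msg = s.ehlo("probe.example.invalid")
        caps = parse_ehlo(msg)
        if "STARTTLS" in caps:
            # Certificate validation on purpose: a probe that silently accepts
            # any certificate cannot tell you which listener answered.
            s.starttls(context=ssl.create_default_context())
            # Some servers advertise AUTH only on the encrypted channel,
            # so repeat EHLO after STARTTLS before judging the capabilities.
            _code, msg = s.ehlo("probe.example.invalid")
            caps = parse_ehlo(msg)
        result = {"banner": banner.decode("ascii", "replace"), **classify(caps)}
    finally:
        try:
            s.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return result


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else SUBMISSION_PORT
    for key, value in probe(target, target_port).items():
        print(f"{key}: {value}")
```

Run it from outside the network against the public address on 587: the banner tells you which host answered, and `looks_like_submission` should be true once the DNAT reaches Exchange. Running the same probe against port 25 is a quick way to confirm that the MTA port is still being handled by the proxy and was not caught by an over-broad DNAT.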