Outgoing mail (SMTP) blocked by UTM

Hi all,


I just restarted using Sophos UTM again. Version 9.408-4

Since then some applications will not run. Where secure services are used, with the exception of HTTPS, they run ok. I guess that will be because that traffic is handled by Web Protection.

Sticking with one of these applications, being Outlook 2016 (Office 365, locally installed).

It doesn't matter whether I use the secure or unsecure port of POP3 or SMTP.

Incoming traffic works fine, outgoing > no way.

Receiving the following message in live log SMTP proxy:

2016:11:30-21:23:07 sophos-utm exim-out[12998]: 2016-11-30 21:23:07 1cBnUa-0001im-GB mail.x.nl [194.60.207.168]:25 Connection timed out
2016:11:30-21:23:07 sophos-utm exim-out[12997]: 2016-11-30 21:23:07 1cBnUa-0001im-GB == info@x.nl R=dnslookup T=remote_smtp defer (110): Connection timed out

I have two mailboxes. I only see these logs from one mailbox.

From Support/Tools, Ping to the DNS server is OK and DNS lookup is also OK.

Live Log IPS:
2016:11:30-20:08:34 sophos-utm snort[5115]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="MYPC" dstip="DNS-server" proto="17" srcport="51833" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
 
I don't think IPS is the problem. Nevertheless I've made an exception for IPS checking on service 25 just to see what happens. No solution.

Does anyone have ideas to solve this?

Thanx Jaap


  • Hi Jaap,

    Just disable the SMTP Proxy as it is not meant to work in this way.  You just need a firewall rule like:

    Internal (Network) -> Email Messaging -> Internet : Allow

    Are things working now?  If not, try #1 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I've disabled not only the SMTP proxy; by now the only things running are the Firewall with an any>any-any rule, webfiltering, antivirus for HTTP/S and antispyware.

    And still I'm not able to send or even receive mail now.

    What is weird is that with Wireshark on my PC, traffic towards the external mail servers was not trapped, nor were the TCP ports configured/used by Outlook.

    As soon as I reverted back to my old Cisco ASA 5505, everything worked fine again. Wireshark showed servers and tcp-ports.

    I know it's a totally different device, but nevertheless.

     

    I've got Bitdefender Total Security 2016 running. Could that be something?

    Thanx Jaap


  • Did you configure a masquerading rule?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • "What is weird that with Wireshark on my PC traffic towards the external mail servers was not trapped, nor were the tcp-ports configured/used by Outlook."

    You're saying that the traffic doesn't even reach the UTM's LAN interface?  If you put the same IP on that interface as on the corresponding one on the ASA, then, after you reconnect the UTM, you will want to reboot any switches in your LAN to force them to clear their ARP tables.

    Was that all it was?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    It would have been great. But no.

    Of course there is some delay in Internet access for a few minutes if you don't flush ARP.

    Here's what I did:

    After switching from ASA to UTM:
    - On the PC: arp -d IP of ASA
    - Flushed the ARP table on the switch. Also did a reboot.
    - Checked via arp -a: IP address and MAC address. On UTM > Interfaces > Hardware: yes, the MAC on the IP is the UTM's.
    - Bitdefender: all modules turned off.
    - Wireshark: DNS query for the mail servers is performed and answered by/through the UTM to the PC with the correct IP address. Checked with nslookup.

    Test on the Outlook PC via myname@outlook.com is successful. Mail arrives in the inbox at the provider (webmail).
    Using other accounts: result stuck.

    Errors in Outlook:
    0x80042108
    0x80042109

    Live log SMTP proxy (OFF): x@x.x.x R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
    Still only a few options of the UTM active. No mail stuff or anti-spam.

    Ended Outlook.

    Connected ASA.

    Bitdefender ON, all options.

    DNS on PC. After Internet was available.

    Started Outlook. All messages in Outlook and waiting there outside - sent and received.

    Thanx Jaap

  • It's difficult to tell where your configuration error is.

    I'm still not clear on whether the traffic from your PC was reaching the LAN interface of the UTM.  Rather than Wireshark on the PC, try tcpdump on the UTM.  Assuming your PC is at 172.16.1.101 and your LAN is on eth0:

    tcpdump -n -i eth0 src 172.16.1.101

    Do you see traffic going to the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Here is the result of tcpdump on the UTM:

    19:55:29.760500 IP 'MyIP'.60096 > 'UtmIP'.53: 20+ A? smtp.ziggo.nl. (31)
    19:55:29.761049 IP 'MyIP'.58747 > 'UtmIP'.22: Flags [.], ack 8545, win 2085, length 0
    19:55:29.783202 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
    19:55:32.784551 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, options [mss 1260,nop,wscale 8,nop,nop,sackOK], length 0
    19:55:37.584707 ARP, Request who-has 'UtmIP' (90:e6:ba:51:10:82) tell 'MyIP', length 46

    Greetz Jaap
  • Hi,

    I have no NAT rules in place.

    Greetz Jaap
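As an added illustration (not code from the thread or from Sophos), the tcpdump output posted above and the open NAT question can be checked mechanically: a client SYN to the mail server's submission port that is retransmitted with the same sequence number while no SYN-ACK ever comes back means the UTM did see the packet but nothing answered, which is what a missing masquerading rule or an unreachable upstream looks like from the LAN interface. The sample captures are constructed from the posted lines ('MyIP' and 'UtmIP' are the poster's placeholders); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed from the tcpdump lines in the thread: two SYNs, no reply, then ARP noise.
STUCK_CAPTURE = """\
19:55:29.760500 IP 'MyIP'.60096 > 'UtmIP'.53: 20+ A? smtp.ziggo.nl. (31)
19:55:29.761049 IP 'MyIP'.58747 > 'UtmIP'.22: Flags [.], ack 8545, win 2085, length 0
19:55:29.783202 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, length 0
19:55:32.784551 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, length 0
19:55:37.584707 ARP, Request who-has 'UtmIP' (90:e6:ba:51:10:82) tell 'MyIP', length 46
"""

# Constructed healthy variant: the server's SYN-ACK comes back and the handshake completes.
HEALTHY_CAPTURE = """\
19:55:29.783202 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [S], seq 3875461336, win 8192, length 0
19:55:29.800000 IP 212.54.42.9.587 > 'MyIP'.58894: Flags [S.], seq 1, ack 3875461337, win 29200, length 0
19:55:29.800500 IP 'MyIP'.58894 > 212.54.42.9.587: Flags [.], ack 1, win 8192, length 0
"""

# Matches the TCP lines of tcpdump -n output; DNS and ARP lines do not match and are skipped.
TCP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcp(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line in the capture text."""
    for line in capture.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def unanswered_syns(capture, min_syns=2):
    """Client flows that sent at least min_syns SYNs and never saw a SYN-ACK ([S.]).
    min_syns=2 avoids flagging a capture that simply ended right after the first SYN."""
    syn_count = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_tcp(capture):
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            answered.add((dst, dport, src, sport))  # reply travels in the reverse direction
    return sorted(f for f, n in syn_count.items() if n >= min_syns and f not in answered)

def diagnose(capture):
    """One-line verdict on whether the LAN client's outbound connections get any reply."""
    stuck = unanswered_syns(capture)
    if not stuck:
        return "ok: every repeated SYN got a SYN-ACK"
    return "no reply for " + ", ".join(f"{d}:{dp} from {s}:{sp}" for s, sp, d, dp in stuck)
```

Run the same check on `tcpdump -n -i eth0 host <mail server>` from the UTM: if the SYNs are there but the external interface never shows a SYN-ACK, look at egress (masquerading) before anything on the PC.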
