
Outgoing mail (SMTP) blocked by UTM

Hi all,

 

I just restarted using Sophos UTM again. Version 9.408-4

Since then some applications will not run. Where secure services are used with the exception of HTTPS they run ok. I guess that will be because then traffic is handled by Webprotection.

Sticking with one of these applications being Outlook 2016 Office 365 locally installed.

It doesn't matter using the unsecure or unsecure port of pop3 or smtp.

Incoming traffic works fine, outgoing > no way.

Receiving the following message in live log SMTP proxy:

2016:11:30-21:23:07 sophos-utm exim-out[12998]: 2016-11-30 21:23:07 1cBnUa-0001im-GB mail.x.nl [194.60.207.168]:25 Connection timed out
2016:11:30-21:23:07 sophos-utm exim-out[12997]: 2016-11-30 21:23:07 1cBnUa-0001im-GB == info@x.nl R=dnslookup T=remote_smtp defer (110): Connection timed out
 
I have two mailboxes. I only see these logs from one mailbox.
 
From Support/Tools Ping to the DNS server is OK and DNSlookup is also OK.
 
Live Log IPS:
2016:11:30-20:08:34 sophos-utm snort[5115]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .tk dns query" group="241" srcip="MYPC" dstip="DNS-server" proto="17" srcport="51833" dstport="53" sid="39867" class="Misc activity" priority="3" generator="1" msgid="0"
 
I don't think IPS is the problem. Nevertheless I've made an exception for IPS checking on service 25 just to see what happens. No solution.
 
Does anyone have ideas to solve this?
 
Thanx Jaap
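
Added example, not part of the original post: a small parser for the SMTP proxy live log lines quoted above that joins each per-host error to its `==` (deferred) line by Exim queue ID and groups the timeouts by destination port. The first two sample lines are the ones from the post; the last two (queue ID, mail.example.net, 192.0.2.10) are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2 are quoted from the post; lines 3-4 are constructed placeholders.
SAMPLE_LOG = """\
2016:11:30-21:23:07 sophos-utm exim-out[12998]: 2016-11-30 21:23:07 1cBnUa-0001im-GB mail.x.nl [194.60.207.168]:25 Connection timed out
2016:11:30-21:23:07 sophos-utm exim-out[12997]: 2016-11-30 21:23:07 1cBnUa-0001im-GB == info@x.nl R=dnslookup T=remote_smtp defer (110): Connection timed out
2016:11:30-21:25:40 sophos-utm exim-out[13050]: 2016-11-30 21:25:40 1cBnXc-0001jq-2K mail.example.net [192.0.2.10]:25 Connection timed out
2016:11:30-21:25:40 sophos-utm exim-out[13049]: 2016-11-30 21:25:40 1cBnXc-0001jq-2K == user@example.net R=dnslookup T=remote_smtp defer (110): Connection timed out
"""

PREFIX = re.compile(r"^\S+ \S+ exim-out\[\d+\]: \S+ \S+ (?P<qid>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
HOST_ERR = re.compile(r"^(?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+) (?P<error>.+)$")
DEFER = re.compile(r"^== (?P<rcpt>\S+) R=\S+ T=\S+ defer \((?P<errno>-?\d+)\): (?P<error>.+)$")

def parse_deferrals(text):
    """Join per-host errors and '==' defer lines on the Exim queue ID."""
    msgs = defaultdict(lambda: {"endpoints": [], "rcpt": None, "errno": None})
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not an exim-out line
        qid, rest = m["qid"], m["rest"]
        if (h := HOST_ERR.match(rest)):
            msgs[qid]["endpoints"].append((h["host"], h["ip"], int(h["port"]), h["error"]))
        elif (d := DEFER.match(rest)):
            msgs[qid].update(rcpt=d["rcpt"], errno=int(d["errno"]))
    return dict(msgs)

def timeouts_by_port(msgs):
    """Remote IPs that timed out (errno 110, ETIMEDOUT on Linux), per destination port."""
    by_port = defaultdict(set)
    for info in msgs.values():
        if info["errno"] == 110:
            for _host, ip, port, _err in info["endpoints"]:
                by_port[port].add(ip)
    return {port: sorted(ips) for port, ips in by_port.items()}

if __name__ == "__main__":
    parsed = parse_deferrals(SAMPLE_LOG)
    for qid, info in parsed.items():
        print(qid, info["rcpt"], info["errno"], info["endpoints"])
    print(timeouts_by_port(parsed))
```

When every deferral is a timeout on the same port toward unrelated remote hosts, the network path for that port is the thing to check first, rather than any single mail server.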


  • Hi all,

    Finally performed a tcpdump on the outside interface of the UTM.

    See traffic over used ports for email: 110, 587 (provider specific), 993, 25 exiting the outside NIC.

    Logging firewall: traffic allowed. DNS also, no problem.

    Not seeing traffic in Wireshark is a problem within Wireshark itself. Has to do with more available (virtual) NICs. Stop these and Wireshark will work properly.

    My conclusion is that something happens with the packets because my provider, Ziggo, blocks them.

    Greetz Jaap

  • Hi Jaap,

    Ziggo does indeed block outgoing mail other than going to their own mailserver (smtp.ziggo.nl). Outgoing mail to smtp.ziggo.nl should normally work. Also incoming mail (pop3, imap) should work. I use Ziggo myself at my home (consumer Ziggo connection).

    If you really need outgoing port 25 (so your UTM sends out mails not using smtp.ziggo.nl as a smart host), then you need to upgrade to a business Ziggo account.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello Mr. Pijnappels,

    Thanx for your reply.

    I partially agree on using port 25 for outgoing mail (smtp). It does work with smtp.ziggo.nl. Not with smtp.casema.nl; there it is apparently blocked.

    To avoid discussions with Ziggo my outgoing port is now 587.

     

    But the problem remains the same:

    With the same e-mail properties: username/password, in- and outgoing mailservers and ports

    mail works with pc locally connected to a Cisco ASA 5505 Firewall, modem - Internet

    mail doesn't work with pc locally connected to a Sophos UTM, modem - Internet

    and this is incoming and outgoing mail

    On the outside interface I can see traffic pushed to the modem etc.

    Pffff

    Change it back to the Cisco ASA. Everything works fine again.

     

    Greetz Jaap

  • Jaap, does setting smtp.ziggo.nl as a smart host work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi mister Pijnappels,

    I should have given your question more thought.

    After configuring source-NAT (SNAT) with every internal network's IP address translated to the external (public) IP address of the UTM ..

    it works!

    Thanx Jaap

  • Had similar problem.  Outlook incoming through UTM was fine, but outgoing was blocked.  
    Found that default service definitions for SMTP in UTM used ports 25 and 465, but my 
    Outlook account required port 587 for outgoing (SMTP)

    Resolved this by creating a new Firewall rule.  A new Service Definition was created in
    the process, as follows:

    1. WebAdmin > Network Protection > Firewall > New Rule
      1. Sources:  Internal (Network)
      2. Services:  click green + to add new Service Definition
        1. Add Service Definition
        2. Name: SMTP_Port 587
        3. Type of Definition:  TCP
        4. Destination Port:  587
        5. Source Port:  1:65535
        6. Save
      3. Destinations:  Internet IPv4
      4. Save

    Then enable this new firewall rule.

    Hope this helps.