
UTM 9 Email Protection - Not all mails scanned

Hi,

We have Sophos UTM 9.4 FullGuard. I'm having an issue with the email protection: while the majority of mails are being filtered, it seems some are not.

We have an on-premise Exchange server and a simple SMTP proxy set up. I was testing the receive connectors on our Exchange to only receive mails from the firewall IP, but while some mails got through, others did not. There was no sign of them in the UTM logs, and once I opened up the receive connectors on Exchange again they were delivered.

There was still no sign of the mails that were delayed in the UTM logs.

Any help greatly appreciated.

Best regards,

Brian



  • Does your network diagram look like this?

    Please provide a generic diagram of how your Exchange server is connected. Also, if you have multiple MX records, do they all point to the UTM?

  • Hi,

    Thanks for the quick response.

    I couldn't see your network diagram, but the mail flow is like this:

    Cloud Anti-Spam Filter -->>> UTM -->>> Hyper-V Server (Exchange 2013 on-premise VM) -->> Clients (Outlook)

    The UTM is configured to receive all the emails from the anti-spam filter and then re-route them to our Exchange.

    I'm not too concerned about our outbound; they have to pass through the UTM, but they aren't being proxied through there at the moment.

    The only send connectors on Exchange route through the smart host (anti-spam cloud service).

    Regards,

    Brian

  • Yeah, my diagram was similar to yours. I edited my post and deleted the whole thing by mistake.

    So your MX points to the cloud anti-spam filter, and then you are using the SMTP > Relaying tab to get all your mails from the cloud server? Or do you still use the SMTP > Routing tab?

    Sorry, just trying to get my head wrapped around your configuration, because your logs shouldn't disappear at all.

  • Hi,

    The Routing tab is still populated with the Exchange etc., and Relaying is populated with the upstream email filter.

    All our mails are routed through the cloud filter first, or at least should be. Is there a need for the Routing tab to be populated too, or just the relays?

    I think the problem was there were NAT rules for SMTP with some of the upstream filter's IPs to route to our Exchange.

    Am I right in saying the NAT takes precedence and this would result in the mails not going through the scanning process?

    For the outgoing mails, our Exchange send connectors go straight to the upstream filter. If I want these to be scanned by Sophos, should I define the firewall as a send connector on Exchange and then use the smarthost configuration in the Email Protection > SMTP > Advanced tab?

    Thanks again!

    Brian

  • Glad you are getting a handle on the situation. Yes, the NAT/DNAT rules can be confusing when you are running SMTP/HTTP proxies and would indeed take precedence over built-in daemons. In your case, those missing mails would show up in the firewall logs.  published this document a few years ago that will answer all your questions about the way UTM routes your traffic and the pitfalls to look out for: https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    Every time I have published an Exchange server, I always use UTM for inbound and outbound mails. Troubleshooting is much easier because you can go straight to UTM and look at ALL the logs. The way you have it configured, you have 3 points you will have to troubleshoot: cloud, UTM, and your Exchange server. UTM has pretty nice spam filtering built in, so your cloud anti-spam solution is not necessary, but I am sure you know your network better than what I am envisioning from outside.

    Good luck.
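A quick way to confirm from the Exchange side that some mail is reaching the server without going through the UTM proxy is to look at where the SMTP sessions actually come from. The script below is an added example, not code from the thread or from Sophos: it reads Exchange 2013 receive-connector protocol log lines and flags every session whose source address is not the UTM. It assumes the protocol-log CSV layout (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context), an assumed UTM internal address of 10.0.0.1, and constructed sample log lines; the host names, session IDs and the cloud-filter address are made up.

```python
"""Find SMTP sessions that reached Exchange without passing through the UTM proxy.

Added example (not from the thread). Assumes the Exchange 2013 receive-connector
protocol log layout: date-time,connector-id,session-id,sequence-number,
local-endpoint,remote-endpoint,event,data,context. IPv4 endpoints only.
"""
import csv
import io
import ipaddress

# Assumed: the UTM's internal interface, the only address that should ever
# open an SMTP session to Exchange once all inbound mail goes via the proxy.
TRUSTED_SMTP_SOURCES = {"10.0.0.1"}

# Constructed sample log: one session proxied by the UTM (10.0.0.1) and one that
# arrived straight from a made-up cloud-filter address via a DNAT rule.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2017-05-02T09:14:03.120Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F6,0,10.0.0.20:25,10.0.0.1:50213,+,,
2017-05-02T09:14:03.131Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F6,1,10.0.0.20:25,10.0.0.1:50213,<,EHLO utm.example.internal,
2017-05-02T09:14:03.144Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F6,2,10.0.0.20:25,10.0.0.1:50213,<,MAIL FROM:<sender@example.net>,
2017-05-02T09:14:05.301Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F7,0,10.0.0.20:25,203.0.113.7:41920,+,,
2017-05-02T09:14:05.322Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F7,1,10.0.0.20:25,203.0.113.7:41920,<,EHLO filter-out3.cloudspam.example,
2017-05-02T09:14:05.340Z,EXCH01\\Default Frontend EXCH01,08D4A1B2C3D4E5F7,2,10.0.0.20:25,203.0.113.7:41920,<,MAIL FROM:<newsletter@example.org>,
"""


def parse_sessions(log_text):
    """Group protocol-log rows by session; keep source IP, EHLO name and MAIL FROM values."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text)):
        # Skip blank lines and the '#Software:' / '#Fields:' header lines.
        if not row or row[0].startswith("#") or len(row) < 9:
            continue
        _ts, connector, session_id, _seq, _local, remote, event, data, _ctx = row[:9]
        sess = sessions.setdefault(session_id, {
            "connector": connector,
            "source": remote.rsplit(":", 1)[0],  # strip the client port (IPv4 assumed)
            "ehlo": None,
            "mail_from": [],
        })
        if event == "<":  # '<' marks a command received from the client
            upper = data.upper()
            if upper.startswith(("EHLO", "HELO")):
                sess["ehlo"] = data.split(None, 1)[1] if " " in data else ""
            elif upper.startswith("MAIL FROM:"):
                sess["mail_from"].append(data[len("MAIL FROM:"):].strip())
    return sessions


def find_bypass_sessions(sessions, trusted=TRUSTED_SMTP_SOURCES):
    """Return the sessions whose source is outside the trusted set (mail that skipped the proxy)."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]  # bare hosts become /32
    flagged = {}
    for sid, sess in sessions.items():
        src = ipaddress.ip_address(sess["source"])
        if not any(src in net for net in trusted_nets):
            flagged[sid] = sess
    return flagged


def bypass_report(log_text, trusted=TRUSTED_SMTP_SOURCES):
    """One human-readable line per session that did not come from the UTM."""
    flagged = find_bypass_sessions(parse_sessions(log_text), trusted)
    return [
        f"{sid}: from {s['source']} (EHLO {s['ehlo']}) senders={s['mail_from']} on {s['connector']}"
        for sid, s in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in bypass_report(SAMPLE_LOG):
        print(line)
```

Run it against a real protocol log from the front-end receive connector and every flagged session is a connection the UTM never proxied. A DNAT rule only rewrites the destination address, so mail that matched it arrives at Exchange with the cloud filter's own source IP rather than the UTM's internal address, which is exactly why restricting the receive connector to the firewall IP let the proxied mail through and held back the rest.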


  • Hi,

    Yeah, I think the cloud might be overkill, but it's a fairly cheap service per year and the bosses like the sound of extra layers of protection.

    Even if it's not actually making it more secure in reality.

    Thanks for all your help with this.

    Best Regards,

    Brian