
Confused

I am trying to allow the CEO to access his personal email from outside the network. It is being blocked at the Sophos UTM.

He has an IMAP service with a hosted provider.

We have simple SMTP enabled and being forwarded to our Exchange server, which works great. We have mail spam and quarantine which works perfectly.

I have added the domain to the upstream host.

I have added an SNAT entry that enables the CEO's PC (in reality all the PCs) to send and receive to this domain.

I am not sure what I have set up wrong. I just need 3 PCs to be able to access this domain on port 143 and 587. What do I have configured wrong?

Pulling my hair out here.

  • Hi, your post is slightly confusing.

    From what I'm reading, you have:

    1. Internal - an Exchange server. I'd imagine that all internal clients connect to and use this?

    2. Your Exchange server forwards to the UTM for outgoing mail, and the UTM receives mail and forwards to Exchange for email protection etc.

    3. Your CEO has another email account (in addition to the Exchange account) that uses IMAP/SMTP to access email, e.g. Gmail or something similar.

    4. You are trying to allow this account through the UTM?

  • If Louis-M is correct in his assumptions, I don't think you need the SNAT rules - a simple firewall rule allowing access from your CEO's PC to the required mailserver using the "Email Messaging" protocol definition should suffice.

  • 1) You don't have to put the CEO's personal email in Upstream hosts/networks.

    2) Since the Email Protection is in transparent mode: UTM is the property of Email Protection and you can't do anything with Firewall or SNAT rules.
    You have to exclude the CEO IP under: Advanced > Skip Transparent Mode Hosts/Nets. Then you can play with Firewall Rules.

  • Shaun Raven said:

    If Louis-M is correct in his assumptions, I don't think you need the SNAT rules - a simple firewall rule allowing access from your CEO's PC to the required mailserver using the "Email Messaging" protocol definition should suffice.

    Shaun's advice looks correct to me:

    • Get rid of the SNAT rules (I bet they are the culprit of things not working now).
    • Your firewall rule 9 is useless since in rule 8 you simply allow any (rule 9 will never be triggered this way), however I would disable rule 8 (with any) and use rule 9 instead. Make sure all required protocols are in the rule (IMAP, SMTP, 

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
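The shadowing point made above (rule 8 allows any, so rule 9 can never be the first match) as an added worked example; this is not code from the thread, from Sophos or from the UTM. It is a small first-match firewall model in Python: `evaluate` returns the first rule a flow hits, and `shadowed` reports rules that are completely covered by an earlier rule. Rule numbers 8 and 9 come from the post; the CEO PC range, the mail host address and the TLS ports are constructed placeholders, not values from the poster's configuration.

```python
"""Added example (not from the thread): first-match rule evaluation and
shadow detection for a two-rule set modelled on the post's rule 8 / rule 9.

All addresses and ports below are constructed for illustration."""

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    number: int
    source: str          # CIDR or "any"
    destination: str     # CIDR or "any"
    ports: frozenset     # TCP destination ports; empty frozenset means any port
    action: str          # "allow" or "drop"
    enabled: bool = True

    def matches(self, src, dst, port):
        """True if this (enabled) rule matches the flow src -> dst:port."""
        if not self.enabled:
            return False
        if self.source != ANY and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination != ANY and ip_address(dst) not in ip_network(self.destination):
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def evaluate(rules, src, dst, port):
    """Return (action, rule_number) of the first matching rule, in rule order.
    No match falls through to the implicit default deny: ("drop", None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst, port):
            return rule.action, rule.number
    return "drop", None


def covers(broad, narrow):
    """True if every flow matched by `narrow` is also matched by `broad`."""
    def net_covers(b, n):
        if b == ANY:
            return True
        if n == ANY:
            return False
        return ip_network(n).subnet_of(ip_network(b))

    ports_ok = (not broad.ports) or (bool(narrow.ports) and narrow.ports <= broad.ports)
    return (net_covers(broad.source, narrow.source)
            and net_covers(broad.destination, narrow.destination)
            and ports_ok)


def shadowed(rules):
    """Map each enabled rule that can never be the first match to the
    earlier enabled rule that fully covers it."""
    ordered = sorted((r for r in rules if r.enabled), key=lambda r: r.number)
    result = {}
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                result[later.number] = earlier.number
                break
    return result


def disable_rule(rules, number):
    """Return a copy of the rule set with one rule switched off."""
    return [replace(r, enabled=False) if r.number == number else r for r in rules]


# Constructed sample values (placeholders, not the poster's real addresses).
CEO_PCS = "192.0.2.0/29"         # the three PCs that need access
MAIL_HOST = "198.51.100.25/32"   # the hosted IMAP/SMTP server
MAIL_PORTS = frozenset({993, 587})  # IMAPS and submission, as recommended later in the thread

RULES_AS_POSTED = [
    Rule(8, ANY, ANY, frozenset(), "allow"),            # the blanket "any" rule
    Rule(9, CEO_PCS, MAIL_HOST, MAIL_PORTS, "allow"),   # the intended specific rule
]

if __name__ == "__main__":
    print("shadowed as posted:", shadowed(RULES_AS_POSTED))           # {9: 8}
    fixed = disable_rule(RULES_AS_POSTED, 8)
    print("shadowed after fix:", shadowed(fixed))                     # {}
    print("CEO -> mail:993   ", evaluate(fixed, "192.0.2.3", "198.51.100.25", 993))
    print("CEO -> mail:143   ", evaluate(fixed, "192.0.2.3", "198.51.100.25", 143))
    print("other -> mail:993 ", evaluate(fixed, "192.0.2.77", "198.51.100.25", 993))
```

With rule 8 enabled every flow, including ones from PCs that should have no mail access, is allowed by rule 8 and rule 9 is reported as shadowed. Disabling rule 8 makes rule 9 the effective rule: the CEO's PCs reach the mail host on the listed ports, anything else falls to the default deny, and a port missing from the rule (here 143) is dropped, which is why the rule has to list every protocol the client actually uses.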

  • Are you saying that he wants his personal email added to his Microsoft Outlook profile? This has nothing to do with Email Protection. Remove everything that you have added.

    When you add the account, use the option for "Internet email", then type IMAP.

    IMAP connection has two parts, IMAP is used for retrieval, SMTP is used for sending.   You need to get correct server names from the hosting service for both protocols.   You should insist on configuring with TLS security.  Secure IMAP uses port 993, and secure SMTP uses 465 or 587.

    As long as you have the correct server names and ports, and the ports are not blocked at the firewall, you should be able to connect.

    Note, however, that CEOs are the crime world's preferred victim, and UTM is unable to do any filtering of IMAP traffic.  In my experience, the spam filtering of most hosting services leaves much to be desired.  Make an assessment of what happens if he deploys ransomware from his personal email account.   Also ensure that your web filtering is optimized, as a partial defense against hostile email getting through this opening.

  • DouglasFoster said:

    As long as you have the correct server names and ports, and the ports are not blocked at the firewall, you should be able to connect.

    This works if Email Protection is in transparent mode? If not, don't mislead or take the confusion to a higher level.

  • This has nothing to do with Email Protection, which operates on port 25 to protect traffic between mail servers. Connecting Outlook to a mail server is different and uses different ports.

    If the Outlook connection was POP, then transparent POP would be an option for some protection, but IMAP is strictly a firewall issue.

  • 80% of the servers are using port 25. If you are correct, one rule "from ceo-ip to any using service any, allow" will work.

  • Hi, Russell, and welcome to the UTM Community!

    We can't help you until you respond to the comments already made.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA