MTA sophos UTM 9 ???

Hi,

Can I set up the Email Protect feature of UTM 9 as an MTA (mail transfer agent)?

I just set up a Zimbra mail server. I see the Email Protect feature on my Sophos UTM 9; can I use the Email Protect feature for my Zimbra server, and HOW?

I tried following this topic ( https://community.sophos.com/products/unified-threat-management/f/mail-protection-smtp-pop3-antispam-and-antivirus/48998/how-to-setup ) but without success.

Please help me!

Thank You.



  • Hey, Tam.

    I wouldn't call it MTA, but you can set UTM to filter incoming and outgoing mail for spam and malware. It would roughly be something like:

    Incoming: Internet SMTP -> UTM -> Zimbra - Client IMAP/POP/ZCO

    Outgoing: Client SMTP -> Zimbra -> UTM -> Internet SMTP

    So, in a nutshell, your MX record would point to your UTM's external interface. You would configure UTM to accept messages that are addressed to your domain and relay them to your Zimbra server. That way messages would be accepted and filtered by UTM and then delivered to Zimbra. From there it is pretty much business as usual, with your Zimbra server accepting and storing the filtered messages and allowing clients to connect and retrieve messages through IMAP/POP/ZCO.

    For the other way around you will need to configure Zimbra to use UTM as a smart host. That way UTM would filter outgoing messages for spam and malware as well, delivering them to the remote servers afterwards.

    The article you provided covers all the basics necessary to get things going. But the UTM is not an MTA, so it will not allow clients to connect to it for sending and receiving messages. For that you do need to find a way for:

    a) Clients inside your network to connect to the Zimbra server for sending and receiving messages

    b) Clients outside your network to connect to the Zimbra server for sending and receiving messages

    My approach is usually to have a single hostname for MX, IMAP/S, POP/S, and SMTP/S and point it to a valid external IP on which the UTM would listen. That would allow for a simpler configuration of the clients. I then use something called "Split DNS" to accomplish "a". For "b", a DNAT rule forwarding Submission, POP3S and IMAPS from the external interface to your internal Zimbra server would suffice. For example, assuming you would use something like "mail.domain.com" as the hostname:

    For external users, mail.domain.com would resolve to a routable IP address on your WAN. That would be the IP of one of the UTM's external interfaces. SMTP messages sent on port 25 would be accepted, filtered and delivered to Zimbra. For allowing clients outside your network to send and receive messages, you could create a DNAT rule forwarding packets received on this external IP on ports 587 (mail Submission over TLS), 993 (IMAPS) and 995 (POP3S) to your Zimbra server internal IP. 

    For internal users, you could create a zone on your internal DNS pointing mail.domain.com to your Zimbra server internal IP. That's split DNS: on the outside, mail.zimbra.com resolves to your external IP (UTM in this case) while on the inside it resolves to your Zimbra server. That way no matter if the users are inside or outside your network, the mail client would just work.

    Hope it helps.

    Regards,

    Giovani

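As an added design check (not from the thread, and not Sophos or Zimbra code): the layout in the answer above has a few invariants worth auditing before going live. The hostnames, IP addresses and rule format in the inventory below are constructed placeholders; the checker itself only encodes what the answer describes (MX and public A record on the UTM WAN address, split DNS to Zimbra inside, DNAT for 587/993/995 only, Zimbra relaying out via the UTM as smart host).

```python
"""Checker for the UTM-in-front-of-Zimbra mail layout described in the answer.
Inventory values below are constructed placeholders (assumptions, not from the thread).
"""
from ipaddress import ip_address

# Ports the answer says are DNATed straight to Zimbra for client access.
CLIENT_PORTS = {587: "submission", 993: "imaps", 995: "pop3s"}
SMTP_PORT = 25  # must terminate on the UTM so inbound mail gets filtered

def check_mail_edge_design(inv: dict) -> list[str]:
    """Return a list of findings; an empty list means the design matches."""
    findings = []
    utm_wan, zimbra = inv["utm_wan_ip"], inv["zimbra_internal_ip"]
    if not ip_address(zimbra).is_private:
        findings.append("zimbra_internal_ip should be an RFC 1918 address")
    # Internet view: MX -> mail hostname -> UTM WAN address.
    if inv["mx"] != inv["mail_host"]:
        findings.append(f"MX points to {inv['mx']}, expected {inv['mail_host']}")
    if inv["external_dns"].get(inv["mail_host"]) != utm_wan:
        findings.append("external DNS for mail host does not resolve to UTM WAN IP")
    # Split DNS: inside, the same name must resolve to Zimbra directly.
    if inv["internal_dns"].get(inv["mail_host"]) != zimbra:
        findings.append("internal DNS for mail host does not resolve to Zimbra")
    # DNAT rules keyed as (wan_ip, port) -> target host.
    dnat = {(r["dst_ip"], r["dst_port"]): r["target"] for r in inv["dnat_rules"]}
    for port, name in CLIENT_PORTS.items():
        if dnat.get((utm_wan, port)) != zimbra:
            findings.append(f"missing DNAT {utm_wan}:{port} ({name}) -> {zimbra}")
    if (utm_wan, SMTP_PORT) in dnat:
        findings.append("port 25 is DNATed to Zimbra, bypassing UTM mail filtering")
    # Outbound: Zimbra must relay through the UTM (smart host).
    if inv["zimbra_smart_host"] != inv["utm_internal_ip"]:
        findings.append("Zimbra smart host is not the UTM internal IP")
    return findings

# Constructed example inventory that matches the answer's layout.
GOOD = {
    "mail_host": "mail.example.com", "mx": "mail.example.com",
    "utm_wan_ip": "203.0.113.10", "utm_internal_ip": "10.0.0.1",
    "zimbra_internal_ip": "10.0.0.25", "zimbra_smart_host": "10.0.0.1",
    "external_dns": {"mail.example.com": "203.0.113.10"},
    "internal_dns": {"mail.example.com": "10.0.0.25"},
    "dnat_rules": [{"dst_ip": "203.0.113.10", "dst_port": p, "target": "10.0.0.25"}
                   for p in (587, 993, 995)],
}

if __name__ == "__main__":
    print(check_mail_edge_design(GOOD) or "design OK")
```

The "port 25 DNATed" finding is the one to watch: forwarding 25 to Zimbra makes everything else work but silently removes the UTM's spam and malware filtering from the inbound path.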