MTA sophos UTM 9 ???

Hey, Tam.

I wouldn't call it MTA, but you can set UTM to filter incoming and outgoing mail for spam and malware. It would roughly be something like:

Incoming: Internet SMTP -> UTM -> Zimbra - Client IMAP/POP/ZCO

Outgoing: Clinet SMTP -> Zimbra -> UTM -> Internet SMTP

So, in a nutshell, you MX record would point to your UTM's external interface. You would configure UTM to accept messages that are addressed to your domain and relay them to your Zimbra server. That way messages would be accepted and filtered by UTM and then delivered to Zimbra. From there is pretty much business as usual, with your Zimbra server accepting and storing the filtered messages and allowing clients to connect and retrieve messages through IMAP/POP/ZCO.

For the other way around you will need to configure Zimbra to use UTM as a smart host. That way UTM would filter outgoing messages for spam and malware as well, delivering them to the remote servers afterwards.

The article you provided cover all the basics necessary to get things going. But the UTM is not an MTA, so it will not allow clients to connect to it for sending and receiving messages. For that you do need to find a way for:

a) Clients inside you network to connect to the Zimbra server for sending and receiving messages

b) Clients outside your network to connect to the Zimbra server for sending and receiving messages

My approach is usually to have a single hostname for MX, IMAP/S, POP/S, and SMTP/S and point it to a valid external IP on which the UTM would listen on. That would allow for a simpler configuration of the clients. I then use something called "Split DNS" to accomplish "a". For "b", a DNAT rule forwarding Submission, POP3S and IMAPS from the external interface to your internal Zimbra server would suffice. For example, assuming you would use something like "mail.domain.com" as the hostname:

For external users, mail.domain.com would resolve to a routable IP address on your WAN. That would be the IP of one of the UTM's external interfaces. SMTP messages sent on port 25 would be accepted, filtered and delivered to Zimbra. For allowing clients outside your network to send and receive messages, you could create a DNAT rule forwarding packets received on this external IP on ports 587 (mail Submission over TLS), 993 (IMAPS) and 995 (POP3S) to your Zimbra server internal IP. 

For internal users, you could create a zone on your internal DNS pointing mail.domain.com to your Zimbra server internal IP. That's split DNS: on the outside, mail.zimbra.com resolves to your external IP (UTM in this case) while on the inside it resolves to your Zimbra server. That way no matter if the users are inside or outside your network, the mail client would just work.

Hope it helps.

Regards,

Giovani

Hey, Tam.

I wouldn't call it MTA, but you can set UTM to filter incoming and outgoing mail for spam and malware. It would roughly be something like:

Incoming: Internet SMTP -> UTM -> Zimbra - Client IMAP/POP/ZCO

Outgoing: Clinet SMTP -> Zimbra -> UTM -> Internet SMTP

So, in a nutshell, you MX record would point to your UTM's external interface. You would configure UTM to accept messages that are addressed to your domain and relay them to your Zimbra server. That way messages would be accepted and filtered by UTM and then delivered to Zimbra. From there is pretty much business as usual, with your Zimbra server accepting and storing the filtered messages and allowing clients to connect and retrieve messages through IMAP/POP/ZCO.

For the other way around you will need to configure Zimbra to use UTM as a smart host. That way UTM would filter outgoing messages for spam and malware as well, delivering them to the remote servers afterwards.

The article you provided cover all the basics necessary to get things going. But the UTM is not an MTA, so it will not allow clients to connect to it for sending and receiving messages. For that you do need to find a way for:

a) Clients inside you network to connect to the Zimbra server for sending and receiving messages

b) Clients outside your network to connect to the Zimbra server for sending and receiving messages

My approach is usually to have a single hostname for MX, IMAP/S, POP/S, and SMTP/S and point it to a valid external IP on which the UTM would listen on. That would allow for a simpler configuration of the clients. I then use something called "Split DNS" to accomplish "a". For "b", a DNAT rule forwarding Submission, POP3S and IMAPS from the external interface to your internal Zimbra server would suffice. For example, assuming you would use something like "mail.domain.com" as the hostname:

For external users, mail.domain.com would resolve to a routable IP address on your WAN. That would be the IP of one of the UTM's external interfaces. SMTP messages sent on port 25 would be accepted, filtered and delivered to Zimbra. For allowing clients outside your network to send and receive messages, you could create a DNAT rule forwarding packets received on this external IP on ports 587 (mail Submission over TLS), 993 (IMAPS) and 995 (POP3S) to your Zimbra server internal IP. 

For internal users, you could create a zone on your internal DNS pointing mail.domain.com to your Zimbra server internal IP. That's split DNS: on the outside, mail.zimbra.com resolves to your external IP (UTM in this case) while on the inside it resolves to your Zimbra server. That way no matter if the users are inside or outside your network, the mail client would just work.

Hope it helps.

Regards,

Giovani

Hi Giovani,

Thank you so much, i did follow your guide, and i can recive mail and sent mail for local domain.

But i can't sent mail to orther domain (outgoing mail internet) as gmail, when sent mail i receive error 

This is the mail system at host mail.mydomain.vn.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<xxxxx@gmail.com>: mail for [IP internet interface of firewall ] loops back to myself

Hope you can help me

Thank you.

Delete Zimbra in Upstream Hosts

yes this oke thank you

but now i get new error when i sent mail to gmail or orther domain

<xxxxxx@gmail.com>: host 113.161.225.241[113.161.225.241] said: 550   Relay not permitted (in reply to RCPT TO command)

with 113.161.225.241 is ip internet interface of sophos UTM 9

error in log file

2017:11:08-08:54:48 asg225241 exim-in[5600]: 2017-11-08 08:54:48 SMTP connection from [113.161.225.241]:38588 (TCP/IP connection count = 1)
2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 H=(mail.[mydomain].vn) [113.161.225.241]:38588 F=<thanhtam@mail.[mydomain].vn> rejected RCPT <xxxxxxx@gmail.com>: Relay not permitted 2017:11:08-08:54:48 asg225241 exim-in[4472]: 2017-11-08 08:54:48 SMTP connection from (mail.[mydomain].vn) [113.161.225.241]:38588 closed by DROP in ACL

Thank you so much!

In Advanced Tab, put Zimbra in allowed relay

sorry i don't see  where to allowed relay?

when i unstick Use transparent mode i recieve error mail for 113.161.225.241 loops back to myself

sitck use transparent mode is not permit 

@@

what my problem ????

My fault.

Under Relaying Tab: -> Host-Based Realy

Unknown said:

My fault.

Under Relaying Tab: -> Host-Based Realy

 

oh yeah it worked for me haha

now i can sent and recieve email hahaha.

thank you so much