
Email is leaving the incorrect interface, despite NAT rules in place.

Hello all,

I'm seeing a lot of bounces on the mail manager, and I'm hoping you can help me narrow down the cause.

I've got 3 WAN interfaces and a bunch of extra public IP addresses assigned to them.
    x.x.x.83 is the default IP address of WAN-X2 and the interface of most of my traffic
    x.x.x.217 is an additional address on interface WAN-X1 and is the public IP address associated with my Exchange server
    WAN-X2 and WAN-X1 are fed by different ISPs

I am using SMTP email protection/relay.

The mail manager is reporting emails leaving both .83 and .217. The ones leaving the correct IP are delivered fine, the ones leaving .83 are bounced because that IP address understandably ended up on a blacklist due to the fact that it's not associated with an MX record. 

I verified that SMTP traffic is indeed going out .83 by running:

    # tcpdump -i eth5 src host x.x.x.83 and port 25

Here are the relevant rules:

Masquerading:

    Internal Networks -> WAN-X2

NAT:

    SNAT
    Inside (Address) -> Email ports -> Any
    Source Translation: WAN-X1 [External x.x.x.217] (Address)

    DNAT
    AnyIPv4 -> Email ports -> WAN-X1 [External x.x.x.217] (Address)
    Dest. Translation: Exchange Server


Firewall:

    Exchange -> Email Ports -> Any  ALLOW 

    Any -> Email Ports -> Exchange  ALLOW

EDIT Because I forgot the Multipath Rules:

Multipath:

1    Outbound via X2 [by Interface]
      Internal Networks -> Any Port -> Any Address -> WAN-X2

2    Email Only Wan-X1 [by Connection]
      Internal Networks -> Email Ports -> WAN-X1 [x.x.x.217] -> Uplink Interfaces

Any ideas? Any additional information needed?
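The tcpdump check above only shows that some SMTP traffic leaves .83; it does not say how much, or how it compares with what leaves .217. The script below is an added example, not part of the original post or of Sophos UTM: it takes the output of a `tcpdump -n` capture of outbound SMTP SYNs (the interface name `eth5` is the one from the post; the source-filter-free capture is an assumption) and counts connection attempts per source address, so the share leaving the wrong interface is visible at a glance. The addresses are constructed documentation addresses standing in for the masked x.x.x.217 and x.x.x.83; the sample capture lines are constructed too.

```shell
#!/bin/sh
# Added example (not from the thread): classify outbound SMTP connection
# attempts in `tcpdump -n` output by their source address, to see how much
# mail leaves the intended NAT address versus any other WAN address.

# The address outbound mail is supposed to leave from (the thread's
# x.x.x.217). 203.0.113.0/24 is a documentation range used as a placeholder.
EXPECTED_SRC="${EXPECTED_SRC:-203.0.113.217}"

# Constructed sample of what the live capture below prints: four SYNs to
# port 25, two from the expected mail address and two from the WAN-X2
# address (stand-in for x.x.x.83).
SAMPLE='12:00:01.000001 IP 203.0.113.217.50001 > 198.51.100.25.25: Flags [S], seq 1, win 64240, length 0
12:00:02.000002 IP 203.0.113.83.50002 > 198.51.100.26.25: Flags [S], seq 2, win 64240, length 0
12:00:03.000003 IP 203.0.113.217.50003 > 198.51.100.27.25: Flags [S], seq 3, win 64240, length 0
12:00:04.000004 IP 203.0.113.83.50004 > 198.51.100.28.25: Flags [S], seq 4, win 64240, length 0'

# smtp_sources: read tcpdump -n lines on stdin, print "count source_ip" for
# every source address that sent a packet to TCP port 25, busiest first.
# Field layout of a tcpdump -n line: <time> IP <src.port> > <dst.port>: ...
smtp_sources() {
    awk '$2 == "IP" && $5 ~ /\.25:$/ {
             sub(/\.[0-9]+$/, "", $3)      # strip the source port
             n[$3]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# count_from: number of sampled SMTP attempts whose source is the given address.
count_from() {
    printf '%s\n' "$SAMPLE" | smtp_sources |
        awk -v ip="$1" '$2 == ip { s += $1 } END { print s + 0 }'
}

# wrong_source_count: number of sampled SMTP attempts leaving any address
# other than EXPECTED_SRC (the ones that will hit the blacklisted IP).
wrong_source_count() {
    printf '%s\n' "$SAMPLE" | smtp_sources |
        awk -v ok="$EXPECTED_SRC" '$2 != ok { s += $1 } END { print s + 0 }'
}

# Live use on the firewall (assumed interface name from the post):
#   tcpdump -n -l -i eth5 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25' | smtp_sources
# Any line whose address is not the mail address points at a connection the
# multipath/SNAT rules did not catch.
printf 'SMTP attempts from %s: %s\n' "$EXPECTED_SRC" "$(count_from "$EXPECTED_SRC")"
printf 'SMTP attempts from other addresses: %s\n' "$(wrong_source_count)"
```

Only the initial SYN is captured so each connection is counted once; an established session would otherwise add one line per packet and skew the ratio.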

  • Hi Austin,

    If you use two WAN interfaces you should use a multipath rule with Persistence "by interface" for the outgoing mail traffic.

    regards mod

  • Thank you for the reply,

    We do have multipath rules in place, apologies for not including them:

    Multipath:

    1    Outbound via X2 [by Interface]
          Internal Networks -> Any Port -> Any Address -> WAN-X2

    2    Email Only Wan-X1 [by Connection]
          Internal Networks -> Email Ports -> WAN-X1 [x.x.x.217] -> Uplink Interfaces

    I'm looking at them now and I think there may be an issue here.
    Our email rule is [by Connection], not by interface as you suggested, and the email rule is below the catch-all rule.  I don't know how precedence works with multipath rules in Sophos, but it seems to me that the Email rule should be at the top. Thoughts?

  • The source is not internal network, try any for mail and by interface

    Regards mod
