
Transparent Proxy+Country Code blocking and allowing all inbound smtp

Hello UTMers!

 

Quick question for the geniuses here (I'm talking to you balfson!): What is the proper design of a country code exception that allows SMTP inbound and outbound from all countries? I have seen a bunch of posts on these forums...some say the internal address needs to be added, others say the wan address also needs to be added (I assume it would be the IP that the MX record responds on) but I cannot get either to work. I do have the transparent proxy enabled as well as country code blocking enabled for almost all countries (disable access both ways).

 

My current rule looks like this:

Skip blocking of these regions : ALL COUNTRIES SELECTED

For all requests COMING FROM THESE

Hosts/Networks- Internal network address + External IP that MX record responds on (External WAN address).

Using SMTP.

 

What am I doing wrong here?



  • They are not a bunch of posts, but different configurations.

    Now suppose that you are receiving an email from a North Korea IP. How come the request is coming from your MX (WAN address)?

    Next time you will be able to resolve these things.

  • Hey Oldeda,

     

    I was not trying to imply anything other than I was having a hard time understanding exactly how the rules are supposed to function...with countries selected, without, with internal addresses, without, with the http proxy cache added, without...I just had a hard time understanding what applied to what situation.

     

    I tried your rules, and they do seem to be mostly functioning, so thank you for your help!

     

    I do have one that wouldn't go out until I disabled the country code blocking, seemed kind of strange. Sort of looked like it was on their side but I am not sure...The error was: 

    2018-06-02 14:38:16 xxxx@open-e.com R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<prvs=06916bf604=mark@xxxx.com> SIZE=3831: host mx01.kundenserver.de [217.72.192.67]: 451 Requested action aborted: local error in processing

  • This error has to do with your UTM. Maybe restarting the SMTP service will solve this error. With country blocking you will not see the log at all.

    For the exception: only check the desired country if you want to skip only one country. But your case is inbound/outbound all for SMTP, if I'm correct.

     


    Incoming Example: (In this way you have to add another rule for Outbound)
    Skip Albania
    For all requests going to Any (since you use Transparent SMTP mode) or WAN Address
    Using SMTP

  • Yep, I totally get it. I will reset the UTM in a bit as nobody is there anyway.

    Thanks for all your help, have a nice weekend!

     

    --Mark

  • Don't be confused next time with names. If your MX record is the external IP, then it is your WAN address! And it is used only "from incoming country going to WAN address".

    Have a nice weekend

  • My notes on country blocking exceptions:

    • If you are exempting a remote object, the country list must be left empty. UTM already knows what sources to exempt, so including a country list only confuses things.
    • If you are exempting a local object, the country list must be supplied. Without a country list, it would have no idea what traffic to exempt.
    • If you are exempting a non-transparent resource, you should only have to exempt the UTM address to which the resource is applied.
    • If you are exempting a transparent resource, it may be helpful to exempt both the inbound address and the interface on which the traffic applies. Not certain on this, but exempting both objects is not likely to create a security hole.

    Limitations of country blocking

    • The algorithm may produce inconsistent results, where the same URL and IP address are associated with different countries at different times.
    • A surprising number of entries may have no country identification.
    • The most likely result of these issues is that they may allow traffic through that you had intended to block. The reverse may be possible if the country association floats from an allowed country to a blocked country.
    • These problems have been escalated and confirmed by development. A fix should be forthcoming, but I have no information about which release will include it.