Transparent Proxy+Country Code blocking and allowing all inbound smtp

Here:

They are not a bunch of posts, but different configurations.

Now supposing that you are receiving an email from North Korea IP. How come the request is coming from your MX (wan address)???

Next time you will be able to resolve this things

Hey Oldeda,

I was not trying to imply anything other than I was having a hard time understanding exactly how the rules are supposed to function...with countries selected, without, with internal addresses, without, with the http proxy cache added, without...I just had a hard time understanding what applied to what situation.

I tried your rules, and they do seem to be mostly functioning, so thank you for your help!

I do have one that wouldn't go out until I disabled the country code blocking, seemed kind of strange. Sort of looked like it was on their side but I am not sure...The error was: 

2018-06-02 14:38:16 xxxx@open-e.com R=dnslookup T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<prvs=06916bf604=mark@xxxx.com> SIZE=3831: host mx01.kundenserver.de [217.72.192.67]: 451 Requested action aborted: local error in processing

This Error has to do with your UTM. Maybe restarting the SMTP Service will solve this error. With Country blocking you will not see the log at all

For the Exception: Only check the desired country if you want to skip only one Country, But your case is inbound/oubound all for smtp if Im Correct

Incoming Example: (In this way you have to add another rule for Outbound)
Skip Albania
For All request going to Any (since you use Transparent SMTP mode) Or WAN Address
Using SMTP

Yep, I totally get it. I will reset the UTM in a bit as nobody is there anyway.

Thanks for all your help, have a nice weekend!

--Mark

Dont be confused next time with names. if your MX Record is the External IP, than it is your Wan Address! And it is used only "from incoming country going to wan address"

Have a nice weekend

My notes on country blocking exceptions:

• If you are exempting a remote object, the country list must be left empty.   UTM already knows what sources to exempt, so including a country list only confuses things.
• If your are exempting a local object, the country list must be supplied.   Without a country list, it would have no idea what traffic to exempt.
• If you are exempting a non-transparent resource, you should only have to exempt the UTM address to which the resource is applied.
• If you are exempting a transparent resource, it may be helpful to exempt both the inbound address and the interface on which the traffic applies.   Not certain on this, but exempting both objects is not likely to create a security hole.

Limitations of country blocking

• The algorithm may produce inconsistent results, where the same URL and IP address are associated with different countries at different times.
• A surprising number of entries may have no country identification.
• The most likely result of these issues is that they may allow traffic through that you had intended to block.   The reverse may be possible if the country association floats from an allowed country to a blocked country.
• These problems have been escalated and confirmed by development.   A fix should be forthcoming, but I have no information about which release will include it.