
XG Firewall in MTA mode responds on all IPs of the WAN interface

Hello!

I have two questions:

1. When configuring the firewall in MTA mode, each WAN IP address responds on TCP port 25. Can I limit this so that it responds on only one IP?
2. Where do I specify which WAN IP address the firewall should use for outgoing emails?

Suppose I need to check all outgoing emails (using MTA mode; my email server uses the XG firewall as its SMTP relay host), and suppose I have two connections:
 How do I specify which NAT rules to use?

The article at community.sophos.com/.../125596 does not clearly answer the previous questions.
Any help?

Thank you



This thread was automatically locked due to age.
  • Hi GabrieleD,

    If you use MTA mode, Sophos XG will auto-create a firewall rule (at the top of the firewall rule list). You can check this firewall rule.

    Hope this helps you!

  • Yes, I see this rule.

    My firewall's WAN interface has multiple aliases. One of my IP aliases is the public IP of my mail server (MX).

    I edited the auto-created firewall rule and set the IP address of my mail server (MX) as the destination IP; I can still connect to TCP port 25 not only on that alias but also on the primary IP and the other aliases...

    Which IP address does my firewall use when it sends email (scanning outgoing mail)?

  • Hi GabrieleD,

    You need to create a Source NAT profile; refer to this article: https://community.sophos.com/kb/en-us/123294

    Then, in the auto-created rule, please choose the SNAT profile you created above under Use Outbound Address instead of MASQ.

    Hope this helps you!

  • Hello Huy Vu,

    I've had a lot of work, sorry!

    There are two questions; perhaps I have not been clear:

    1. My firewall's WAN interface has multiple IPs / aliases. One alias is the IP of the mail server (corresponding to the MX).

    The firewall must respond only on that specific IP address, not on all IPs assigned to the WAN interface.

    With the default "Auto added firewall policy for MTA", it responds to SMTP commands on all WAN IP addresses.

    2. When the internal mail server (relay host) sends outgoing email, which IP address is used? (Your response: SNAT profile...)

    Thanks

  • UTM had this same issue as well when the MTA is configured. The automatic rule being configured is an inbound rule. Once you have it configured, add another firewall rule to block destination port 25. You are also going to need a source NAT (SNAT) rule on your firewall so that when your mail server sends e-mail (assuming that you are using your XG as your relay host) it uses the correct IP (your MX) outbound.

    In my opinion, this could be an easy fix for Sophos: set the MTA listener to IP:25 instead of just :25.

    Hope this helps.

    -Ron

  • Hi GabrieleD ,

    In MTA mode, we have no definitive way to block the incoming SMTP port on a specific address. You may try to create a rule: Source WAN, Destination LAN, Destination PORT 25, ADDRESS <ALL ALIAS>

    If this does not work, then you may raise a feature request to add additional configuration.
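Two checks for the approach Ron and the Sophos reply describe (an extra rule blocking port 25 on the non-MX aliases, plus an SNAT profile so relayed mail leaves from the MX address), written as an added example that is not code from this thread or from Sophos. It assumes RFC 5737 documentation addresses (203.0.113.x), the invented host names mail.example.org and mx.remote.example, and a constructed set of Received: headers standing in for a real test message; substitute your own values.

```python
"""Post-change checks for an XG in MTA mode with several WAN aliases.

Added example, not code from the thread or from Sophos. Addresses and host
names below are assumed (RFC 5737 documentation space, invented names).

Check 1 (the port-25 block rule): from a host outside the firewall, try to
open TCP 25 on every WAN alias. After the block rule only the MX alias
should still accept the connection.

Check 2 (the SNAT profile): send a test message through the relay to an
external mailbox, copy its raw headers, and read the client IP that the
external MX recorded in its own Received: header. It must equal the MX
alias; MASQ would show the primary WAN address instead.
"""
import ipaddress
import re
import socket

# Constructed values for illustration (assumed, not from the thread).
MX_ALIAS = "203.0.113.25"
WAN_ADDRESSES = ["203.0.113.10", "203.0.113.25", "203.0.113.26"]
EXTERNAL_MX = "mx.remote.example"


def probe_smtp_listeners(addresses, port=25, timeout=2.0):
    """Map each address to True if a TCP connection to `port` succeeds, else False."""
    result = {}
    for addr in addresses:
        try:
            sock = socket.create_connection((addr, port), timeout=timeout)
        except OSError:  # refused, filtered (timeout) or unreachable
            result[addr] = False
        else:
            sock.close()
            result[addr] = True
    return result


def unexpected_listeners(probe_result, mx_alias):
    """Addresses other than the MX alias that still accept SMTP (should be empty)."""
    return sorted(a for a, is_open in probe_result.items() if is_open and a != mx_alias)


# Trace field shape: "Received: from <helo> (<reverse-dns> [<ip>]) by <receiver> ..."
_HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?P<info>\([^)]*\))?\s+by\s+(?P<by>\S+)", re.I)
_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def outbound_source_ip(raw_headers, receiver_host):
    """Return the bracketed client IP that `receiver_host` recorded in its Received: header.

    Only the hop written by the named receiver counts, and only the IP it put in
    brackets (what it saw on the wire), never the HELO name the sender supplied.
    Returns None if that hop is missing or carries no usable bracketed address.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded header lines
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        hop = _HOP_RE.search(line)
        if not hop or hop.group("by").lower() != receiver_host.lower():
            continue
        ip = _IP_RE.search(hop.group("info") or "")
        if ip:
            try:
                return str(ipaddress.ip_address(ip.group(1)))  # normalise, reject junk
            except ValueError:
                continue
    return None


def snat_applied(raw_headers, receiver_host, mx_alias):
    """True if the external MX saw the relayed message arrive from the MX alias."""
    return outbound_source_ip(raw_headers, receiver_host) == mx_alias


# Constructed headers of a test message relayed via the XG to the external MX.
SAMPLE_HEADERS = (
    "Return-Path: <probe@example.org>\n"
    "Received: from mail.example.org (mail.example.org [203.0.113.25])\n"
    "\tby mx.remote.example (Postfix) with ESMTPS id 4F2C1\n"
    "\tfor <probe@remote.example>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from exchange01.example.org (10.0.0.5) by mail.example.org\n"
    "\twith SMTP; Mon, 1 Jan 2024 09:59:58 +0000\n"
    "Subject: SNAT check\n"
)

if __name__ == "__main__":
    probe = probe_smtp_listeners(WAN_ADDRESSES)
    print("port 25 open on:", [a for a, is_open in probe.items() if is_open])
    print("unexpected listeners:", unexpected_listeners(probe, MX_ALIAS))
    print("external MX saw source IP:", outbound_source_ip(SAMPLE_HEADERS, EXTERNAL_MX))
    print("SNAT applied:", snat_applied(SAMPLE_HEADERS, EXTERNAL_MX, MX_ALIAS))
```

Run the probe from an Internet-side host, not from the LAN, since the auto-added MTA rule is an inbound WAN rule and an inside probe would not traverse it. For the header check, mail a mailbox you control outside the firewall and paste its raw headers in place of SAMPLE_HEADERS; the hop written by that mailbox's MX is the only one that proves which WAN address the SNAT profile actually used.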
