
XG Firewall in MTA mode responds on all IPs of the WAN interface

Hello!

I have two questions:

1. When configuring the firewall in MTA mode, each WAN IP address responds on TCP port 25. Can I limit this so that it responds on only one IP?
2. Where do I specify which WAN IP address the firewall should use for outgoing email?

Suppose I need to check all outgoing email (using MTA mode; my email server uses the XG firewall as SMTP relay host); suppose I have two connections:
 How do I specify the NAT rules to use?

The article at community.sophos.com/.../125596 does not clearly answer the previous questions.
Any help?

Thank you



  • Hi GabrieleD,

    If you use MTA mode, Sophos XG auto-creates a firewall rule (at the top of the firewall rule list). You can check this firewall rule.

    Hope this helps you!

  • Yes, I see this rule.

    My firewall's WAN interface has multiple aliases. One of my IP aliases is the public IP of my mail server (MX).

    I edited the auto-created firewall rule and specified the IP address of my mail server (MX) as the destination IP; I can connect to TCP port 25 not only on that alias but also on the primary IP and the other aliases....

    What IP address does my firewall use when it sends email (scanning outgoing mail)?

  • Hi GabrieleD,

    You need to create a Source NAT profile; refer to this article: https://community.sophos.com/kb/en-us/123294

    Then, in the auto-created rule, choose the SNAT profile you created above under "Use Outbound Address" instead of MASQ.

    Hope this helps you!

  • Hello Huy Vu,

    I've had a lot of work, sorry!

    There are two questions; perhaps I have not been clear:

    1. My firewall's WAN interface has multiple IPs / aliases. One alias is the IP of the mail server (it corresponds to the MX).

    The firewall must respond only on that specific IP address, not on all IPs assigned to the WAN interface.

    With the default "Auto added firewall policy for MTA", it responds to SMTP commands on all WAN IP addresses.

    2. When the internal mail server (relay host) sends outgoing email, which IP address is used? (Your response: SNAT profile...)

    Thanks

  • UTM had this same issue as well when the MTA was configured. The automatic rule being configured is an inbound rule. Once you have it configured, add another firewall rule to block destination port 25. You are also going to need a source NAT (SNAT) rule on your firewall so that when your mail server sends e-mail (assuming that you are using your XG as your relay host) it uses the correct IP (your MX) outbound.

    In my opinion this could be an easy fix for Sophos: set the MTA listener to IP:25 instead of just :25.

    Hope this helps.

    -Ron

  • Hi GabrieleD ,

    In MTA mode, we have no definitive way to block the incoming SMTP port from specific addresses. You may try to create a rule: Source WAN, Destination LAN, Destination PORT 25, ADDRESS <ALL ALIAS>

    If this does not work, then you may raise a feature request to add additional configuration.

  • Hello Ron and Aditya,

    I agree with Ron's opinion: define in the MTA general settings where the MTA listens.....

    Another problem is SMTP auth to send email where users are "external", and I need to treat SMTP traffic in different ways:

    a. SMTP to receive email from other mail servers

    b. SMTP to receive email from legitimate clients outside the organization (via SMTP Auth)

    Currently the Sophos MTA does not support authentication; for this reason I need to use two DNS names.

    A working solution:

    smtp.domain.com -> to send mail

    mail.domain.com -> to receive email  (correspond to MX record)

    internal server = 192.168.1.5

    Internal users connect via SMTP auth to smtp.domain.com (which resolves to 192.168.1.5) to send email

    External users connect via SMTP auth to smtp.domain.com to send email... I need to create a Business App DNAT rule that precedes the "Auto added firewall policy for MTA"

    That's why it is important to specify on which IP the MTA listens...

    Thanks

  • Hi GabrieleD

    If you create a Business App DNAT, all of the traffic to your mail server will go through the DNAT policy, because the NAT policy has higher priority.

  • Keep in mind most modern mail servers should be configured to use port 587 to send e-mail with authentication, and port 25 is primarily used for mail server to mail server communication. Have you thought about setting up a DNAT rule for port 587 directly to your mail server, and then having the XG running in MTA mode process your mail for spam and viruses before forwarding it to your mail server for final delivery?

    The above is how I did it when I was running UTM with a paid-for SSL certificate, but I have since switched over to Let's Encrypt on my mail system and XG still has no support for it.  :( So for now I am just using DNAT for inbound and SNAT for outbound.

    With the release of 17.1 GA your users can now manage their white/black list from the user portal. Glad to see this feature added to XG to close one more item on the feature-parity list with UTM.

    Now if XG would add Let's Encrypt, my XG Home firewall would be in heaven.  :)

     

    Hope the information helps.

    -Ron

  • Hi Ron.

    Thanks for your info!

  • Hello, we also face this problem: we have two XG125s, SFOS 17.1.2 MR-2, in HA.

    We activated MTA with Sandstorm for testing. We already use an external SMTP email filtering system and we want to use Sandstorm as a second layer of protection because it does a great job in addition to traditional anti-malware.

    In the automatically created MTA firewall rules I added the "MailCleaners" external IP as the only authorized source network.

    Unfortunately, it is true that the Sophos SMTP is reachable from any WAN IP.

    So some spammers try to send email directly this way. We installed RBL filtering, but I would prefer the Sophos to be reachable only from authorized WAN IPs.

    Any ideas in this case ?

     

    Thanks, Audit.

  • I would try to "just" build a DNAT rule for port 25 on the unwanted IP addresses and direct them to "nowhere". Same process as on UTM9.

    For example: you have two interfaces (Port A and B).

    You only want B. So you build a DNAT rule: traffic coming from the Internet, going to Port A on port 25, redirected to some unused IP in your network. So basically those requests will not end up in the mail daemon of the XG and will time out after a while.
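The check a practitioner would want after applying either the extra block rule Ron describes or the DNAT-to-nowhere trick above, as an added example that is not part of this thread and not Sophos code: probe every WAN address on TCP/25 and report which ones still return an SMTP banner. The addresses, the MX hostname and the local mock listener (which stands in for the XG MTA so the script runs offline) are constructed assumptions; against a real firewall you would pass the public aliases on port 25. The mock also records the peer address of each connection, which is the same observation you make on a receiving host to confirm which source IP the SNAT rule actually picks for outbound mail.

```python
"""Audit which WAN addresses answer SMTP on TCP/25.

Added example for this thread; not Sophos code. The MX name and the
addresses are constructed placeholders, and a local mock listener
stands in for the XG MTA so the script runs offline.
"""
import socket
import threading


def probe_smtp(target, timeout=3.0):
    """Return the SMTP banner if (host, port) answers with a 220 line.

    A DROP rule or a DNAT to an unused address shows up as a timeout; a
    closed/rejected port as ConnectionRefusedError. Both mean "does not
    answer SMTP" and are reported as None.
    """
    try:
        with socket.create_connection(target, timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512).decode("ascii", errors="replace").strip()
            s.sendall(b"QUIT\r\n")  # leave cleanly so the MTA logs a normal session
            return banner if banner.startswith("220") else None
    except OSError:  # covers socket.timeout and ConnectionRefusedError
        return None


def audit_wan_addresses(targets, allowed, timeout=3.0):
    """Probe every (host, port); return ({target: banner_or_None},
    [targets that answered but are not in `allowed`]).
    Once only the MX alias is reachable, the second list is empty."""
    results = {t: probe_smtp(t, timeout) for t in targets}
    unexpected = [t for t, b in results.items() if b is not None and t not in allowed]
    return results, unexpected


class MockMta:
    """Minimal SMTP-like listener so the example runs offline. It records
    the peer address of each connection, i.e. the source IP a real MTA
    would see from the relay host after the SNAT rule is applied."""

    def __init__(self, banner=b"220 mail.example.com ESMTP (constructed)\r\n"):
        self.banner = banner
        self.peers = []
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice `_stop`
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            self.peers.append(peer[0])
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(self.banner)
                    conn.recv(64)  # wait for the client's QUIT or disconnect
                except OSError:
                    pass

    def close(self):
        self._stop.set()
        self.sock.close()


def demo():
    """Constructed scenario: the MX alias answers, the primary IP must not."""
    mta = MockMta()
    try:
        mx_alias = ("127.0.0.1", mta.port)
        # A port nobody listens on stands in for an alias that the block
        # rule keeps away from the MTA (connection refused -> None).
        tmp = socket.socket()
        tmp.bind(("127.0.0.1", 0))
        primary_ip = ("127.0.0.1", tmp.getsockname()[1])
        tmp.close()
        results, unexpected = audit_wan_addresses(
            [mx_alias, primary_ip], allowed={mx_alias}, timeout=2.0
        )
        return {"results": results, "unexpected": unexpected,
                "peers_seen_by_mta": list(mta.peers)}
    finally:
        mta.close()


if __name__ == "__main__":
    out = demo()
    for (host, port), banner in out["results"].items():
        print(f"{host}:{port} -> {banner or 'no SMTP answer'}")
    print("unexpected listeners:", out["unexpected"])
    print("source IPs seen by the MTA:", out["peers_seen_by_mta"])
```

In production you would replace the mock with the real targets, e.g. `audit_wan_addresses([(ip, 25) for ip in wan_aliases], allowed={(mx_ip, 25)})` run from outside the WAN, and treat a non-empty `unexpected` list as the block rule not yet doing its job; the DNAT-to-nowhere variant shows up as a timeout rather than a refusal, which the probe reports identically.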
