
XG Firewall in MTA mode responds to all IPs on the WAN interface

Hello!

I have two questions:

1. When configuring the firewall in MTA mode, each WAN IP address responds on TCP port 25. Can I limit this to only one IP that responds?
2. Where is the specific WAN IP address that the firewall should use for outgoing emails?

Suppose I need to check all outgoing emails (using MTA mode, my email server uses the XG firewall as SMTP relayhost); suppose I have two connections:
 How do I specify the NAT rules to use?

community.sophos.com/.../125596 is not clear enough to answer the previous questions.
Any help?

Thank you



This thread was automatically locked due to age.
  • Hello, we also face this problem: we have two XG125, SFOS 17.1.2 MR-2 in HA.

    We activated MTA with Sandstorm for a test. We already use an external SMTP email filtering system and we want to use Sandstorm as a second protection layer because it does a great job in addition to traditional anti-malware.

    In the automatically created MTA firewall rules I added the "MailCleaners" external IP as the only Source Network to be authorized.

    Unfortunately, it is true that the Sophos SMTP is reachable from any WAN IP.
</gra_replace>
<gr_replace lines="32-34" cat="clarify" orig="So some spammers">
    So some spammers try to send email directly this way. We installed the RBL filtering, but I would prefer the Sophos to be reachable only from authorized WAN IPs.

    Any ideas in this case?

    So some spammers try to directly send email through this way. We installed the RBL filtering but I would prefer the Sophos to be only reachable from authorized Wan IP

    Any ideas in this case ?


    Thanks, Audit.

  • I would try to "just" build a DNAT rule for unwanted IP addresses on port 25 and direct them to "nowhere". Same process as on UTM9.

    For example: You have two interfaces (Port A and B).

    You want only B. So you build a DNAT rule: traffic coming from the Internet, going to Port A on port 25, is sent to some unused IP in your network. So basically those requests will not end up in the mail daemon of XG and will time out after a while.

  • Hello, thanks, but I feel a little bit confused by this: there are only 2 IPs I want to authorize; all other IPs are to be dropped.

  • So you want only 2 Internet IPs allowed to send you emails? This should be configured in the Relay as "Upstream host".

  • Hello MBP,

    manbearpig said:
    I would try to "just" build a DNAT rule for unwanted IP addresses on port 25 and direct them to "nowhere". Same process as on UTM9.


    This is just a workaround. There should be an ACL Rule to achieve this.


    Regards, Ronak.

  • manbearpig said:

    So you want only 2 Internet IPs allowed to send you emails?

    Yes, exactly.

    This should be configured in the Relay as "Upstream host".

    I just did it: unfortunately, it does not work. Sophos SMTP is always responding to any WAN IP.

    Thanks anyway for the tip.


  • I just did it: unfortunately, no results: Sophos SMTP always responds to all WAN IPs...

  • I still do not understand the requirement.

    Can you explain in more detail what you are trying to achieve?


    And yes, it should be configurable via GUI or ACL. I "think" there is something coming with V17.5.

  • Sorry for not being accurate enough:

    I only want Sophos with MTA to accept incoming SMTP connections from 2 external IPs and to block all others.