
Spam firewall behind Sophos UTM 9

Hello, I would like to place a spam firewall behind the Sophos UTM. We have two fixed public IPs. Our hosting provider is Strato. What should I point the MX record at Strato to? What do I need to configure in the Sophos?

Kind regards

berootale

Multiple options:

To get started:

Decide which IP to use for port 25. This goes into your MX record.

1. UTM SMTP Off
   Create a NAT rule for traffic from ANY:<any> to <Public IP>:25, translates to <SPAMdevice>:25
   Create a NAT rule for traffic from <SPAMdevice>:<any> to <ANY>:25, translates to <Public IP>:<any>
   Create firewall rules to allow this same traffic.

2. UTM SMTP Transparent Mode in front of your other spam filter
   Substantially identical to SMTP Off, except that SMTP is enabled in transparent mode.
   Need to add DNAT rules to send any unauthorized SMTP traffic to a dead-end IP address.

3. UTM SMTP Standard Mode in front of your other SPAM filter
   Configure UTM for the domains that it will accept.
   Relay traffic from UTM to the SPAM device, instead of relaying directly to the mail server.
   Configure the SPAM device to forward traffic to the mail server.

4. UTM SMTP Standard Mode behind your other SPAM filter
   Configure the NAT and firewall rules as for SMTP Off.
   Configure the SPAM device to forward all traffic to UTM's internal address.
   Configure UTM SMTP Standard Mode for the domains that it will accept and the routing to deliver to the mail server.

Options 1, 2, and 4 will allow your SPAM device to see the incoming connection, which allows it to apply filters based on the sender. This enables several features that UTM lacks, particularly filtering on Reverse DNS or HELO/EHLO, and enforcement of sender DMARC policy.

EDITS added:

I don't like option 3 at all, because it prevents the other device from fixing UTM's limitations.

I don't like option 1 because it does not take advantage of all available defenses.

I use option 4 (UTM Standard Mode SMTP behind another device). UTM is configured to quarantine anything that it does not like, so it can be released to the user if necessary. I use dual-mode AV scanning on the incoming traffic. I have had very few occasions that something needed to be released from the quarantine -- my false positive rate is on the order of less than 5 items per year. Consequently, I recommend using UTM as a backup to your other device.

Option 2 allows you to see how much SPAM the other device catches that UTM has missed, but it can be tricky because of the need to prevent unwanted SMTP traffic from passing through UTM. Option 4 allows you to see how much SPAM UTM catches that the other device has missed. Either of these configurations should produce about the same filtering result.
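As an added illustration of the NAT rules in options 1 and 2 (not part of the thread, and not Sophos UTM's own rule syntax), a small Python first-match NAT model: it assumes rules are evaluated top-down, uses constructed placeholder addresses, and shows why the option-2 dead-end rule must sit below the two spam-device rules so that only the spam device can talk SMTP through UTM.

```python
# Added example, not from the thread: a first-match NAT evaluator modelling
# the rules the answer describes. All addresses are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"    # placeholder: the public IP chosen for the MX record
SPAM_DEVICE = "192.168.1.25"  # placeholder: the spam appliance behind UTM
DEAD_END = "192.0.2.1"        # placeholder: dead-end address for unauthorized SMTP
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int]          # None matches any port
    new_src: Optional[str] = None  # SNAT: rewrite source to this address
    new_dst: Optional[str] = None  # DNAT: rewrite destination to this address


def build_rules(option: int) -> List[Rule]:
    """NAT rules for option 1 (UTM SMTP off) or option 2 (transparent mode)."""
    rules = [
        # Inbound mail to the public IP on port 25 goes to the spam device.
        Rule(ANY, f"{PUBLIC_IP}/32", 25, new_dst=SPAM_DEVICE),
        # Outbound mail from the spam device leaves with the public IP as source.
        Rule(f"{SPAM_DEVICE}/32", ANY, 25, new_src=PUBLIC_IP),
    ]
    if option == 2:
        # Option 2 only: any other SMTP traffic is sent to a dead-end address.
        # Ordering matters: placed above the two rules it would swallow them.
        rules.append(Rule(ANY, ANY, 25, new_dst=DEAD_END))
    return rules


def apply_nat(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; returns (src, dst) after translation."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return (r.new_src or src, r.new_dst or dst)
    return (src, dst)  # no NAT applied


if __name__ == "__main__":
    for opt in (1, 2):
        # An internal host (not the spam device) trying to send mail directly.
        print(opt, apply_nat(build_rules(opt), "192.168.1.50", "198.51.100.9", 25))
```

With option 1 the internal host's direct SMTP connection passes untranslated, which is exactly the "unwanted SMTP traffic" option 2 diverts to the dead-end address.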