
Is there a guide to configuring email support with XG 17.5.7?

I never thought enabling email support would be so much trouble. Is there a guide to configuring email support - basically SMTP & IMAP - through the XG firewall (home edition) that actually works? I think I have followed every article on the community with no success.

I have a pretty simple home network - ADSL2 connection, XG home firewall, a synology NAS with mailplus server. I want to be able to send and receive email from my home devices (iPhone, iPad) from a mailbox on my NAS. I have been able to get outgoing SMTP working, but incoming SMTP fails miserably. I can’t even turn off the autocreated rules and send port 25/587 traffic directly in/out with no processing. I have tried a direct DNAT type rule for incoming SMTP but it still won’t pass the traffic through. A telnet on port 25 to my firewall from the internet goes unanswered and times out. The email templates for business application rules don’t have a field to say where the email traffic should go (i.e. to the mail server on the NAS), even though the action says ‘forward’.

I thought I knew the basics of firewall configuration reasonably well, but this has beaten me.

Any basic guides would be appreciated before I give up and try a different product.

Thanks.
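The telnet-to-port-25 test described above can be made more informative with a small probe that connects, waits for the SMTP 220 banner, sends EHLO and reports which of three outcomes occurred: answered, refused (a RST came back, so the port is reachable but nothing listens or a reject rule fired) or timed out (nothing came back at all, which is what a drop by a firewall rule or local ACL looks like). This is an added example, not part of the thread or of Sophos' documentation; the host name `probe.example`, the stub server and its advertised capabilities are constructed for the example.

```python
import socket
import threading

def _read_reply(f):
    # One SMTP reply: "250-..." lines continue it, "250 ..." (space) ends it.
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:                      # EOF: peer closed without (more) reply
            return lines
        lines.append(line)
        if line[3:4] != "-":
            return lines

def probe_smtp(host, port=25, timeout=5.0, helo_name="probe.example"):
    # status: ok (220 banner, EHLO accepted) / no-banner / timeout / refused
    result = {"status": None, "banner": None, "capabilities": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
            banner = _read_reply(f)
            result["banner"] = banner[0] if banner else None
            if not banner or not banner[0].startswith("220"):
                result["status"] = "no-banner"
                return result
            s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            reply = _read_reply(f)
            if reply and reply[0].startswith("250"):
                result["capabilities"] = [line[4:].strip() for line in reply[1:]]
            s.sendall(b"QUIT\r\n")
            result["status"] = "ok"
    except socket.timeout:
        result["status"] = "timeout"      # nothing came back: dropped by a firewall/local ACL, as with a hanging telnet
    except ConnectionRefusedError:
        result["status"] = "refused"      # RST came back: port reachable, nothing listening / reject rule
    return result

def start_stub_smtp(capabilities=("STARTTLS", "SIZE 10240000"), silent=False):
    # Constructed stand-in for the NAS mail server; silent=True accepts TCP but never answers.
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        with srv, srv.accept()[0] as conn, conn.makefile("rb") as f:
            if not silent:
                conn.sendall(b"220 stub.example ESMTP ready\r\n")
            for line in f:                # runs until the client closes
                if line.upper().startswith(b"EHLO") and not silent:
                    reply = ["250-stub.example"] + [f"250-{c}" for c in capabilities[:-1]]
                    conn.sendall(("\r\n".join(reply + [f"250 {capabilities[-1]}"]) + "\r\n").encode())
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Run `probe_smtp("<your public address>")` from outside the network to check the firewall, and `probe_smtp("<NAS address>")` from the LAN to confirm the mail server itself answers; a "timeout" on the first with an "ok" on the second points at the firewall, not the NAS.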

  • Hi,

    Please try to configure DNAT for your email server and also create a reflexive rule as well: https://community.sophos.com/kb/en-us/122976

    There should be two firewall rules required: WAN to LAN for connections initiated from the WAN side of the firewall, and LAN to WAN for connections initiated from the LAN zone or the mail server.

    Please allow the service in the rules as per your requirement. You may use packet capture to check the traffic: https://community.sophos.com/kb/en-us/123189 and https://community.sophos.com/kb/en-us/127647

  • Hi Keyur,

    Thank you for your reply. I had followed that article and set up DNAT rules for inbound and outbound SMTP(S) traffic as per the instructions. What do I do with the auto-created rule for the MTA? Leave it enabled? Disable it? Delete it? Nowhere in that auto rule does it say where to forward email traffic, but the Action is "Forward". So I assume that the DNAT rules that I have created take care of the forwarding. Do I do the same rule to allow IMAP(S) connections from the WAN?

    Apologies if this is unclear, but the documentation is far from specific and could use a few examples.

    Thanks,

    -Rob

  • Basically, it depends which mode you want to use.

    Legacy Mode (Transparent Mail Transfer).

    MTA Mode (Standard Mail Transfer).

    In MTA Mode, you talk to XG without any firewall rule needed. Basically, delete all rules which involve SMTP.

    Everything in MTA Mode is handled by the Device Access page. There you can open port 25 for a zone (most likely WAN and Server zone).

    Afterwards, XG will process the mail to the MTA. The MTA module (exim) will then act properly depending on your email configuration on XG.

  • OK, thanks for that. I have disabled all SMTP rules and now only have the auto-created MTA rule at the very top of the rules. If I enable scanning on POP/S, IMAP/S, & SMTP/S it still does nothing in terms of incoming connections on port 25, but it does break my access to a gmail account from my iPhone with a certificate error. From the internet, if I telnet to port 25, I still get no answer. I have an SMTP routing rule in the e-mail section that should forward to my mail server. Have I missed something?

    When you say "Everything in MTA Mode is handled by the Device Access Page", what do you mean by the Device Access Page? Is that just the web interface email page?

    I've spent so many hours on this that I am on the verge of giving up. If it is this hard to allow a simple incoming connection, I don't think this is the product for me :( I find it hard to comprehend that a product that can do so much and looks so promising makes the basics so difficult - this should be a simple process.

    Is there not a way that I can disable all the email interference and just allow port 25 straight through to my e-mail server, like my modem router can do?

    Thanks again for your help.

  • Finally a breakthrough. On the Administration -> Device Access page, there is a checkbox for SMTP relay. Why is that not mentioned in any of the articles about setting up SMTP scanning or SMTP configuration/troubleshooting??? I can't believe that I have wasted so much time on a simple checkbox :(

    Now, is it possible to enable external IMAP access to my mail server???

    Thanks for your help - the device access page comment got me thinking, along with another article on packet capture local_acl errors!

  • MTA is "Mail Server to Mail Server" communication.

    Basically, if you are referring to IMAP, I guess you only use Client to Server communication.

    Client to Server SMTP needs a scan rule.

    Your client is not an MTA.

    Basically you would need to set up a firewall rule: LAN to WAN, scanning IMAPS / SMTPS.

    Then you need to replace the certificates on your client.

    https://community.sophos.com/kb/en-us/123274

  • If I'm a home user and I only use email services like Gmail, iCloud, etc. (i.e. I do not host my own mail server), which mode should I be running, MTA or the transparent proxy mode?

  • Hi Shred,

    It depends on which protocols you are using. If you want to scan your incoming mail then you would need to use POP/S or IMAPS and then transparent mode. If you use port 443 then the email setup doesn't matter, because the messages are not processed by the mail security system.

    Now for your daily reports you would need to use legacy mode and an external mail server.

    Ian