This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange fw rule needed to get outbound mails to work

Hello folks,

i've had some trouble getting my outbound mails to work. My configuration is as follows:

Exchange Server
- has a Send Connector with the LAN-IP of my XG Firewall configured as smarthost without authentication

Sophos XG
- FW: SFOS 18.0.0 GA-Build379
- Running in MTA mode
- The Exchange Server is added unter "Relay settings -> host based relay -> Allow relay from hosts/networks"
- A smarthost is configured with authentication
- Under "Administration -> Device access" SMTP Relay is enabled for LAN and WAN Zone

Inbound mail via SMTP policy is working as expected, but i need the following fw rule to get outbound mails to work:

#Port1 is the LAN Port configured with the IP used in the exchange send connector mentioned above and is member of the LAN Zone. If i disable this rule, outbound mails show up in the mail spool on the XG Firewall, but will not get send out through the configured smarthost. Instead i can see that all connections to the configured smarthost are dropped via default drop rule. If i enable that rule, all is working fine and i can see that the traffic to the smarthost is allowed via the rule shown above.

Can anyone explain this behaviour to me? I don't understand why i need that rule at all. With SMTP Relay enabled for LAN+WAN Zone it should work without such a strange rule, shouldn't it?

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 5 years ago

Actually you do not need this Rule at all for MTA mode.

It is just a helper and is not needed.

If you disable / delete this rule and only create a NAT Rule for SMTP, it should work as a MTA.

Device Access (WAN/LAN)

NAT Rule (SMTP) MASQ (if not covered by Default MASQ).

SD-WAN Rule for SMTP (if multiple WAN interfaces are in place).

Do you have a default drop rule created? Can you show us this rule?
Cancel
Vote Up 0 Vote Down

Cancel
0 Kyori over 5 years ago in reply to LuCar Toni

As i told you, if i delete or disable the shown rule (rule 11), my default drop rule is blocking my mails from getting send out to my smarthost.

Here is the Drop Rule. It is the last rule at the bottom:

Why do i need NAT for SMTP? The Firewall is receiving Mails on SMTP so why should i use NAT?

This is how it looks like if i send a Mail with rule 11 enabled:

And this is what i get if i disable rule 11 (from mail log):

Mails are stuck in Spool and dont get sent out.

If i set my drop rule to "reject" instead of "drop", i get this in the log if rule 11 is disabled:

Why do i need a strange, senseless rule like the one on my first post to be able to send mails to a smarthost? This makes absolute no sense at all, but it is the only working solution. It took me a whole day to figure this out. Really, at this point i think the whole MTA thing is bugged.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Kyori over 5 years ago in reply to LuCar Toni

As i told you, if i delete or disable the shown rule (rule 11), my default drop rule is blocking my mails from getting send out to my smarthost.

Here is the Drop Rule. It is the last rule at the bottom:

Why do i need NAT for SMTP? The Firewall is receiving Mails on SMTP so why should i use NAT?

This is how it looks like if i send a Mail with rule 11 enabled:

And this is what i get if i disable rule 11 (from mail log):

Mails are stuck in Spool and dont get sent out.

If i set my drop rule to "reject" instead of "drop", i get this in the log if rule 11 is disabled:

Why do i need a strange, senseless rule like the one on my first post to be able to send mails to a smarthost? This makes absolute no sense at all, but it is the only working solution. It took me a whole day to figure this out. Really, at this point i think the whole MTA thing is bugged.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data