
Trouble getting outbound SMTP traffic working

Hi.

I am trying to get outbound SMTP traffic working over Port 3 instead of the WAN port (Port 2). My setup looks like this:

(green is inbound, this is working; purple is outbound, it is currently not working)

I already have an SD-WAN policy in place that gets my Wi-Fi and internal web traffic (HTTP+HTTPS) over Port 5. I tried to set up outbound SMTP traffic the same way:

  • Firewall rule that allows the internal mail server (within "Source networks and devices") to ANY, protocol is SMTP, SMTP scanning is ON
  • SD-WAN policy that has "Source network" = (internal mail server); "Destination networks": Any; "Services": SMTP; Primary Gateway: GW for Port3, override GW monitoring is ON, Backup GW is none.

What happens is that my SD-WAN policy gets ignored and everything is sent out over the first IP of WAN Port 2.

What am I doing wrong? The SD-WAN works perfectly for web-related traffic, but SMTP seems to get handled differently...



  • Do you use the SMTP MTA proxy? The traffic is generated by the XG itself, not the mail server.

    This would lead to: SD-WAN Policy is: Source Network = ANY. 

    Please read the Online Help for SD-WAN before making such a Change. 

  • LuCar Toni said:
    Please read the Online Help for SD-WAN before making such a Change.

    This time I did :-)

    Yes, I am using V18 with MTA mode.

    LuCar Toni said:
    This would lead to: SD-WAN Policy is: Source Network = ANY. 

    "Source = Any" in my SD-WAN policy means that if someone from internal network or lets say guest wifi is using its Smartphone to send emails via SMTP, this SD-WAN policy gets triggered too...? There is no such "object" within the FW/NAT/SD-WAN rules that relates to the XG itself?

    Because I cannot change outgoing mailrouting during office times, I will test this tonight.

    Thank you LuCar Toni :-)

  • There are 3 different parts in place in XG. 

    Firewall (Allowing), NAT (Changing), Routing(Using).


    If you tell XG to use SD-WAN Rule A, it will use it for the routing aspect, but the traffic still needs to be A: allowed, B: changed.

    If you allow a Traffic, you still need to A: NAT(Change) and B: Route(Use). 


    Those aspects are completely independent.

  • LuCar Toni said:
    Firewall (Allowing), NAT (Changing), Routing(Using).

    That is a very good explanation of how these three aspects work together, thank you :-)

    LuCar Toni said:
    If you tell XG to use SD-WAN Rule A

    My problem as a long-time UTM user and XG newbie (currently migrating) is that I cannot simply tell XG to use SD-WAN "A".

    To make it work, I have understood that I have to think about what the traffic looks like at each point (what's my source, what's my destination and what's my service) and how this is changed by any service running on XG (in this example MTA or any email-related service).

    <note to me>

    Long story short: I have to make sure that traffic that gets through the firewall has the right NAT settings up to the point where a routing decision is taken. Then it goes down (my) routing precedence to the SD-WAN policy. And if something in the chain isn't correct, the SD-WAN policy doesn't apply and the traffic goes over to the WAN link manager.

    </note to me>

    Hm, ... this explains why my SMTP traffic currently gets handled by the wrong interface.

  • As XG has 3 Routing Tables (VPN, SD-WAN, Static) which you can influence, you can use all three for routing.

    Routing precedence is the key for this. You can say: using SD-WAN, if SD-WAN is not finding any rule, it will run VPN; if VPN (policy-based IPsec) is not finding any rule, it will run Static (directly attached interfaces, WAN Link Manager, static routing, OSPF/BGP).

    There is a hierarchy in XG about routing.
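    The three-part split (allow, translate, route) and the precedence of SD-WAN, then VPN, then Static can be made concrete with a small model. The code below is an added example written for this thread, not Sophos code and not any poster's configuration; every address, policy name and gateway in it is constructed, and it deliberately leaves out the firewall and NAT stages so that only the routing lookup is shown. It models why a source-restricted SD-WAN policy misses MTA-originated SMTP (the XG itself opens that connection, so the source is the firewall's own address) while Source = ANY catches it, and also catches every other SMTP client, which is the trade-off Christian asked about above.

```python
"""Simplified model (added example, not Sophos code) of how XG picks a route
for a flow: SD-WAN policies first, then VPN, then the static table.
All addresses, names and gateways below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")           # "Any" in the policy editor
MAIL_SERVER = ip_address("10.0.0.25")   # constructed: internal mail server
XG_SELF = ip_address("10.0.0.1")        # constructed: the firewall's own LAN address
GUEST_PHONE = ip_address("10.1.0.7")    # constructed: a smartphone on guest Wi-Fi
REMOTE_MX = ip_address("203.0.113.25")  # constructed: some recipient's MX


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    service: str


@dataclass(frozen=True)
class Policy:
    name: str
    source: IPv4Network
    destination: IPv4Network
    service: Optional[str]   # None matches every service
    gateway: str

    def matches(self, flow: Flow) -> bool:
        return (flow.src in self.source
                and flow.dst in self.destination
                and self.service in (None, flow.service))


def first_match(table: List[Policy], flow: Flow) -> Optional[Policy]:
    """First-match lookup within one routing table."""
    for policy in table:
        if policy.matches(flow):
            return policy
    return None


def route(flow: Flow, sdwan: List[Policy], vpn: List[Policy],
          static: List[Policy]) -> Tuple[str, str]:
    """Walk the tables in the precedence described in the thread and
    return (table name, gateway) of the first hit."""
    for table_name, table in (("SD-WAN", sdwan), ("VPN", vpn), ("Static", static)):
        hit = first_match(table, flow)
        if hit is not None:
            return table_name, hit.gateway
    raise LookupError("no route for %r" % (flow,))


# The original SD-WAN policy: source restricted to the mail server.
NARROW_SDWAN = [Policy("SMTP out via Port3", ip_network("10.0.0.25/32"), ANY, "SMTP", "GW_Port3")]
# The policy after the advice in the thread: Source Network = ANY.
BROAD_SDWAN = [Policy("SMTP out via Port3", ANY, ANY, "SMTP", "GW_Port3")]
# No policy-based IPsec routes in this model.
NO_VPN: List[Policy] = []
# Static table: the WAN link manager sends everything else out of Port2.
STATIC = [Policy("WAN link manager default", ANY, ANY, None, "GW_Port2")]

# In MTA mode the outbound SMTP connection is opened by the XG itself,
# so the flow's source is the firewall, not the mail server.
MTA_FLOW = Flow(XG_SELF, REMOTE_MX, "SMTP")
PHONE_SMTP_FLOW = Flow(GUEST_PHONE, REMOTE_MX, "SMTP")
PHONE_HTTPS_FLOW = Flow(GUEST_PHONE, REMOTE_MX, "HTTPS")

if __name__ == "__main__":
    for label, table in (("narrow", NARROW_SDWAN), ("broad", BROAD_SDWAN)):
        for flow in (MTA_FLOW, PHONE_SMTP_FLOW, PHONE_HTTPS_FLOW):
            print(label, flow.src, flow.service, "->", route(flow, table, NO_VPN, STATIC))
```

    With the narrow policy the MTA flow falls through to the static table and leaves via GW_Port2, which is the symptom in the first post. With the broad policy it is routed to GW_Port3, and so is the guest phone's SMTP, while the phone's HTTPS still falls through to the static table because the service does not match.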


  • Short reply from me:

    LuCar Toni said:
    This would lead to: SD-WAN Policy is: Source Network = ANY. 

    Outbound mail is working. Thank you :-)

    Regards,

    Christian

  • LuCar Toni said:
    This would lead to: SD-WAN Policy is: Source Network = ANY. 

    This works perfectly for outbound from email server that sits on local LAN.

    But when connecting a branch office to the XG (tunnel, xfrm1) and sending emails from the branch-local Exchange to the XG (smarthost, relay permitted), every mail fails.

    So the SD-WAN does not apply to this branch office smtp traffic. How can I do this?

    After some time, they are gone from the mail spool but I cannot confirm that they are sent out (or deleted, e.g.). They do not show up in the maillog.

  • One error I see again and again is

    {...} R=default_mx_router T=remote_smtp defer (-53): retry time not reached for any host for '<hostname>'

    This is exactly the same message I got for my "LAN"-side Exchange servers before I added the SD-WAN policy with Source Network = ANY.

    I also see

    "Out IP" is 0.0.0.0 - so is this NAT problem? Working mails have this entry:

  • OK, I made a NAT rule that seems to be working for me:

    Now my OUT IP 0.0.0.0 gets translated to my hostname and mails from the queue get sent through the Internet.