
SMTP in MTA mode

Hello,

 

I have found that there is no way to prevent inbound SMTP connections to the firewall when in MTA mode.

I'd prefer to allow only my configured upstream hosts to connect through the WAN interface.

 

Thank you



  • Hi ClerpremSpa,

    I'm not sure I understand the problem. Are you saying that you cannot restrict where connections can be made from for servers to deliver emails to the XG?

    If that's the case, then you can restrict where they come from by going to Email > Relay Settings Tab and setting the IP/Hosts in the Upstream host section, which will restrict email delivery to the XG so that it can only come from the objects you've entered.

    Emile

  • Hello,

    When in MTA mode, connections are directed to XG interfaces. Device access is regulated on the 'Administration'->'Device Access' page.

    From there you can enable device access for the SMTP port.

    For device access, local ACL rules exist, which can filter device access with more granularity.

    When configuring a device access ACL, there is no SMTP service listed. So I cannot limit connections the same way I can for accessing the device over HTTPS, for instance.

    In this way, any host can establish an SMTP session. Of course relay is subsequently denied, but a lot of unwanted traffic is allowed.

    I think that the SMTP service is missing from the local ACL configuration page, whereas it should be there.

    Device access is not affected by normal firewall policies.

  • Hi Clerprem,

    ACLs sit in front of Firewall Profiles so they will be unaffected.

    Can I clarify that you're trying to block incoming SMTP connections from unwanted sources?

    Emile
