
SMTP authentication via MTA

Hi,

I have a Synology mailserver/NAS behind an XG with the latest SF-OS in MTA mode. Incoming and outgoing mails are all fine and sent by / delivered to the mailserver. Reading emails on a client (pc or iPhone) via IMAP also works fine within the LAN or in a WAN (outside office) environment. Sending only works within the LAN when I set the outgoing mailserver address directly to the IP address of the mailserver instead of the domain name of my external IP. From out of the office (e.g. iPhone on 4G or pc on remote LAN) I cannot use the internal IP address and I need to set the outgoing mailserver address to my external IP. This used to work all fine with my previous (other brand) UTM, but it doesn't here. The error I get is:

iPhone: The SMTP server '[domainname ext.IP]' does not support password identity controle.

pc/outlook2013: this server does not support any authentication methode

It looks like the XG (firewall rule? MTA?) is blocking the SMTP authentication on my mailserver from the outside coming in and not (of course) when addressing it directly.

 

Any suggestion where to look / resolve this?

best regards,

Martin



  • Martin,

    you have to allow relay from Hosts (any) and make sure authentication is checked, otherwise all external users can use your mail server as an open relay.

    You need to configure on your mobile the XG wan ip address in order to send/receive mails, if the mail server is hosted behind it.

    More information here:

    http://docs.sophos.com/nsg/sophos-firewall/v16012/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FHostBasedRelay.html%23

    Regards,

  • Thanks, although I didn't fix it yet. 

    Under Authentication I created some (home) users and put them in a group (family). I set the usernames and passwords identical to the ones on the mailserver, so there would not be a conflict there. I also set the login restriction to 'Any node' to be sure this would not block authenticating from the internet (both for the Group and the Users).

    Then, under Email > Relay Settings, I selected the suggested "Allow Relay from Hosts/Networks" to Any (and making it thus an open relay, for which it also warns) and selected the Group under Authenticated Relay Settings.

    Instead of using the WAN-IP in my email settings I use the hostname that refers to that address. This has always worked before as it still does for incoming email (so I guess the addressing is not the issue).

    But still the authentication from external fails (using the same authentication creds that work from the LAN).

    Any suggestions?

    thanks in advance - Martin

  • Martin,

    do you see any useful logs inside the awarrenmta.log inside the /var/tslog from shell?

    Thanks

  • Luk,

    To move on and get the XG working, I switched back to the Legacy mode and that all works now. I will look into the MTA mode later, when I got the rest also working.

    thanks for the efforts

    Martin

    I'm having the same issue - with MTA enabled I can't get my iPhone to use the XG MTA as the outgoing SMTP server from outside the LAN. It looks like the MTA can only accept connections on port 25. If this port is blocked by the ISP (in this case I believe it is - cellular connection) then I can't send emails outside of my LAN using the XG in MTA mode. My internal mail server accepts SSL encrypted connections on ports 25 and 465 for exactly this reason.

  • I have the same issue even with the port 25 open. It seems that remote authentication for MTA isn't working at all.

    :(
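
Added example (not part of the original thread and not Sophos code): the client errors quoted above are what mail clients typically report when the EHLO reply they receive lists no AUTH mechanism, so a useful check is to compare what the listener advertises before and after STARTTLS, from inside and outside the LAN. The function names, the result labels and the sample replies below are constructed for illustration; `probe()` uses only standard `smtplib` calls and is meant to be pointed at your own server.

```python
"""Report whether an SMTP listener advertises AUTH before and after STARTTLS."""
import smtplib

def parse_ehlo(reply: str) -> dict:
    """Parse a raw multi-line EHLO reply (RFC 5321) into {KEYWORD: [params]}."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # line 1 is only the greeting
        body = line[4:].strip()                   # drop "250-" or "250 "
        if not line.startswith("250") or not body:
            continue
        if body[:5].upper() == "AUTH=":           # legacy "AUTH=LOGIN PLAIN" form
            body = "AUTH " + body[5:]
        keyword, *params = body.split()
        features.setdefault(keyword.upper(), []).extend(p.upper() for p in params)
    return features

def diagnose(plain_reply: str, tls_reply: str = "") -> str:
    """Classify where AUTH is advertised, given EHLO replies before/after STARTTLS."""
    plain = parse_ehlo(plain_reply)
    if plain.get("AUTH"):
        return "auth-offered-before-tls"
    if "STARTTLS" not in plain:
        return "no-auth-no-starttls"              # client has nothing to log in with
    if not tls_reply:
        return "starttls-offered-recheck-after-tls"
    if parse_ehlo(tls_reply).get("AUTH"):
        return "auth-offered-after-starttls"      # client must be set to use STARTTLS
    return "no-auth-even-after-starttls"

def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: the AUTH parameter string seen at each stage (None if absent)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        seen = {"plain": s.esmtp_features.get("auth"), "tls": None}
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()                              # features must be re-read after TLS
            seen["tls"] = s.esmtp_features.get("auth")
        return seen

# Constructed sample replies, not captured from any real device.
DIRECT = "250-mail.example.test\n250-SIZE 52428800\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
VIA_GATEWAY = "250-gw.example.test Hello\n250-SIZE 52428800\n250-PIPELINING\n250 HELP"

if __name__ == "__main__":
    print("direct to mail server:", diagnose(DIRECT))
    print("through the gateway  :", diagnose(VIA_GATEWAY))
```

Running `probe()` once against the internal address and once against the external hostname shows whether AUTH disappears only on the path through the gateway.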
