Just moved to Astaro and I need to get SPAM detection running a bit stricter than the default settings. A lot of SPAM is getting through and not even being tagged.
some users also mistakenly make a port-forward/dnat rule for smtp port 25 to their mail server (forwarding rule) which actually jumps right over the SMTP proxy, and can give rise to a sense that our spam detection isnt working right (which its not since it doesnt have any chance to the filter the messages then).
Just checking to make sure this doesn't apply to you. There should be no dnats for port 25 at all, since the SMTP proxy itself does the routing/filtering.
yes, in the scheme of things in ASG, the dnat rules happpen before the proxies, so if you are doing (the usually correct) thing of making a forwarding rule, this will jump you over a configured feature like a mail proxy.
The POP3 proxy is transparent, as is designed for clients who are checking pop3 messages via a client on the lan and going out to a server on the internet. If you have incoming visitors popping your to local server then the mail has already arrived at the server and is already filtered, hence we don't filter it leaving the server via pop3 to a client outside asg.
The logic for that smtp situation is you have already defined in the smtp proxy the domain involved and where the mail server is as the target, hence you dont need a DNAT as that would be redundant.
Which logic applies to an FTP server behind the ASG? Is it proxied like SMTP or DNAT'd like POP3. I ask this because I cannot get passive FTP (PASV) working. Or do I need DNAT+SNAT for that case?
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
and there are no stupid questions here. We like helping, and its usually much better to ask a question which is quickly answered than pouring through everything looking for something to tip you the correct way. Astaro is actually fairly easy to use, especially vs. some other solutions in the space, however it still requires a grasp of how "we" do things vs. what you might be used to.
If something which is asked is going to take a huge reply, and there is however some sort of document which might better help you, it is usually suggested/pointed out.
May I suggest the addition of a HOWTO section here in the Forums with usage scenarios defined. For example:
HOWTO deploy an FTP server behind an ASG firewall. HOWTO allow connectivity for a DirecTV HR20/700 VOD receiver. HOWTO deploy an e-mail server behind an ASG firewall. HOWTO deploy an Exchange 2*** server behind an ASG firewall.
Theoretically, that is what one should find in the Astaro KnowledgeBase. I agree that Astaro should do a better job of facilitating and certifying contributions by experienced users.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
