This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SMTP Relaying

Hi,
Currently using Mail Proxy in Simple mode, have my relay set to Host-based relay for my internal network.  We're using a internal exchange server.

This is working fine however obviously with this no one can send any mail from an outside network (such as connecting through imap/smtp etc. via a phone or home computer that isn't vpn-ing in or going through OWA).

Just looking for the best way to allow such things without having a security risk;  Allowing any on the host-based I could easily see being an issue.  Obviously not possible to allow each individual's host network on the list.

Just wanted to know if there was another way that could be done that I'm not seeing, perhaps a way to say if it comes from the internal domain, regardless of the host address, let it send/relay through the smtp?
Thanks.

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

The Exchange server has to have the UTM listed as its smart host, preferably in the Exchange SMTP Connector.  The rest looks great!

This situation is addressed by something I've said here hundreds of times.  Actually, there are several things things like that so I finally put them into a list for me to reference and copy.  My Rule #2 applies here:
In general, a packet arriving at an interface is handled only by one of the following, in order:
DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.

The users need a DNAT to get SMTP to Exchange from their Androids, so you have to use a different IP for the SMTP DNAT.  I would suggest an FQDN like exchange.yourdomain.com that points at the additional IP.  Then, you can use that for OWA and everything else, including SMTP to Exchange.  You would wind up with a NAT rule like:
DNAT : Internet -> Email Messaging -> External [Exchange] (Address) : to {Exchange server}

Leave the service change blank and select auto firewall rules.

Did that work for you?

Cheers - Bob
PS You might want to tighten things up a bit and just list the services you want instead of the entire Email Messaging group - then you could include HTTP/S for OWA.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 12 years ago

The Exchange server has to have the UTM listed as its smart host, preferably in the Exchange SMTP Connector.  The rest looks great!

This situation is addressed by something I've said here hundreds of times.  Actually, there are several things things like that so I finally put them into a list for me to reference and copy.  My Rule #2 applies here:
In general, a packet arriving at an interface is handled only by one of the following, in order:
DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.

The users need a DNAT to get SMTP to Exchange from their Androids, so you have to use a different IP for the SMTP DNAT.  I would suggest an FQDN like exchange.yourdomain.com that points at the additional IP.  Then, you can use that for OWA and everything else, including SMTP to Exchange.  You would wind up with a NAT rule like:
DNAT : Internet -> Email Messaging -> External [Exchange] (Address) : to {Exchange server}

Leave the service change blank and select auto firewall rules.

Did that work for you?

Cheers - Bob
PS You might want to tighten things up a bit and just list the services you want instead of the entire Email Messaging group - then you could include HTTP/S for OWA.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ntoupin over 12 years ago in reply to BAlfson

The Exchange server has to have the UTM listed as its smart host, preferably in the Exchange SMTP Connector.  The rest looks great!

This situation is addressed by something I've said here hundreds of times.  Actually, there are several things things like that so I finally put them into a list for me to reference and copy.  My Rule #2 applies here:
In general, a packet arriving at an interface is handled only by one of the following, in order:
DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.

The users need a DNAT to get SMTP to Exchange from their Androids, so you have to use a different IP for the SMTP DNAT.  I would suggest an FQDN like exchange.yourdomain.com that points at the additional IP.  Then, you can use that for OWA and everything else, including SMTP to Exchange.  You would wind up with a NAT rule like:
DNAT : Internet -> Email Messaging -> External [Exchange] (Address) : to {Exchange server}

Leave the service change blank and select auto firewall rules.

Did that work for you?

Cheers - Bob
PS You might want to tighten things up a bit and just list the services you want instead of the entire Email Messaging group - then you could include HTTP/S for OWA.

We currently do have a external IP and FQDN that is being used for HTTP OWA:
m2.***.k12.ma.us   -  50.**.***.122

Just a little confused by what you said about the "additional" IP.  Do we need another separate IP from that to do the DNAT with SMTP for the devices?

We do currently have a DNAT setup going Source (Any for internet) -> Service HTTP (port 80 for non ssl) -> 50.**.***.122  (the external IP used for OWA access) -> To Internal Exchange Server

So we could (from my understanding of the second part you said) just set up a new service for that DNAT to include port 80 and say port 25 for the virtual smtp and use that.
Cancel
Vote Up 0 Vote Down

Cancel

SMTP Relaying

Submitted a Tech Support Case lately from the Support Portal?