Hi all. I have an interesting problem. For years, we've been passing SMTP traffic in the same way, so the existing rules for handling SMTP traffic date back from the v6 days. We just had an email kicked back to us because of an SPF fail. Ours is written to soft-fail, and evidently we've been soft-failing for years now. The inbound traffic is handled by the SMTP proxy with no problem, and let's say the external MX record points to x.x.x.131 (WAN_outgoing_smtp_traffic) for smtp.foo.bar. Also, let's say that the external interface of this firewall is x.x.x.130 (WAN). It turns out that SMTP has been coming in to 131 and leaving via the generic masqueraded address of 130, despite having a specific SNAT command that says, "for any internal IP address using SMTP, NAT outgoing to 131 (WAN_outgoing_smtp_traffic)." What gives? Why would this be happening?
Could this be related to this interesting tidbit, which I've not ever seen before, in the online documentation about SNAT, which says,
"Note – You have to add the SNAT rules before you activate the Web Filter. The UTM priorities [sic] Web Filter settings higher than SNAT rules. If you select a SNAT rule while the Web Filter is activated the rule may not work. You can activate or deactivate the Web Filter on the Web Protection > Web Filtering > Global page."
Just for fun, I turned off the SNAT command for SMTP, turned off the Web Filtering, created a new equivalent SNAT command for SMTP, turned it on, and then turned on the Web Filtering. No change.
TIA,
Brian
This thread was automatically locked due to age.
