
Help with NAT for email so mail server "sees" the originating IP address of the sender/receiver

Hi

With my existing NAT rules my mail server is working fine. However, it is seeing all connections as coming from my internal network (192.168.0). The issue with that is the mail server cannot stop naughty people trying to connect to my server to send spam - the server is set up to limit people sending outbound emails to 192.168.0.1 - 192.168.1.254. But since it is seeing all connections as coming from 192.168.0.1 (which is the Green NIC address on the UTM)

The email clients are set up to use the FQDN of the mail server (i.e. mail.mycompany.com) rather than the internal IP address of the mail server.

I see that my NAT rules are doing this. How can I change or all rules, so that I can achieve what I want?

Thanks


  • For incoming Mails to be allowed to your internal Mailserver, you only need one single DNAT, so anyone on the Internet can reach your Mailserver via Port 25 on your Public WAN IP on your Sophos UTM Device (which gets forwarded to your internal Mailserver). If you work with DNAT, only the destination gets translated and your internal Mailserver can still see the real Public IP those Mails are coming from.

    Additionally, you have here a FullNAT Rule which NATs Source and Destination. What's the intention of your SMTP/SMTPS FullNAT Rule? This Rule doesn't make any sense from my perspective.

    For outgoing Mails, you also need a Masquerading (or SNAT) Rule, so your Mailserver can send out mails and its private Source Address gets translated to the Public IP of your Sophos UTM.

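The reply above draws the distinction that matters for the original problem: DNAT rewrites only the destination, full NAT rewrites source and destination, and masquerading/SNAT rewrites the source of outbound traffic. The following simulation, added here as an illustration and not code from the thread or from Sophos, walks one constructed inbound SMTP packet through a DNAT rule and through a full NAT rule and then applies the mail server's relay policy from the post to what the server actually sees. All addresses are constructed (RFC 5737 documentation ranges on the public side; 192.168.0.25 is a hypothetical mail server address), and the allowed relay range 192.168.0.1 - 192.168.1.254 is approximated as 192.168.0.0/23.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Just the fields NAT touches: source, destination and destination port."""
    src: IPv4Address
    dst: IPv4Address
    dport: int


# Constructed addresses for the example; only 192.168.0.1 (the UTM green
# address) comes from the thread.
WAN_IP = ip_address("203.0.113.10")          # UTM public (WAN) address
GREEN_IP = ip_address("192.168.0.1")         # UTM internal (green) address
MAIL_SERVER = ip_address("192.168.0.25")     # hypothetical internal mail server
INTERNAL_NET = ip_network("192.168.0.0/23")  # approximates 192.168.0.1 - 192.168.1.254
MAIL_PORTS = {25, 465, 587}


def dnat(pkt: Packet) -> Packet:
    """DNAT: rewrite only the destination. The source address is left alone,
    so the mail server still sees the real client address."""
    if pkt.dst == WAN_IP and pkt.dport in MAIL_PORTS:
        return replace(pkt, dst=MAIL_SERVER)
    return pkt


def full_nat(pkt: Packet) -> Packet:
    """Full NAT: rewrite destination AND source. Every connection then arrives
    at the mail server looking like it came from the UTM's green address."""
    if pkt.dst == WAN_IP and pkt.dport in MAIL_PORTS:
        return replace(pkt, src=GREEN_IP, dst=MAIL_SERVER)
    return pkt


def masquerade(pkt: Packet) -> Packet:
    """Masquerading / SNAT for outbound mail: the private source address is
    replaced by the UTM's public address before the packet leaves."""
    if pkt.src in INTERNAL_NET and pkt.dst not in INTERNAL_NET:
        return replace(pkt, src=WAN_IP)
    return pkt


def relay_permitted(pkt_seen_by_server: Packet) -> bool:
    """The mail server's relay policy from the post: only internal sources
    may send outbound mail through it. It can only judge the source it sees."""
    return pkt_seen_by_server.src in INTERNAL_NET


def simulate() -> dict:
    """Run one constructed outside connection through each NAT style and one
    outbound delivery through masquerading; return what the server would see."""
    outsider = Packet(ip_address("198.51.100.7"), WAN_IP, 25)  # constructed Internet host
    via_full_nat = full_nat(outsider)
    via_dnat = dnat(outsider)
    outbound = masquerade(Packet(MAIL_SERVER, ip_address("198.51.100.25"), 25))
    return {
        "full_nat_src_seen": str(via_full_nat.src),
        "full_nat_relay_allowed": relay_permitted(via_full_nat),
        "dnat_src_seen": str(via_dnat.src),
        "dnat_relay_allowed": relay_permitted(via_dnat),
        "outbound_src": str(outbound.src),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the full NAT rule the outside host is presented to the server as 192.168.0.1 and passes the relay check, which is exactly the symptom described in the question; with plain DNAT the server sees 198.51.100.7 and correctly refuses to relay, while outbound mail still leaves with the WAN address as its source thanks to the masquerading rule.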
