SMTP port 25 outbound being dropped

I couldn't find a specific answer to this. So, sorry in advance if it is already answered.

Our UTM is dropping outbound TCP port 25 without any information on where the DROP is defined (logs don't have DEFAULT DROP, etc after time, before protocol). I do not have any automatic rules defined, all firewall rules have been manually created. I put a test rule at the top allowing TCP port 25 from a specific local IP to a specific external IP, no dice, initial SYN packet dropped. I even created a new service definition for TCP/UDP port 25 and set the rule to log initial packets. No logged packet in the logs, just the log about the packet being dropped by some unknown rule. Something is filtering the packets before they get to the defined (user or auto) firewall rules.

I read about SMTP proxy creating a hidden rule. Our UTM is only licensed for Network and Webserver Protection. We want to send SMTP emails from specific internal hosts to specific external hosts. 
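The dropped-packet entries described above are the key="value" records that the Sophos UTM packet filter writes to the firewall log. The script below is an added example, not code from this thread or from Sophos: it parses such lines, counts drops by the fwrule id that produced them, and for one source host and destination port lists which rule ids dropped its new connections (SYN only), so that a drop attributed to no user-created rule can be separated from ordinary RST noise. The log lines are constructed for the example; the field names (action, fwrule, srcip, dstip, proto, dstport, tcpflags) are assumed from the usual ulogd output, and the rule id 60001 is used here to stand for the implicit default-drop rule.

```python
import re
from collections import Counter

# Constructed sample of Sophos UTM packetfilter log lines (not captured from a real system).
# Field names follow the key="value" ulogd format; only the fields used below matter.
SAMPLE_LOG = """\
2024:01:15-10:02:11 utm ulogd[2512]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.5.20" dstip="198.51.100.25" proto="6" srcport="51234" dstport="25" tcpflags="SYN"
2024:01:15-10:02:12 utm ulogd[2512]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.5.20" dstip="198.51.100.25" proto="6" srcport="51234" dstport="25" tcpflags="SYN"
2024:01:15-10:02:13 utm ulogd[2512]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="10.10.7.8" dstip="10.10.1.50" proto="6" srcport="10050" dstport="10051" tcpflags="RST"
2024:01:15-10:02:14 utm ulogd[2512]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth1" srcip="10.10.5.20" dstip="203.0.113.9" proto="6" srcport="51300" dstport="443" tcpflags="SYN"
2024:01:15-10:02:15 utm ulogd[2512]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" initf="eth1" srcip="10.10.5.20" dstip="198.51.100.25" proto="6" srcport="51235" dstport="25" tcpflags="SYN"
"""

# One key="value" pair; values in this format never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

NO_RULE = "<no fwrule>"  # marker for drops that carry no fwrule id at all


def parse_line(line):
    """Return the key/value fields of one packetfilter line, or None for any other line."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    return fields


def parse_log(text):
    """Parse every packetfilter line in a block of log text."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def summarize_drops(text):
    """Count dropped packets by (rule id, IP protocol, destination port, TCP flags).

    Grouping on the flags separates new-connection SYN drops from RST drops, which
    usually belong to sessions whose state had already expired on the firewall.
    """
    counts = Counter()
    for f in parse_log(text):
        if f.get("action") != "drop":
            continue
        key = (f.get("fwrule", NO_RULE), f.get("proto"), f.get("dstport"), f.get("tcpflags", ""))
        counts[key] += 1
    return counts


def explain_port_drops(text, srcip, dstport):
    """For one source host and destination port, map each dropping rule id to its SYN-drop count.

    A user-created allow rule that is actually matching would show up as accepts; if the
    drops still appear, the rule id here tells whether a numbered rule or something with
    no rule id (filtering ahead of the rule set) is responsible.
    """
    rules = Counter()
    for f in parse_log(text):
        if (
            f.get("action") == "drop"
            and f.get("srcip") == srcip
            and f.get("dstport") == dstport
            and "SYN" in f.get("tcpflags", "")
        ):
            rules[f.get("fwrule", NO_RULE)] += 1
    return dict(rules)


if __name__ == "__main__":
    for key, n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print("rule=%-12s proto=%s dstport=%-5s flags=%-4s drops=%d" % (key + (n,)))
    print(explain_port_drops(SAMPLE_LOG, "10.10.5.20", "25"))
```

Feeding the live firewall log (or an exported log file) to `explain_port_drops` with the sending host and port 25 gives, for each rule id, how many connection attempts it dropped; entries under the no-rule marker are the ones worth chasing outside the user-created rule list.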



  • So, is the smtp proxy turned on?

    Under Email protection > SMTP on top right hand side. Is the slider green?

  • Louis-M thank you for the reply.

    Our UTM is not licensed for Email Protection, so all those components are greyed out/disabled.

  • Ok, so the test rule is number 1? And traffic is flowing to the internet?

    Have you checked the intrusion and application log too? I had a case where the FW was showing http traffic passing but it was being blocked by the application filter.

  • Yes, it is. There are rules to allow SMTP in various groups (we have things split into multiple vlans/subnets) that weren't working, so I created the test rule right at the top. When 'Automatic firewall rules' is selected from the pull down nothing shows, when 'All' or 'User-created firewall rules' is selected the full list of defined rules shows.

    Traffic to/from the internet works. If I watch the live firewall log, I see the Default DROP rule blocking a lot of RST packets being sent from various Zabbix agents in the network to our Zabbix server, as well as the usual unwanted/unsolicited external traffic testing the perimeter.

    Thanks for the IPS heads up. When I have both live logs going (firewall and IPS) and try to telnet from/to the hosts I have defined in the test rule it times out with the firewall log showing the dropped packets, but nothing in the IPS log.

    As for Application Control, we don't have the Web Protection component, so that is all disabled/greyed out.

  • So the rule at the top you have is:

    Source: Sending host
    Source Port: any

    Destination: any
    Destination Port: tcp/25

    Logging: enabled

    There shouldn't be any reason the above won't work assuming you have your source nat or masq setup and dns configured.

    You should see a hit on the FW log when you try to send mail

  • Basically, with the following differences ...

    Destination: Destination host

    Destination Port: TCP/UDP 25

    I do not see anything in the firewall logs from the 'Logging: enabled' option. There is only the DROP log entry, which makes me think it is being dropped before the Firewall rules are processed.

    I tried enabling logging of invalid packets (I am stretching now obviously) and see those logs beside the logs for the dropped RST packets from the Zabbix agents, but nothing beside the dropped TCP port 25 packets, so that is not it.

    I changed the destination to ANY per your suggestion and still the same thing.

  • As a temporary measure, try:

    Source = your sending host
    Source port = any
    Destination port = any
    Destination = any
    Logging = yes
    Rule position = top

    That should allow any traffic from your sending host and it should be logged in that direction. Are you seeing anything there?
