
SMTP port 25 outbound being dropped

I couldn't find a specific answer to this. So, sorry in advance if it is already answered.

Our UTM is dropping outbound TCP port 25 without any information on where the DROP is defined (logs don't have DEFAULT DROP, etc after time, before protocol). I do not have any automatic rules defined, all firewall rules have been manually created. I put a test rule at the top allowing TCP port 25 from a specific local IP to a specific external IP, no dice, initial SYN packet dropped. I even created a new service definition for TCP/UDP port 25 and set the rule to log initial packets. No logged packet in the logs, just the log about the packet being dropped by some unknown rule. Something is filtering the packets before they get to the defined (user or auto) firewall rules.

I read about SMTP proxy creating a hidden rule. Our UTM is only licensed for Network and Webserver Protection. We want to send SMTP emails from specific internal hosts to specific external hosts. 



  • So, is the smtp proxy turned on?

    Under Email protection > SMTP on top right hand side. Is the slider green?

  • Louis-M thank you for the reply.

    Our UTM is not licensed for Email Protection, so all those components are greyed out/disabled.

  • Yes, it is. There are rules to allow SMTP in various groups (we have things split into multiple vlans/subnets) that weren't working, so I created the test rule right at the top. When 'Automatic firewall rules' is selected from the pull down nothing shows, when 'All' or 'User-created firewall rules' is selected the full list of defined rules shows.

    Traffic to/from the internet works. If I watch the live firewall log, I see the Default DROP rule blocking a lot of RST packets being sent from various Zabbix agents in the network to our Zabbix server, as well as the usual unwanted/unsolicited external traffic testing the perimeter.

    Thanks for the IPS heads up. When I have both live logs going (firewall and IPS) and try to telnet from/to the hosts I have defined in the test rule it times out with the firewall log showing the dropped packets, but nothing in the IPS log.

    As for Application Control, we don't have the Web Protection component, so that is all disabled/greyed out.

  • So the rule at the top you have is:

    Source: Sending host
    Source Port: any

    Destination: any
    Destination Port: tcp/25

    Logging: enabled

    There shouldn't be any reason the above won't work assuming you have your source nat or masq setup and dns configured.

    You should see a hit on the FW log when you try to send mail

  • Basically, with the following differences ...

    Destination: Destination host

    Destination Port: TCP/UDP 25


    I do not see anything in the firewall logs from the 'Logging: enabled' option. There is only the DROP log entry, which makes me think it is being dropped before the Firewall rules are processed.

    I tried enabling logging of invalid packets (I am stretching now obviously) and see those logs beside the logs for the dropped RST packets from the Zabbix agents, but nothing beside the dropped TCP port 25 packets, so that is not it.


    I changed the destination to ANY per your suggestion and still the same thing.


  • As a temporary measure, try:

    Source = your sending host
    Source port = any
    Destination port = any
    Destination = any
    Logging = yes
    Rule position = top

    That should allow any traffic from your sending host and it should be logged in that direction. Are you seeing anything there?

  • Louis-M,

    Well, that filled my logs up with a LOT of allowed traffic (the zabbix agent RST now passed), but not the TCP port 25.

  • Ok, we can see DNS is going there.

    I'm not sure why there is a blank space under the disallowed rule. Not seen that before. Maybe somebody else could shed some light on that?

  • Yeah, that is the frustrating part. It isn't giving any indication why it is being dropped/what is dropping it.

    I am going to reach out to Sophos Support and see what they say. I'll post what is discovered.

  • If you do, phone them. I once tried to do it via email and it took months. They have improved massively in the last year or so and the two occasions I have called them, they have resolved straight away. One of them was a rule in the application filter. They will remote in via 123rescue.com and want CLI access so best to get that prepped beforehand to save time.

  • Louis-M,

    Thanks for the insight! 

  • Al, can you confirm that you're not violating #3 in Rulz?  Show us a picture of your existing firewall rule.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to a blocked line above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
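A quick way to pull out the full-log lines Bob is asking for, as an added example that is not part of the original thread: it parses the key="value" fields of UTM packetfilter log entries and lists drops to TCP/25 together with the fwrule id, flagging entries that carry none (the "blank space" seen in the live log). The sample lines are constructed, and the field names (sub, action, fwrule, srcip, dstip, proto, dstport, tcpflags) are assumed to match the UTM ulogd log format.

```python
import re

# Constructed sample entries in the key="value" style of the UTM packetfilter (ulogd) log.
# Field names follow the UTM format; addresses, ids and timestamps are made up.
SAMPLE_LOG = """\
2019:01:10-09:15:02 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.10" dstip="198.51.100.5" proto="6" length="40" ttl="63" srcport="10050" dstport="10051" tcpflags="RST"
2019:01:10-09:15:03 utm ulogd[4242]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" initf="eth1" srcip="192.0.2.20" dstip="203.0.113.25" proto="6" length="60" ttl="63" srcport="50412" dstport="25" tcpflags="SYN"
2019:01:10-09:15:04 utm ulogd[4242]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="192.0.2.20" dstip="203.0.113.53" proto="17" length="70" ttl="63" srcport="41000" dstport="53"
"""

# Matches one key="value" pair; values in this log never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one ulogd line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))


def drops_to_port(lines, dstport="25", proto="6"):
    """Return packetfilter drops for the given destination port and IP protocol
    (6 = TCP). Each hit records the rule id, or "(none)" when the log line
    carries no fwrule field, which is what distinguishes a packet dropped by
    a numbered firewall rule from one dropped by some other component."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("sub") != "packetfilter" or rec.get("action") != "drop":
            continue
        if rec.get("dstport") != dstport or rec.get("proto") != proto:
            continue
        hits.append({
            "src": rec.get("srcip"),
            "dst": rec.get("dstip"),
            "flags": rec.get("tcpflags", ""),
            "fwrule": rec.get("fwrule") or "(none)",
        })
    return hits


if __name__ == "__main__":
    for hit in drops_to_port(SAMPLE_LOG.splitlines()):
        print(f'{hit["src"]} -> {hit["dst"]}:25 {hit["flags"]} fwrule={hit["fwrule"]}')
```

Run it against `/var/log/packetfilter.log` instead of the constructed sample to see whether the TCP/25 drops carry a rule id at all.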