ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#1, 01-09-2013, 01:52 PM
SMTP Relaying

Hi,
Currently using the Mail Proxy in Simple mode, with my relay set to Host-based relay for my internal network. We're using an internal Exchange server.

This is working fine; however, obviously with this no one can send any mail from an outside network (such as connecting through IMAP/SMTP etc. via a phone or home computer that isn't VPN-ing in or going through OWA).

Just looking for the best way to allow such things without creating a security risk; allowing "Any" on the host-based relay I could easily see being an issue. Obviously it's not possible to allow each individual's host network on the list.


Just wanted to know if there was another way that could be done that I'm not seeing, perhaps a way to say if it comes from the internal domain, regardless of the host address, let it send/relay through the smtp?
Thanks.

Last edited by ntoupin; 01-09-2013 at 02:10 PM.
BAlfson (Grandis Professorem Astaro)
Join Date: Mar 2007
Location: Oklahoma City
Posts: 14,313
#2, 01-09-2013, 04:18 PM

If you put "Any" into 'Host-based relay', you will create an "open relay" and will get your IP blacklisted within hours as spammers will find it quickly. The only thing that should be in there is the Host definition for your Exchange server.

If people are allowed to use email clients internally to access other email services (like Google, etc.), then you should make one or more firewall rules like:
Allow : Internal (Network) -> Email Messaging -> {Group with DNS Hosts for imap.gmail.com, smtp.gmail.com, mail.toupin.org, etc.}
I don't like to open that up generally to "Internet" unless you have an extra IP on the External interface so that you can
SNAT : Internal (Network) -> Email Messaging -> Internet : from External [Messaging] (Address)
You might want to add "VPN Pool (SSL)" or other to "Internal (Network)" in the firewall and NAT rules.

As for allowing relay without the individuals connecting to Exchange, that's possible, but why?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#3, 01-09-2013, 05:28 PM

Quote: Originally Posted by BAlfson (post #2, quoted in full)
Internal users are only using the local exchange server for email, they don't need access to other email services.

Basically, due to various users using Android mobile devices, the built-in "mail" apps can be configured through IMAP or POP. Having the SMTP proxy filter mail for the Exchange server as it is now blocks the devices from sending mail through SMTP, because they don't have a source host in the internal network that is defined in the host-based relay.

So the mobile devices connect to the exchange server's imap fine, can receive mail, etc. but when they try to send via the virtual smtp on the exchange server it gets filtered by the smtp proxy:
Code:
2013:01:09-13:25:54 HS1ASG exim-in[26985]: 2013-01-09 13:25:54 H=78.sub-70-215-7.myvzw.com ([10.***.***.***]) [70.215.x.xx]:33252 F=<*****@hopedale.k12.ma.us> rejected RCPT <*****@gmail.com>: Relay not permitted
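The exchange in posts #2 and #3 comes down to one decision the SMTP proxy makes per RCPT: accept inbound mail for its own domains from anyone, but relay to foreign domains only from sources in the host-based relay list. The following is an added example, not Sophos/Astaro code, that models that decision and parses reject lines in the format quoted above so the "Relay not permitted" events can be counted per connecting IP. The domains, addresses, the `LOCAL_DOMAINS` value and all log lines are constructed; the only thing taken from the page is the shape of the exim-in reject line.

```python
"""Host-based relay decision and exim-style reject-log parsing.

Added example, not Sophos/Astaro code. It models the 'Host-based relay'
behaviour discussed in the thread: the SMTP proxy accepts mail addressed
to its own domains from anyone, but relays to foreign domains only when
the connecting IP is inside an allowed relay network. Putting 'Any' in
that list makes every source a permitted relay source, i.e. an open relay.
All domains, addresses and log lines below are constructed; the log
format follows the 'Relay not permitted' line quoted in the thread.
"""
import ipaddress
import re
from collections import Counter

# Domains the proxy accepts inbound mail for (constructed value).
LOCAL_DOMAINS = {"school.example"}

# Loose match for the exim-in reject line format quoted in the thread.
REJECT_RE = re.compile(
    r"H=(?P<helo>\S+)\s+\(\[(?P<internal>[^\]]*)\]\)\s+"
    r"\[(?P<src>[^\]]+)\]:(?P<port>\d+)\s+"
    r"F=<(?P<sender>[^>]*)>\s+rejected RCPT <(?P<rcpt>[^>]*)>:\s*(?P<reason>.*)$"
)

# Constructed sample log lines in that format (documentation IP ranges).
SAMPLE_LOG = [
    "2013:01:09-13:25:54 HS1ASG exim-in[26985]: 2013-01-09 13:25:54 "
    "H=mobile-1.carrier.example ([10.0.0.5]) [203.0.113.7]:33252 "
    "F=<user@school.example> rejected RCPT <friend@example.net>: Relay not permitted",
    "2013:01:09-13:26:10 HS1ASG exim-in[26990]: 2013-01-09 13:26:10 "
    "H=mobile-1.carrier.example ([10.0.0.5]) [203.0.113.7]:33260 "
    "F=<user@school.example> rejected RCPT <list@example.com>: Relay not permitted",
    "2013:01:09-13:27:02 HS1ASG exim-in[27001]: 2013-01-09 13:27:02 "
    "H=host.example.org ([192.0.2.9]) [198.51.100.9]:41000 "
    "F=<spam@example.org> rejected RCPT <victim@example.net>: Relay not permitted",
    "2013:01:09-13:27:30 HS1ASG exim-in[27005]: 2013-01-09 13:27:30 "
    "H=mx.example.org ([192.0.2.10]) [198.51.100.10]:41010 "
    "F=<bad@example.org> rejected RCPT <user@school.example>: Sender verify failed",
    "2013:01:09-13:28:00 HS1ASG exim-in[27010]: 2013-01-09 13:28:00 "
    "<= user@school.example H=exchange.school.example [10.0.0.5] P=esmtp S=2048",
]


def relay_decision(src_ip, rcpt, allowed_relay_networks, local_domains=LOCAL_DOMAINS):
    """Decide a RCPT TO the way a host-based relay list does.

    Mail for one of our own domains is always accepted (ordinary inbound
    delivery). Mail for any other domain is a relay request and is accepted
    only if the connecting IP lies inside an allowed network.
    """
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return "accept"
    ip = ipaddress.ip_address(src_ip)
    for net in allowed_relay_networks:
        if ip in ipaddress.ip_network(net, strict=False):
            return "accept"
    return "reject: Relay not permitted"


def is_open_relay(allowed_relay_networks):
    """True when the list amounts to 'Any': a zero-length prefix covers all sources."""
    return any(
        ipaddress.ip_network(net, strict=False).prefixlen == 0
        for net in allowed_relay_networks
    )


def parse_reject_line(line):
    """Extract fields from a reject line; None for lines in another format."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize_relay_rejects(lines):
    """Count 'Relay not permitted' rejections per connecting IP.

    A burst from one carrier address is the thread's own symptom (phones
    trying to send through the proxy); a spread across many unrelated
    addresses is exactly what the relay list exists to refuse.
    """
    counts = Counter()
    for line in lines:
        rec = parse_reject_line(line)
        if rec and rec["reason"].startswith("Relay not permitted"):
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(relay_decision("203.0.113.7", "friend@example.net", ["10.0.0.0/8"]))
    print(is_open_relay(["0.0.0.0/0"]))
    print(summarize_relay_rejects(SAMPLE_LOG))
```

Run against the constructed lines, the phone on 203.0.113.7 is refused twice while its inbound mail to school.example is accepted, which is the situation described in post #3; the same decision with `["0.0.0.0/0"]` as the relay list accepts everything, which is the open relay Bob warns about.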
BAlfson (Grandis Professorem Astaro)
Join Date: Mar 2007
Location: Oklahoma City
Posts: 14,313
#4, 01-09-2013, 07:48 PM

Ahhhh... Is the SMTP Proxy in transparent mode?

Do you have a separate public IP for the devices to reach the server (not the one that the FQDN in your MX record points to)?

Cheers - Bob

Sorry for any short responses! Posted from my iPhone.

PS Please compare your configuration to: Exchange with SMTP Proxy

Last edited by BAlfson; 01-09-2013 at 07:51 PM. Reason: PS
ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#5, 01-09-2013, 10:54 PM

Quote: Originally Posted by BAlfson (post #4, quoted in full)

It's not in transparent mode.
I don't have a separate IP set up right now; I have one static IP for all outside connections to the Exchange server (it's pretty much been used strictly for OWA when outside the internal network, and now it is wanted for those extra devices as well).
I do have a spare IP I could set up for it though if that's the only way to do so..


(I didn't set up the settings in this, I've come into this after the fact so just saying what's there at the moment)
ASG settings compared to that post:
- Isn't currently using the smarthost setting, is this needed?
- Global tab is set up the same
- Routing is set up the same
- Antivirus has "Reject Malware during SMTP transaction" enabled & single scan enabled
- Antispam has same & reject invalid helos, use batv, and perform spf check
- Exceptions empty
- Relay host-based relay has the internal network not just the exchange server, "Scan relayed (outgoing) messages" is enabled
BAlfson (Grandis Professorem Astaro)
Join Date: Mar 2007
Location: Oklahoma City
Posts: 14,313
#6, 01-09-2013, 11:12 PM

The Exchange server has to have the UTM listed as its smart host, preferably in the Exchange SMTP Connector. The rest looks great!

This situation is addressed by something I've said here hundreds of times. Actually, there are several things like that, so I finally put them into a list for me to reference and copy. My Rule #2 applies here:
In general, a packet arriving at an interface is handled only by one of the following, in order:
DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.
The users need a DNAT to get SMTP to Exchange from their Androids, so you have to use a different IP for the SMTP DNAT. I would suggest an FQDN like exchange.yourdomain.com that points at the additional IP. Then, you can use that for OWA and everything else, including SMTP to Exchange. You would wind up with a NAT rule like:
DNAT : Internet -> Email Messaging -> External [Exchange] (Address) : to {Exchange server}
Leave the service change blank and select auto firewall rules.

Did that work for you?

Cheers - Bob
PS You might want to tighten things up a bit and just list the services you want instead of the entire Email Messaging group - then you could include HTTP/S for OWA.

Last edited by BAlfson; 01-09-2013 at 11:16 PM. Reason: PS
ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#7, 01-10-2013, 04:23 PM

Quote: Originally Posted by BAlfson (post #6, quoted in full)
We currently do have an external IP and FQDN that is being used for HTTP OWA:
m2.***.k12.ma.us - 50.**.***.122

Just a little confused by what you said about the "additional" IP. Do we need another separate IP from that to do the DNAT with SMTP for the devices?

We do currently have a DNAT setup going Source (Any for internet) -> Service HTTP (port 80 for non ssl) -> 50.**.***.122 (the external IP used for OWA access) -> To Internal Exchange Server

So we could (from my understanding of the second part you said) just set up a new service for that DNAT to include port 80 and say port 25 for the virtual smtp and use that.
BAlfson (Grandis Professorem Astaro)
Join Date: Mar 2007
Location: Oklahoma City
Posts: 14,313
#8, 01-10-2013, 05:14 PM

Quote:
Just a little confused by what you said about the "additional" IP. Do we need another separate IP from that to do the DNAT with SMTP for the devices?
No, the one is fine. Just add the needed services (SMTP, etc.) to your current DNAT.

Quote:
50.**.***.122 (the external IP used for OWA access)
If this already works, then the following is meant only for others that read this thread. Assuming that this IP is an Additional Address named "Exchange" on the External interface, the traffic selector can't work with a regular Host definition in the traffic selector - the target must be the object created by WebAdmin when the address was defined: "External [Exchange] (Address)".

Cheers - Bob
ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#9, 01-11-2013, 02:52 PM

Quote: Originally Posted by BAlfson (post #8, quoted in full)
Hi Bob, have been waiting for a non-crucial time here to try this so there's no interruption of email. Thanks for the info will let you know the outcome.
ntoupin (Junior Member)
Join Date: Jul 2012
Posts: 20
#10, 01-11-2013, 05:32 PM

Quote: Originally Posted by ntoupin (post #9, quoted in full)
Hi Bob,

Here's what I did:

- Added the internal address of the ASG as a smarthost via an exchange connector on the exchange server
- Changed the DNAT rule to the following:
Code:
Traffic selector:		Any	→		Exchange DNAT (Port 80, 143, 25)	→		External (WAN) (Address)
Destination translation:		Internal mail server
Automatic Firewall rule:	checked

This did allow the devices to send and receive mail without issue; however, enabling this DNAT rule for SMTP (25) makes all mail skip the SMTP proxy on the firewall (nothing is in the live log for SMTP once the DNAT for SMTP 25 is enabled, and no spam is filtered).
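The symptom in post #10 follows directly from Bob's Rule #2 in post #6: a packet arriving at an interface is claimed by the first of DNAT, proxy, then firewall rule that matches, and later stages are never consulted. The following is an added example, not Sophos/Astaro code, that implements that ordering as a small classifier and runs the post #10 DNAT through it with and without port 25 in its service set. The external address (a documentation range standing in for the masked one), the rule names, the proxy object and the single firewall rule are assumptions chosen to mirror the thread's entries.

```python
"""Packet-handling order on the UTM, modelled as a tiny classifier.

Added example, not Sophos/Astaro code. It turns Bob's 'Rule #2' from the
thread into a decision procedure: for a packet arriving at an interface,
DNAT rules are consulted first, then the proxies listening on that
interface, then manual routes and firewall rules. Running it with the
DNAT from post #10 shows why adding port 25 to that rule makes inbound
SMTP bypass the SMTP proxy. Rule names, the external address and the
firewall rule are assumptions chosen to mirror the thread's entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str   # where the packet arrives from, e.g. "Internet"
    dst_ip: str     # destination address on the UTM's external interface
    dport: int      # destination TCP port


@dataclass(frozen=True)
class DnatRule:
    name: str
    src_zone: str       # "Any" or a zone name
    dst_ip: str         # external address in the traffic selector
    ports: frozenset    # service ports in the traffic selector
    target: str         # destination translation


@dataclass(frozen=True)
class Proxy:
    name: str
    ports: frozenset
    listen_ip: str      # "*" = accepts on every address (assumed here)


def handle_packet(pkt, dnats, proxies, firewall_rules):
    """Return (stage, detail) for the first stage that claims the packet.

    Order follows Rule #2: DNAT, then proxies, then firewall rules.
    A later stage is never consulted once an earlier one matches.
    """
    for r in dnats:
        if (r.src_zone in ("Any", pkt.src_zone)
                and r.dst_ip == pkt.dst_ip
                and pkt.dport in r.ports):
            return ("dnat", f"{r.name} -> {r.target}")
    for p in proxies:
        if pkt.dport in p.ports and p.listen_ip in ("*", pkt.dst_ip):
            return ("proxy", p.name)
    for fr in firewall_rules:
        if fr["src_zone"] in ("Any", pkt.src_zone) and pkt.dport in fr["ports"]:
            return ("firewall", f"{fr['name']}: {fr['action']}")
    return ("drop", "default deny")


EXTERNAL_IP = "198.51.100.122"      # constructed stand-in for the masked address
EXCHANGE = "Internal mail server"   # destination translation target, as in post #10

# Non-transparent SMTP proxy: the UTM's own MTA answers on port 25 (assumed
# to listen on every address for this model).
SMTP_PROXY = Proxy("SMTP Proxy (exim-in)", frozenset({25}), "*")
# One assumed firewall rule so the third stage has something to match.
FIREWALL = [{"name": "Allow OWA", "src_zone": "Any", "ports": {443}, "action": "allow"}]


def exchange_dnat(ports):
    """The 'Exchange DNAT' rule from post #10 with a chosen service set."""
    return [DnatRule("Exchange DNAT", "Any", EXTERNAL_IP, frozenset(ports), EXCHANGE)]


def route_inbound(dport, dnat_ports):
    """Where an Internet packet to the external address on `dport` ends up."""
    pkt = Packet("Internet", EXTERNAL_IP, dport)
    return handle_packet(pkt, exchange_dnat(dnat_ports), [SMTP_PROXY], FIREWALL)


def compare_smtp_paths():
    """Port 25 with and without 25 in the DNAT's service list."""
    return {
        "dnat_80_143_25": route_inbound(25, {80, 143, 25}),
        "dnat_80_143": route_inbound(25, {80, 143}),
    }


if __name__ == "__main__":
    for label, outcome in compare_smtp_paths().items():
        print(f"{label}: {outcome}")
```

With 25 in the DNAT's service list the classifier hands port 25 to the DNAT and the proxy stage is never reached, which is the empty SMTP live log reported above; with only 80 and 143 in the DNAT, port 25 falls through to the proxy while IMAP and HTTP still reach Exchange through the DNAT. The model only encodes the ordering stated in the thread; it does not know about the proxy's own routing, which is what delivers proxied mail on to Exchange.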