I’ve been looking a bit more into the mail security options in UTM, when I discovered something odd. There is no configuration option anywhere to bind the SMTP proxy to a specific NIC/IP address. The documentation found here for 9.2 makes no mention of how to configure this either. After some searching I found that enabling the SMTP proxy activates it on every available interface. Really?! 😯

Which is rather strange. Granted, the service has to be publicly reachable for it to work, but it is still strange to have it listening on every available IP address. I know lots of customers who use a lot of external IP addresses, some even a whole /24 range. Having the service listen on all of them just doesn’t make sense to me.

It is technically possible to bind the service to a single IP address using the method described at: http://www.sophos.com/en-us/support/knowledgebase/115569.asp. But this method has the disadvantage that the setting is overwritten every time you update your firmware. Not something you want in a production environment.

However, this doesn’t mean it will take over every available port 25. If there is already an SMTP (or any other service on port 25) NAT forwarding rule active, that rule overrules the SMTP proxy binding. For example: if you have IP1 through IP5 and an active NAT forwarding rule on IP4 port 25, then after enabling the SMTP proxy the proxy service will be bound to IP1, IP2, IP3 and IP5. IP4 port 25 will still follow the NAT rule.

This, together with not being able to set custom EHLO hostnames for a specific domain, is a known feature request: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/178318-smtp-multiple-hostnames-interfaces-support. It currently has 307 votes (310 after my 3 votes 🙂). For those not familiar with the voting system, more info can be found in this article.

The fact that you’re reading this probably means you’ve run into this issue. If you have a couple of votes left, use them wisely! 🙂

Categories: Sophos UTM

2 Comments

  1. Richard

    I know this is a bit old, would you happen to still have the instructions in the link you mentioned above? –> http://www.sophos.com/en-us/support/knowledgebase/115569.asp.

    This link appears to be dead now.

  2. Eric Verdurmen

    Indeed, that page seems to be gone. The way to do it:
    – SSH to your UTM and become root
    – with vi, edit this file: /var/storage/chroot-smtp/etc/exim.conf
    – edit this line, remove the # and enter your public IP address to reflect your MX record (like mx.yourdomain.com):
    local_interfaces = [UTM_IP]
    – restart your EXIM service:
    /var/mdw/scripts/smtp restart

    But remember, this setting will be overwritten after applying an update.
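Because the edit in the comment above is lost on every firmware update, the check a practitioner wants is one that tells whether the `local_interfaces` line is still active and re-applies it if not. The following POSIX shell script is an added example, not code from the post, its comments or Sophos; the config path and line format are taken from the comment, the IP address is a constructed placeholder, and the exim restart command is only invoked when you pass `restart`.

```shell
#!/bin/sh
# Added example (not from the post or from Sophos): detect and repair the
# exim.conf binding workaround described in the comment above.
# Path and option name come from the comment; EXPECTED_IP is a placeholder.

EXIM_CONF="${EXIM_CONF:-/var/storage/chroot-smtp/etc/exim.conf}"
EXPECTED_IP="${EXPECTED_IP:-198.51.100.25}"   # constructed placeholder, replace with your MX IP

# Print the active local_interfaces value, or "ALL" when the option is
# missing or commented out (exim then listens on every interface).
smtp_binding() {
    val=$(sed -n 's/^[[:space:]]*local_interfaces[[:space:]]*=[[:space:]]*//; T; s/[[:space:]]*$//p' "$1" | tail -n 1)
    if [ -z "$val" ]; then echo "ALL"; else echo "$val"; fi
}

# Return 0 when the file binds exim to the expected IP, 1 otherwise.
# Suitable as a cron job that alerts after a firmware update has reverted it.
check_binding() {
    [ "$(smtp_binding "$1")" = "$2" ]
}

# Set (or restore) local_interfaces to the given IP, editing in place.
# Replaces an existing active or commented line; appends when none exists.
set_binding() {
    conf="$1"; ip="$2"
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*local_interfaces[[:space:]]*=' "$conf"; then
        sed -i "s|^[[:space:]]*#\{0,1\}[[:space:]]*local_interfaces[[:space:]]*=.*|local_interfaces = $ip|" "$conf"
    else
        printf 'local_interfaces = %s\n' "$ip" >> "$conf"
    fi
}

# Only act on the real config when it exists; "restart" re-applies and
# restarts exim with the command from the comment above.
if [ -r "$EXIM_CONF" ]; then
    if check_binding "$EXIM_CONF" "$EXPECTED_IP"; then
        echo "exim bound to $EXPECTED_IP"
    else
        echo "WARNING: exim binding is $(smtp_binding "$EXIM_CONF"), expected $EXPECTED_IP"
        if [ "$1" = "restart" ]; then
            set_binding "$EXIM_CONF" "$EXPECTED_IP"
            /var/mdw/scripts/smtp restart
        fi
    fi
fi
```

Running it without arguments only reports drift; `sh smtp-binding-check.sh restart` repairs the line and restarts exim.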
