How to forward all SMTP traffic to Email security device behind SonicWall firewall

Description

How to forward all the SMTP traffic to Email security device behind SonicWall UTM appliance

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Image

1. SonicWall firewall forwards all incoming email traffic to the Email Security Device.

2. The Email Security device filters spam and then forwards all the emails to the Email server in the network.

3. The Email server is configured to forward all outgoing emails through the Email Security device.

4. Email Security Device forwards all the emails received from the Mail server back to the SonicWall firewall to send out to the destination (Internet).

Image

1. SonicWall firewall forwards all incoming email traffic to the Email Security Device.

2. The Email Security device filters spam and then forwards all the emails to the Email server in the network.

3. Email Server directly forwards all outgoing emails to the SonicWall firewall to send out to the destination (Internet).

 

Scenario 1:

This scenario is simple, because all incoming and outgoing SMTP traffic passes through the Email Security device. All we need to do is forward SMTP traffic (port 25) to the Email Security device (port forwarding). You may refer to the following article to accomplish this task:

KBID 7027 UTM: How to quickly open ports (port forwarding) using wizards? (SonicOS Enhanced)

 

Scenario 2:

This scenario is trickier, because incoming SMTP traffic must be forwarded to the Email Security device while outgoing SMTP traffic from the Email Server goes directly out through the SonicWall.

Deployment Steps:

Step 1: Creating the necessary Address Objects
Step 2: Creating an Inbound NAT policy to forward SMTP traffic to the Email security device.
Step 3: Creating an Out-bound NAT policy to forward all SMTP traffic coming from the Email Server out to the destination (Internet).
Step 4: Creating a Firewall Access Rule from WAN > Zone Access Rules to allow SMTP traffic from the Internet to the private network (e.g. LAN / DMZ)

See Also: When and How to Define Loopback NAT Policy.

 

Step 1: Creating the necessary Address Objects.

Create three address objects: one each for the Email Security device, the Email Server and the Email Service Public IP.

 

Image

 

Step 2: Creating an Inbound NAT policy to forward SMTP traffic to the Email security device.

 

1. Navigate to Rules > NAT Policies.
2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menus:

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester's IP address, the protocol information of the requestor, and the destination's IP address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

Note: To add a custom port in SonicOS Enhanced, refer to KBID 7133.

 

Image

 

Step 3: Creating an Out-bound NAT policy so that the Email Server can send SMTP traffic directly to the destination (Internet).

 

Image

 

Step 4: Creating a Firewall Access Rule from WAN > Zone Access Rules to allow SMTP traffic from Internet to the Private network.

1. Click Rules | Access Rules tab.
2. Select the type of view in the View Style section and go to WAN to LAN access rules.
3. Click Add a new entry and create the rule by entering the following into the fields:

Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

 

Image

 

4. Under the Advanced tab, you can leave the Inactivity Timeout in Minutes at 15 minutes. Some protocols, such as Telnet, FTP, SSH, VNC and RDP, can take advantage of longer timeouts; increased values like 30 or 60 minutes can be tried with caution in those cases. Longer timeout values will not help at all for HTTP or HTTPS.

5: Click OK.

See Also:

Loopback NAT Policy:

If you wish to access this server from other internal zones using the public IP address of the server, consider creating a Loopback NAT Policy.

  • Original Source: Firewalled Subnets 
  • Translated Source: EmailService Public IP
  • Original Destination: EmailService Public IP
  • Translated Destination: Email Security Device
  • Original Service: SMTP (Send Mail) 
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: Loopback policy
  • Enable NAT Policy: Checked
  • Create a reflexive policy: unchecked

 

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

Image

1. SonicWall firewall forwards all incoming email traffic to the Email Security Device.

2. The Email Security device filters spam and then forwards all the emails to the Email server in the network.

3. The Email server is configured to forward all outgoing emails through the Email Security device.

4. Email Security Device forwards all the emails received from the Mail server back to the SonicWall firewall to send out to the destination (Internet).

Image

1. SonicWall firewall forwards all incoming email traffic to the Email Security Device.

2. The Email Security device filters spam and then forwards all the emails to the Email server in the network.

3. Email Server directly forwards all outgoing emails to the SonicWall firewall to send out to the destination (Internet).

 

Scenario 1:

This scenario is simple, because all incoming and outgoing SMTP traffic passes through the Email Security device. All we need to do is forward SMTP traffic (port 25) to the Email Security device (port forwarding). You may refer to the following article to accomplish this task:

KBID 7027 UTM: How to quickly open ports (port forwarding) using wizards? (SonicOS Enhanced)

Scenario 2:

This scenario is trickier, because incoming SMTP traffic must be forwarded to the Email Security device while outgoing SMTP traffic from the Email Server goes directly out through the SonicWall.

Deployment Steps:

Step 1: Creating the necessary Address Objects
Step 2: Creating an Inbound NAT policy to forward SMTP traffic to the Email security device.
Step 3: Creating an Out-bound NAT policy to forward all SMTP traffic coming from the Email Server out to the destination (Internet).
Step 4: Creating a Firewall Access Rule from WAN > Zone Access Rules to allow SMTP traffic from the Internet to the private network (e.g. LAN / DMZ)

See Also: When and How to Define Loopback NAT Policy.

Step 1: Creating the necessary Address Objects.

Create three address objects: one each for the Email Security device, the Email Server and the Email Service Public IP.

 

Image

Address Object for Email Security device (e.g. on LAN)

Name: Email Security device
Zone Assignment: LAN
Type: Host
IP Address: 192.168.168.100

Image

Address Object for Email Server (e.g. on LAN)

Name: Mail Server
Zone Assignment: LAN
Type: Host
IP Address: 192.168.168.115

Image

Address Object for Email Server Public IP

Name: EmailService Public IP
Zone Assignment: WAN
Type: Host
IP Address: 2.2.2.2


Step 2: Creating an Inbound NAT policy to forward SMTP traffic to the Email security device.

1. Select Network > NAT Policies.
2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menus:

Understanding how to use NAT policies starts with the construction of an IP packet. Every packet contains addressing information that allows the packet to get to its destination, and for the destination to respond to the original requester. The packet contains (among other things) the requester's IP address, the protocol information of the requestor, and the destination's IP address. The NAT Policies engine in SonicOS Enhanced can inspect the relevant portions of the packet and can dynamically rewrite the information in specified fields for incoming, as well as outgoing traffic.

Note: To add a custom port in SonicOS Enhanced, refer to KBID 7133.

 

Adding Inbound NAT Policy

Original Source: Any
Translated Source: Original
Original Destination: EmailService Public IP
Translated Destination: Email Security Device

Original Service: SMTP (Send E-mail)
Translated Service: Original
Inbound Interface: X1
Outbound Interface: Any
Comment:
Enable NAT Policy: Checked
Create a reflexive policy: Unchecked

Image


Step 3: Creating an Out-bound NAT policy so that the Email Server can send SMTP traffic directly to the destination (Internet).

 

Adding Out-Bound NAT Policy

Original Source: Mail Server
Translated Source: EmailService Public IP
Original Destination: Any
Translated Destination: Original

Original Service: SMTP (Send E-mail)
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any
Comment:
Enable NAT Policy: Checked

Image

Step 4: Creating a Firewall Access Rule from WAN > Zone Access Rules to allow SMTP traffic from Internet to the Private network.

1. Click Firewall > Access Rules tab.
2. Select the type of view in the View Style section and go to WAN to LAN access rules.
3. Click Add a new entry and create the rule by entering the following into the fields:

Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.

 

Action: Allow 
From Zone: WAN
To Zone: LAN

Service: SMTP (Send E-Mail)
Source: Any 
Destination: EmailService Public IP 
Users Allowed: All
Schedule: Always on
Enable Logging: checked
Allow Fragmented Packets: checked

Image

4. Under the Advanced tab, you can leave the Inactivity Timeout in Minutes at 15 minutes. Some protocols, such as Telnet, FTP, SSH, VNC and RDP, can take advantage of longer timeouts; increased values like 30 or 60 minutes can be tried with caution in those cases. Longer timeout values will not help at all for HTTP or HTTPS.

5: Click OK.

See Also:

Loopback NAT Policy:

If you wish to access this server from other internal zones using the public IP address of the server, consider creating a Loopback NAT Policy.

  • Original Source: Firewalled Subnets 
  • Translated Source: EmailService Public IP
  • Original Destination: EmailService Public IP
  • Translated Destination: Email Security Device
  • Original Service: SMTP (Send Mail) 
  • Translated Service: Original
  • Inbound Interface: Any
  • Outbound Interface: Any
  • Comment: Loopback policy
  • Enable NAT Policy: Checked
  • Create a reflexive policy: unchecked
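The three NAT policies from Steps 2 and 3 and the Loopback policy above (the same policies in both the 6.5 and 6.2 resolutions) can be checked against sample packets with the following model. It is an added example, not SonicWall's code or part of this article; it uses the article's sample addresses, assumes 192.168.168.0/24 as the network behind "Firewalled Subnets", and applies a simple first-match rule.

```python
import ipaddress
from collections import namedtuple

ANY, ORIGINAL, SMTP = "Any", "Original", 25
# Address objects from Step 1 (values as in the article)
EMAIL_SECURITY = "192.168.168.100"       # Email Security device (LAN)
MAIL_SERVER = "192.168.168.115"          # Mail Server (LAN)
PUBLIC_IP = "2.2.2.2"                    # EmailService Public IP (WAN)
FIREWALLED_SUBNETS = "192.168.168.0/24"  # assumed subnet behind "Firewalled Subnets"

# X1 = WAN, X0 = LAN in this model
Packet = namedtuple("Packet", "src dst dport in_iface out_iface")
NatPolicy = namedtuple("NatPolicy", "name orig_src trans_src orig_dst trans_dst "
                                    "orig_svc in_iface out_iface")

def _matches(rule, value):
    """ANY matches everything; a CIDR rule matches any address inside it."""
    if rule == ANY:
        return True
    if isinstance(rule, str) and "/" in rule:
        return ipaddress.ip_address(value) in ipaddress.ip_network(rule)
    return rule == value

# First match wins in this model, so the specific Loopback policy is listed before
# the broad Outbound one (otherwise Mail Server -> 2.2.2.2 would be SNATed, not looped).
POLICIES = [
    NatPolicy("Inbound", ANY, ORIGINAL, PUBLIC_IP, EMAIL_SECURITY, SMTP, "X1", ANY),
    NatPolicy("Loopback", FIREWALLED_SUBNETS, PUBLIC_IP, PUBLIC_IP, EMAIL_SECURITY, SMTP, ANY, ANY),
    NatPolicy("Outbound", MAIL_SERVER, PUBLIC_IP, ANY, ORIGINAL, SMTP, ANY, ANY),
]

def apply_nat(pkt, policies=POLICIES):
    """Return (name of the first matching policy or None, packet after translation)."""
    for p in policies:
        fields = ((p.orig_src, pkt.src), (p.orig_dst, pkt.dst), (p.orig_svc, pkt.dport),
                  (p.in_iface, pkt.in_iface), (p.out_iface, pkt.out_iface))
        if all(_matches(rule, value) for rule, value in fields):
            return p.name, pkt._replace(
                src=pkt.src if p.trans_src == ORIGINAL else p.trans_src,
                dst=pkt.dst if p.trans_dst == ORIGINAL else p.trans_dst)
    return None, pkt

def wan_to_lan_allows(pkt):
    """Step 4 access rule: WAN -> LAN, SMTP, destination = the public IP (pre-NAT)."""
    return pkt.in_iface == "X1" and pkt.dport == SMTP and pkt.dst == PUBLIC_IP
```

Traffic from the Email Security device itself, or on any port other than 25, matches none of these custom policies, which is the check to run when a Scenario 2 deployment misbehaves.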
