#1 dlr (Untanglit, joined Sep 2007, 19 posts)

Spam Blocker, Exchange and outgoing emails

I have a network running Exchange 2007 with an Edge server in the DMZ and the Hub server on the LAN. I have set up 2 Untangle servers that sit between the firewall and those servers as shown in the attached diagram...

    When the Spam Blocker Lite and/or Web Filter Lite are on, outgoing emails don't leave the Hub server, even with the option "Scan outbound (WAN) SMTP" being unchecked. So I set up the following bypass rules on both UT servers:
    - Destination Address 10.165.10.6
    - Destination port 25
    - Protocol TCP

Email is now being delivered to the outside world, but it doesn't look like the Spam Filter is catching any incoming spam since the "Messages dropped" and "Messages quarantined" numbers don't change. While the numbers in "Messages passed" increase slowly, there are 3 times more than what's reported that get to the Edge server. And since Exchange on the Edge server also has an integrated spam filter, there are over 2,400 spam emails in the last 24 hours that it caught, mostly via the Block List Provider lists.

    My question is, since email traffic transits through the UT server before it gets to the Edge server, why isn't Spam Blocker catching it?

    Thanks

#2 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 16,895 posts)

    http://wiki.untangle.com/index.php/S...nge_servers.3F

    The bypass rule you've listed will bypass all traffic destined for your edge Exchange server, this includes the SMTP traffic. It's too broad, you want to bypass traffic that is flowing between the two exchange servers, not everything bound for a given server.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    rob@intouchtechllc.com

    UntangleAppliances.com
    Phone: 866-794-8879

#3 dlr (Untanglit, joined Sep 2007, 19 posts)

    So I need to put something like this?
    UT Lan (Hub to Edge):
    - Source Address 10.165.11.15
    - Destination Address 10.165.10.6
    - Destination port 25
    - Protocol TCP
    UT DMZ (Edge to Internet):
    - Source Address 10.165.10.6
    - Destination Address 0.0.0.0
    - Destination port 25
    - Protocol TCP

#4 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 16,895 posts)

    Instead of using 0.0.0.0 remove that entire flag, that rule will then exempt SMTP leaving your edge server to anywhere from filtration. You don't have to do this, as the spam blocker will auto whitelist that traffic, however I've noticed a significant performance gain by bypassing outbound SMTP traffic in some cases.

    Finally, I'd also add a third rule that bypasses traffic from the Edge to the Hub. This will get both your exchange servers' SMTP communications out of Untangle.
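To make the "too broad" point from post #2 and the three-rule set from post #4 concrete, here is an added example (my own code, not from the thread or from Untangle) that models bypass-rule matching the way the thread describes it: all conditions in a rule must match, and a session that matches any rule skips the filtering apps. The session addresses other than the two Exchange servers are constructed sample values.

```python
# Added example (not from the thread or Untangle): models how bypass rules
# match a session, to show why a destination-only rule is too broad.
# A rule is a dict of conditions that must ALL match; a session is
# bypassed (skips Spam Blocker / Web Filter) if ANY rule matches.
from ipaddress import ip_address, ip_network

HUB, EDGE = "10.165.11.15", "10.165.10.6"   # server addresses from the thread

def rule_matches(rule, session):
    """True when every condition in the rule matches the session."""
    for key, want in rule.items():
        have = session[key]
        if key in ("src", "dst"):
            if ip_address(have) not in ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True

def is_bypassed(rules, session):
    return any(rule_matches(r, session) for r in rules)

# Rule set from post #1: anything to the Edge server on tcp/25 is bypassed.
BROAD_RULES = [{"dst": EDGE, "dport": 25, "proto": "tcp"}]
# Refined set from posts #4/#5: only the two Exchange servers talking to
# each other, plus the Edge server's own outbound mail, are exempted.
REFINED_RULES = [
    {"src": HUB, "dst": EDGE},                       # Hub -> Edge
    {"src": EDGE, "dst": HUB},                       # Edge -> Hub
    {"src": EDGE, "dport": 25, "proto": "tcp"},      # Edge -> Internet
]

# Constructed sample sessions as the DMZ Untangle would see them.
SESSIONS = {
    "inbound_spam": {"src": "203.0.113.7", "dst": EDGE, "dport": 25, "proto": "tcp"},
    "hub_to_edge":  {"src": HUB, "dst": EDGE, "dport": 25, "proto": "tcp"},
    "edge_to_hub":  {"src": EDGE, "dst": HUB, "dport": 25, "proto": "tcp"},
    "edge_out":     {"src": EDGE, "dst": "198.51.100.9", "dport": 25, "proto": "tcp"},
}

def bypass_table(rules):
    """Map each sample session name to whether the rule set bypasses it."""
    return {name: is_bypassed(rules, s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("refined", REFINED_RULES)):
        print(label, bypass_table(rules))
```

With the broad rule, the inbound session from the Internet is bypassed too, which is exactly why Spam Blocker's counters never move; the refined rules leave inbound mail scanned while exempting the Exchange-to-Exchange sessions.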

#5 dlr (Untanglit, joined Sep 2007, 19 posts)

    Ok, I have the following 3 bypass rules:
    UT Lan (Hub to Edge):
    - Source Address 10.165.11.15
    - Destination Address 10.165.10.6
    UT DMZ (Edge to Internet):
    - Source Address 10.165.10.6
    - Destination port 25
    - Protocol TCP
    UT DMZ (Edge to Hub):
    - Source Address 10.165.10.6
    - Destination Address 10.165.11.15

    Outgoing email is blocked at the HUB with the error: 451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication."

#6 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 16,895 posts)

Did you put those bypass rules in both Untangles? Double check for typos?

Use the session viewer in both Untangle servers while forcing the hub server to send mail and see if you can catch the SMTP session in the list. When you do, double check that the bypass column says "true". If it doesn't, your rule isn't engaging because it's wrong for some reason.

#7 dlr (Untanglit, joined Sep 2007, 19 posts)

    No, I put each of the bypass rules in the corresponding UTs, the 1st rule in the Lan UT and the 2 others in the DMZ UT... The UT in the DMZ is the only one running Spam Blocker and Web Filter. The Hub server doesn't send email to the Internet, just to the Edge.

    I opened Session Viewer on both UT servers, sent an email (which is still stuck in the Hub queue) and nothing pertaining to port 25 or either of the email servers is logged...
    Last edited by dlr; 04-12-2012 at 12:41 PM.

#8 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 16,895 posts)

I'm assuming that the ASA is the router that lets the 10 and 11 networks communicate. If this is the case, both Untangle bridges are intercepting the SMTP traffic between those Exchange services, and both servers will need at least the two bypass rules to get the communications between the Exchanges out of the rack. The edge server bypass to the world is the only rule of the set that should be on a single Untangle server.

Trace the path SMTP goes through to get between the servers. You must adjust any Untangle involved.

#9 dlr (Untanglit, joined Sep 2007, 19 posts)

    I have these rules on both servers now:

    Hub to Edge
    - Source Address 10.165.11.15
    - Destination Address 10.165.10.6

    Edge to Hub
    - Source Address 10.165.10.6
    - Destination Address 10.165.11.15

    And I have this rule on the DMZ UT
    Edge to Internet
    - Source Address 10.165.10.6
    - Destination port 25
    - Protocol TCP

The emails are still stuck in the Hub queue with the same error message: 451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication."
    With the Web Filter and Spam Blocker turned off, I get the same error... No outgoing email.

    Thanks for your time and help!

#10 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 16,895 posts)

    Has it worked at all with any of the bypasses?