smtp connection behind WG?

I have two apps which want to send email and were working fine; but which are now behind a WG Firebox.
One is a simple backup program on my trusted segment, and for error and stats events it sends emails to an admin contact.
Before I had it setup to use: smtp-mail-outlook.com:587
which is commonly recommended for an smtp server. It requires user/password authentication, but all worked fine.
Now it is failing, and i am presuming it is because some of the traffic is blocked - it reports "invalid permission".(?)
The other application is a Linux server on my DMZ segment, where again I need to connect to an smtp mail-server to be able to send out email.
I tried the same server - and it fails - "Network unreachable".
I can ping that address from either segment.
(although it resolves to svc.ha-smtp.live.com (52.96.79.6))
Any hints or advice please.
TIA.

Comments

  • edited November 22

    Anything in Traffic Monitor related to this?

    The default Outgoing policy should allow out all TCP packet types, including TCP port 587.

    If you have a TCP-UDP proxy in your config, it could be intercepting outgoing SMTP.
    If you do have it, you can temporarily set it to disabled (unselect enabled), and see if your outgoing SMTP works.
    If so, you can
    1) set the SMTP section of the TCP-UDP proxy action to Allow
    or
    2) add a Custom Packet Filter for TCP port 587 to allow out this traffic without being intercepted by the TCP-UDP proxy policy.

    TCP-UDP-Proxy: General Settings
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/tcp/tcp_udp_proxy_gen_settings_c.html

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @guthrie

    I'd suggest looking at the traffic monitor on your firewall -- the logs there should give you a disposition as to what's happening to your files. The log lines should show the port, and the reason (such as unhandled internal packet, meaning there is no rule for this traffic) or ProxyDeny: some setting in the proxy is denying the traffic. This can help determine what policy you need to modify.

    If you're seeing green allow logs for that traffic, the firebox should be allowing it.

    -James Carson
    WatchGuard Customer Support

  • Thanks - I did not know what filter/policy to look for.
    Will check on the tcp-udp, and make sure logging is enabled.

  • edited November 22

    @Bruce_Briggs - Thanks, I do see an enabled policy "outgoing" TCP-UDP from (any-trusted, any-optional) to any-external for any port (:0), so seems like that wouldn't be limiting it. I will check if it is logging, and try it again.

    I don't know what this means -
    "set the SMTP section of the TCP-UDP proxy action to Allow..."
    I don't see any such property on the Outgoing TCP-UDP policy rule.

  • edited November 22

    @james.carson - I did try it and watch traffic logs but did not see anything denied, nor any apparent traffic. I tried filtering on the address of that SMTP server (from pings) and then only got a blank monitoring display, so perhaps something is not (yet) logging - although the tcp-udp policy is logging enabled, for allowed packets.
    Thanks.

  • The policy that you see is an Outgoing policy which allows out all TCP & UDP packets, and will allow out TCP port 587.
    It is not a TCP-UDP proxy policy.

    Explain your DMZ setup.
    Did you have something else in place an then swapped in the WG firewall?
    If so, details please.

    Make sure that the DMZ devices have the correct IP addr, subnet mask & default gateway & a good DNS server IP addr.

    FYI - the firewall is not a DNS server, but it can be set up to be a DNS forwarder.

    About DNS Forwarding
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/dns_forwarding_about.html

  • My DMZ setup is I think simple, I have one web server in the DMZ (which is the machine i am trying to setup Linux email on), and everything else including my main development machine on the Trusted segment.
    Trusted = 10.0.1.*, DMZ = 10.0.2.*. Web serve is SNAT'ed static IP on the DMZ.
    All IP setup seems correct. I can ping the intended smtp server from either segment/machine.
    I don't see any default TCP-UDP proxy policy, not sure if/why I would need one.
    There are several HTTP-proxy policies and a few others on specific tcp ports.
    All DNS seems to work fine, and it does resolve the target snmp server correctly..
    It may not even be FW related, I will try to find an alternate external open (free) smtp server to try.

  • I think it is not a WG issue - but a need to properly setup the external smtp server. I changed the configuration, and it seems like now it is complaining about authentication - so I am getting through to it.

  • I got it working on my linux system - it was not a FW issue for it but sendmail configuration.
    However, I am still just using the default outgoing TCP-UDP policy, should I be changing to using a TCP-UDP proxy policy?
    Offhand it looked significantly more complex to setup.
    Thanks for the inputs an help.

  • Since you trust the emails that are being sent, there is no great value in using a SMTP proxy, which could be invoked via the TCP-UDP proxy.

    Best practice is to only allow out desired packet types, but doing so is more work.
    Many/most small sites don't do this and just use a few proxy policies at most (HTTP & HTTPS).

  • Thanks.
    I do have a proxy on those.

  • PS: what started all of this was that the Linux exim4 email program logs noted "Network unreachable", which is what made me suspect the WG firewall.
    Turns out that was not the cause, and the error message logged is just misleading - it was accessing the network, then failing.

  • As someone a long time ago said on the boards - not all problems are caused by the firewall.

    Glad you got this sorted.
Sign In to comment.