Inbound EMails being proxied

cash5150 · ‎01-06-2018

Hey Guys,

I just setup this Fortigate 60C. I upgraded the os to 5.2. I created a VIP and then created a policy. This is for Port 25 and is being used to simply forward port 25 traffic to my mail filter.

I noticed in my message tracking logs that External Emails Office 365 (And other senders) are being proxied by the fortigate instead of just being NAT'd.

I was not expecting the Fortigate to Proxy SMTP Traffic inbound (or outbound). How can I disable this? The reason why this is bad is because my Symantec Messaging Gateway thinks inbound emails are now all of the sudden outbound emails which causes freaky policy issues.

Thanks,

Robert

ede_pfau · ‎01-07-2018

Hi,

and welcome to the forums.

A VIP only changes the destination address. You probably have enabled 'NAT' in the incoming policy which causes the FGT to NAT the source address as well. Please check this first.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

cash5150 · ‎01-07-2018

I do have NAT Enabled but that shouldn't cause the Source IP address to change from an External IP to the Firewall's IP. That sounds like proxying to me.

cash5150 · ‎01-09-2018

Guys

Any help here? I discovered today that my mail relay has been being used as an open relay because the IP address 192.168.1.225 FG firewall is listed as an internal IP (due to it being internal). This caused my relay to think all inbound emails were coming from inside my network.

I then locked down SMTP from anything but my networks external IP address, this also didn't work, due to the firewall once again proxying all traffic from the WAN to >> Port 25 internally.

I cant be the first person to have had this problem so I am clearly doing something wrong. Can anyone provide assistance here?

Robert

cash5150 · ‎01-09-2018

Ok I got this figured out. it was as you had originally suggested, I had NAT enabled in the policy. Previously most firewalls I worked with either did NAT or Route and no other way. If you disabled NAT it was "System Wide" not like the fortigate which does policy based.

Thanks,

Robert

ede_pfau · ‎01-14-2018

Glad you've fixed this finally. I tried to explain what NAT does in a FGT in my post. Basically the FGT is a transparent proxy for all traffic, does routing and optionally NATs addresses. If you've got the time have a look at the FortiOS Handbook. The introductory chapters explain the general design quite well.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

cash5150 · ‎01-07-2018

This is what I found for changing flow mode:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-whats-new-54/Top_ProxyFlowPerVDOM.htm

I am running OS 5.2 though so I am not sure if my 60C supports those same options.

cash5150 · ‎01-07-2018

Any suggestions here? the email in the screenshot is from office 365, the message was sent from EOP to my environment, the source IP address should have been a publicly routable address and the 192.168.1.225 which is the internal IP of the firewall.