While the best option is to let Sonar filter your inbound mail, there may be times when you need to bypass the mail proxy. This is a simple process, done entirely through Sonar's Firewall.
The first step is ensuring you have the correct objects created in Sonar. Navigate to Network -> Objects, and make a new object for your Mail Server.
CREATING THE OBJECT
- Click "Add New" and give the object a name. Something like "SVR-EXCHANGE".
- Make sure that the "host" radio button is selected, and enter the Mail Server's IP address.
- Because you want external access to this internal server, you also have to apply an inbound NAT rule. Select "DNAT" at the bottom and, from the drop-down menu, select the interface or IP that you want port 25 to hit on the outside. This IP should generally match the one you have for your MX records.
- Because you also want to bypass the mail proxy for email going OUTBOUND, you will also need to add an outbound NAT property. For this, select "SNAT" and, from the drop-down menu, select the same IP we chose in step 3. This will ensure that mail is received on the same IP that it goes out on. This is important, because if mail is coming in on an IP not matching your MX records, your emails will be rejected.
CREATING THE INBOUND BYPASS RULE
- In the Sonar GUI, navigate to Groups -> System -> Rules -> Access.
- Here is where we will create the bypass rule. Click "Add New" and place the following values into the respective fields:
  - Sources: Any
  - Destination: "Your Mail Server", or whatever you named the object for the mail server we created above.
  - Rules: select the rule "Allow SMTP". This will allow all port 25 traffic to be port forwarded to your mail server.
- Click "OK". If you've set up the inbound NAT correctly on the network object we created earlier, you should get a prompt that says "Would you like to auto-generate NAT rules?". Click "YES" to continue. This will create a NAT rule to go alongside the Access rule you are creating.
CREATING THE OUTBOUND BYPASS RULE
- We should still be in the Access Rule table where we created the inbound bypass rule. Creation of the outbound bypass rule should be the same for the most part.
- Click "Add New" and place the following values into the respective fields:
  - Sources: "Your Mail Server"
  - Destination: "Any"
  - Rules: Allow SMTP
- As you can tell, the rule is more or less exactly the same as the rule we created for the inbound bypass, except the source and destination have been reversed. Again, when you click "OK", it will prompt you to auto-generate NAT rules, and you want to say "YES".
That should be it! Both bypass rules have been implemented and should be in effect. You can test by sending an email from your internal network to an external email address and checking that it has been received. Be sure to also test inbound email from the outside. If you receive emails from outside and you can send emails externally successfully, the rules are working!
Please be aware, however, that email coming in and out of your network will not be filtered by Sonar.
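The DNAT and SNAT properties above only work as intended if both use the IP your MX records point to. The following check is an added example, not part of Sonar or of the original article: it assumes you copy the two NAT IPs from the network object by hand and paste in the output of `dig +short MX yourdomain`. The function names, sample hostnames and addresses are constructed for illustration.

```python
import ipaddress
import socket

def parse_dig_mx(text):
    """Parse `dig +short MX <domain>` output into sorted (preference, host) pairs."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)

def resolve_ipv4(host):
    """Default resolver: IPv4 addresses for host via the system resolver."""
    infos = socket.getaddrinfo(host, 25, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_bypass_nat(dnat_ip, snat_ip, mx_text, resolve=resolve_ipv4):
    """Return findings to review; an empty list means NAT IPs and MX agree."""
    findings = []
    dnat = ipaddress.ip_address(dnat_ip)
    snat = ipaddress.ip_address(snat_ip)
    if dnat != snat:
        findings.append(f"SNAT {snat} differs from DNAT {dnat}")
    records = parse_dig_mx(mx_text)
    if not records:
        findings.append("no MX records parsed")
    for pref, host in records:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except OSError as exc:  # includes socket.gaierror
            findings.append(f"MX {host} (pref {pref}) did not resolve: {exc}")
            continue
        if dnat not in addrs:
            shown = ", ".join(sorted(str(a) for a in addrs))
            findings.append(f"MX {host} (pref {pref}) resolves to {shown}, not {dnat}")
    return findings

# Constructed sample data (documentation addresses), so the check runs offline.
SAMPLE_MX = "10 mail.example.com.\n20 backup.example.com.\n"
SAMPLE_DNS = {"mail.example.com": ["203.0.113.10"],
              "backup.example.com": ["203.0.113.99"]}

if __name__ == "__main__":
    for finding in check_bypass_nat("203.0.113.10", "203.0.113.10",
                                    SAMPLE_MX, lambda h: SAMPLE_DNS[h]):
        print("REVIEW:", finding)
```

A secondary MX that deliberately points elsewhere will show up as a finding; review it rather than treating it as an error.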