SMTP Email Outbound Not Working

Hi all,

Before I raise a call with Sophos, I wanted to reach out to the community. We have an XG 230 and so far so good regarding the setup. I'm trying to get SMTP email to flow through the firewall and it's not working no matter what I try.

We have one Exchange 2010 server behind the XG that sends email to a smart host (Mimecast) using a send connector in Exchange. When it's connected to our old firewall it works fine with no issues, but as soon as I point it to the XG, SMTP outbound mail is queued on the Exchange server.

I set up a rule to forward inbound SMTP traffic to the Exchange server and that works fine, but for some reason SMTP outbound is not working. Because we're using Mimecast we have no need for SMTP scanning, so I've set email protection to legacy mode. I've created a firewall rule (user/network) to allow SMTP traffic (port 25) from the Exchange server to the WAN, but no joy.

The only time I have seen outbound mail working is when email protection was switched to MTA mode, but as mentioned, we don't want to use this as we don't require any SMTP scanning. I'm sure this is something pretty simple to resolve, but I just can't figure out why this is not working. I've tried changing the rule to allow source and destination networks of ANY but still no luck.

Any suggestions? Thanks in advance.



  • Hi,

    try adding ports 465 and 587 for SMTPS in your firewall rule.

    Ian

  • In addition:

    if your XG is operating in legacy mode and you would like to scan the traffic, create a Business Application rule, choose the Email Client template and enable SMTP/S scanning.

    XG will filter the traffic and also allow the outgoing traffic.

    Of course, it is better to use XG in MTA mode.

    Regards

  • Hi there,

    I did attempt to create a Business Application rule using the email SMTP template, but the rule asks for a protected server to forward traffic to. Isn't this for inbound mail, or does the creation of this rule simply allow the outgoing traffic?

    Thanks

    Just an update on this. So I tried setting the XG back to MTA mode and now outbound mail works, but inbound mail is failing LOL :)

    I checked Mimecast and I now receive the error "Relay Access Denied". Looks like a configuration issue with MTA now.

  • Hi Luk,

    Yes, I followed the KB article exactly. I have set up the policy and enabled SMTP relay for LAN and WAN in device access. Our Exchange server is not in the DMZ.

    Thanks

    Lee 

    Well, I thought I had this resolved. I changed the upstream host in relay settings to ANY instead of the IP ranges for our smart host (Mimecast) and inbound mail started flowing. However, emails were being bounced with the error "530 5.7.1 Client was not authenticated". To resolve this error I had to configure the default receive connector on the Exchange server to allow anonymous users on the permissions tab. Finally email was flowing in and out successfully.

    Why the XG requires the upstream host to be set to ANY rather than the IP ranges of the smart host (as per the guide) I have no idea. 

    However, I noticed outbound email was being delivered directly to the recipient and it needs to go to the smart host first. Somehow the XG is delivering email to the recipient directly even though the Exchange tracking logs show the email is being transferred to the smart host IP ranges. The flow should be Exchange > XG > smart host, but it's currently Exchange > XG > recipient.

    I'm assuming somehow the XG is ignoring the information from the exchange server and relaying directly. Can't believe it's this difficult to get SMTP traffic to flow through the firewall.

    Anyone out there have any more ideas on this? I'll have to raise this with Sophos support otherwise. Thanks for all the help so far!

  • Leebtish,

    if the upstream server requires authentication, I am sure if the Allow relay authentication will work for relay from and relay to. The simplest way is to create an SMTP receive connector on Exchange to allow anonymous users from that IP.

    This is not an elegant way, but it works.

    Sophos should clarify this aspect.

    Thanks
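As an added example that is not from this thread or from Sophos or Microsoft documentation, here is what Luk's suggestion looks like in the Exchange 2010 Management Shell: a dedicated receive connector that accepts anonymous SMTP only from the XG's LAN address, instead of opening the Default receive connector (which listens for every remote IP) to anonymous users as Lee did. The server name EX01 and the XG LAN address 10.0.0.1 are assumed placeholders; substitute your own.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on Exchange 2010.
# Assumed values (hypothetical): Hub Transport server EX01, XG LAN interface 10.0.0.1.
$server = 'EX01'
$xgIp   = '10.0.0.1'

# A Custom-usage connector starts with no permission groups, so AnonymousUsers is granted
# explicitly. Exchange picks the connector whose RemoteIPRanges matches the sender most
# specifically, so a single-host range wins over the Default connector's 0.0.0.0-255.255.255.255
# even though both bind to port 25.
New-ReceiveConnector -Server $server -Name 'XG-Inbound' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $xgIp `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# If the Default connector was already opened to anonymous users, put it back to the
# Exchange 2010 defaults so only the XG-scoped connector accepts unauthenticated mail.
Set-ReceiveConnector "$server\Default $server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Check: one connector scoped to the XG, the rest without AnonymousUsers.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize

# Do NOT add this. Inbound delivery to local mailboxes only needs AnonymousUsers; granting
# ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON lets anything that reaches the
# connector relay to external domains, i.e. an open relay behind the firewall.
# Get-ReceiveConnector "$server\XG-Inbound" |
#     Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
#         -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# After the change, confirm nothing is stuck with a 530 5.7.1 or relay error.
Get-Queue -Server $server | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, LastError -AutoSize
```

The point of scoping RemoteIPRanges to the XG is that "allow anonymous users" on the Default connector applies to every host that can reach port 25 on the Exchange server, including anything on the LAN; the dedicated connector keeps that exposure to the one address the firewall actually delivers from.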

  • Hi Luk,

    Thanks for the information. I managed to finally get this working and the solution was very simple. I created an Outbound rule using this KB - https://community.sophos.com/kb/en-us/123663

    I had already created a user/network rule with the same settings, but for some reason it wasn't working. With the above rule it works fine now. Just wish Sophos would update the template name to show it's for SMTP traffic as well and not only POP3/IMAP.

    Thanks for the help!

    Lee
