
XG smtp mail proxy does not scan port 587 how to add

Hi folks,

After upgrading from v17.5 beta2 to v17.5 GA my XG failed to send daily reports and backups. After a number of changes Beta Support asked for access to my XG; since then my reports and backup have been working. No advice as to what was changed so far.

I do not think I have an issue with my LAN devices sending bad stuff through the mail system because they have a Sophos home anti- installed for scanning. Not so sure about the mobile devices and how to get them to use the certificates on mail. Yes, I have installed the certificates, but the devices fail to connect when using wifi.

I started to investigate why the reports do not show any smtp/s traffic even though I have normal (network) firewall rules in place to specifically scan smtp/s traffic. So this morning I created new business rules to scan imap/s and smtp/s traffic, which after some CA issues started to work correctly on my MBP using MAC mail. Outgoing traffic shows in the reports but will need a couple of days to see the full benefit in the reports.

So being brave (last time I could not get this to work on my wife's MBP) I tried my wife's MBP using MS Outlook and the messages were all sent and received on a couple of devices, but no SMTP/S in the log viewer or reports. So I tried her MAC Mail and bingo, entries in logviewer. So further investigation into the configuration of MS Outlook found it defaults to port 587, which is not scanned by the XG transparent mail proxy. From memory, last time I could not get MS Outlook to play kindly with smtp/s scanning (transparent proxy); it did not like the certificate but worked with https scanning.

So the all important question is how to add port 587 to the transparent mail proxy?

Ian



This thread was automatically locked due to age.
  • Hey Flo,

    I have been experimenting with mail security on the XG and the MBP. I think I have finally figured out why there are so many 0B entries on the mail reports: they appear to be when the LAN devices connect to the various ISP mail servers to check for mail and there isn't any, e.g. just handshaking results.

    Interesting thing about port 587, even though it has tls/ssl enabled on the mail client the XG treats it as SMTP, I confirmed this by disabling SMTP checking in the mail rule. Reports it as SMTPs.

    Very strange in my humble opinion?

    Ian

  • Hey Ian,

    Is "Disable legacy TLS protocols" enabled in your SMTP TLS configuration?

    Thanks,

  • Could you re-test by enabling SMTP scanning but with "Disable legacy TLS protocols" disabled (unchecked)?

    Thanks,

  • Hi Flo,

    I unticked the box on smtp and the mail was sent. The logviewer showed it as smtps. So I tried disabling smtp scanning in the mail rule and the messages failed. Re-enabled smtp scanning and the messages went through. That sort of strange behaviour makes debugging a little difficult.

    So, what this test is stating is that MAC mail smtp 587 is using an invalid or insecure TLS whereas MAC mail IMAPS is using a secure version of TLS?

    Ian

  • Hi Flo and community,

    my apologies for wasting your time with this thread because I did not test properly before creating the thread.

    The issue is with one of the mail servers I am using.

    I finally woke this morning and tested the connection via my phone hotspot with the same failure in MAC Mail to one ISP, the others work fine.

    Ian

  • Hi together,

    thanks for this thread. With the KB article I managed to get log information for SMTP on port 587 finally. :-) (Why is this not the default port for SMTPS?)

    However I've discovered another strange behaviour, which might be the same problem rfcat_vk discovered:

    The macOS Mail connection check for SMTPS on port 587 is ONLY working if BOTH, SMTP- and SMTPS-scanning, are enabled in the Business Rule.

    If you disable one of them, the connection is not working anymore. It doesn't matter which one is disabled.

    Thanks and best regards

    Dom Nik

  • Hi Dom,

    and just to add further, the reports show 587 as SMTP, but the log viewer shows it as SMTPS.

    My wife's MAC using MS Outlook on port 587 works correctly, but does not report. XG sends its reports using 587 with STARTTLS correctly.

     

    Ian