
XG and email

Hi folks,

email on the XG is a contentious issue to a number of people, me included.

My XG email notifications are set up in legacy mode.

What works

1/. daily backups

2/. daily reports.


What does not work

1/. notifications

QUEUED for scanning but never sent since MR-4

The XG mail messages are all sent using SMTP according to the daily report, even though the notification setting is configured to use either 465 or 587 with either SSL or TLS.


User email

My wife and I have 6 email addresses on 3 different email servers. The software is MS-OUTLOOK on one MBP, MAC mail on two MBPs, iPad and iPhone. One MBP uses MAC mail and outlook.

I have a business rule to scan IMAPS, SMTP and SMTPS, which point at the various email servers.

Recently the email system failed along with other functions on the XG which I have not been able to replicate. 

Previously I had spent considerable time investigating why email did not work reliably on the various devices. Eventually I was able to get email working stably on all devices. After the recent issues one of my wife's Outlook accounts would no longer send mail. Errors include: fail to connect, server timeout, server does not use secure connections, server does not respond.

I have not been able to identify any failed messages in the XG logs.

I have temporarily used one ISP mail server for all outgoing messages; this only works behind the XG. Once we go on holidays I have to reset the send accounts to the correct servers, otherwise their mail fails because external relay is not allowed.

I have tried using various ports, 465 and 587. The XG business rule does not recognise 587 as a valid email port. According to the RFC, 587 is the valid port and 465 was an interim port. You are not able to change which ports are supported by the mail scanning business rule.

The various mail servers use 4675 with SSL or 587 with TLS.

There will be another post in this thread shortly covering mail reporting.

Ian



  • Hi  

    I understand your concern in this post and the previous post you have shared.

    Can you please try to add the SMTP port for scanning? - https://community.sophos.com/kb/en-us/123120

    Please provide the screenshot of the configuration on the notification and obscure the mail address only except the domain in the email address. 

    On the XG firewall run the command nslookup -q=mx <domain> and share the output as well.


  • Hi Keyur,

    I have followed those instructions in the past, but repeated them again. There is an interesting issue with the mail service on the XG: it cannot resolve the FQDN of my wife's web site mail server, but my MBP can resolve the FQDN. Further, I made some changes to the mail notification settings yesterday to see what would happen; the result is the daily messages are queued but never sent. The XG GUI reports show the messages as being sent.

    I have since changed the settings and the messages are delivered, and again the log viewer entries are odd: some show message accepted and others just show message delivered.

    Please see screen shots below.


    Ian

  • Further updates - more pretty pictures of email failures. This is for a family of two with 6 email accounts on 2 different ISPs.

    Ian

  • Email scanning seems problematic for me too. I have another post regarding an issue I'm having with not being able to send any emails out from Sophos XG itself using an external email server.

    On a different note, I'm a bit confused if Sophos XG is actually doing anything for my emails. I have the Transparent Proxy mode setup and in the Log Viewer, I can see email traffic being scanned and marked as clean or spam. However, when I reference this article (https://community.sophos.com/kb/en-us/133882) and check my email message headers, I do not see anything related to X-CTCH-* or Sophos. Does this only occur in MTA mode?

    I've also noticed in the "spam" policy in the Email settings it mentions anything marked as spam should have an action of adding a Prefix subject of "Spam:", but I never see that occur despite seeing emails being marked as spam in the Log Viewer. For what it's worth, my mail traffic summary looks similar to rfkat_vk's.

  • Hi Shred,

    the XG has actually caught a virus in one of my wife's messages sometime ago. All sent messages from the XG are classified as SMTP even though the notification is setup for SMTPS.

    This was supposed to be fixed a number of MRs ago.

    Roll on v18

  • Hi  

    The X-CTCH string will be included in the mail header if the email has been scanned via the SMTP/S scanning applied in the firewall.

    It will indicate that scanning has been performed, and the added keyword indicates the status of the scanning as per the details provided in the community thread.

  • Keyur said:
    Hi  

    The X-CTCH string will be included in the mail header if the email has been scanned via the SMTP/S scanning applied in the firewall.

    It will indicate that scanning has been performed, and the added keyword indicates the status of the scanning as per the details provided in the community thread.

    Yeah, I understand that.

    What I’m saying is those X-CTCH strings are not in the mail header even though the Log Viewer indicates the emails I’m viewing the headers for have been scanned. Additionally, emails that are being identified as spam in the Log Viewer do not get their subject prefix modified as I mentioned in my original post.

  • Hi  

    If that's the case and emails are not being scanned or the Anti-Spam module is not working as expected, I would recommend contacting technical support and opening a service request to investigate the issue further. I am sure the issue would be resolved.

  • Unfortunately I can't get support since I'm on Sophos XG Home. Here's a Log Viewer entry of an email which indicates the email was scanned:

    2019-09-11 11:13:26 Email messageid="15003" log_type="Anti-Spam" log_component="IMAPS" log_subtype="Clean" status="" fw_rule_id="6" user="" policy_name="Default" sender="News@InsideApple.Apple.com" recipient="my@email.com" subject="Upgrade to a new iPhone. Last chance to get ready." message_id="" email_size="36218" action="Accept" reason="Mail is Clean" host="InsideApple.Apple.com" domain="icloud.com" src_ip="XXX.XX.XX.XX" src_country="" dst_ip="XXX.XX.XX.XX" dst_country="" protocol="TCP" src_port="54571" dst_port="993" bytes_sent="0" bytes_received="0" quarantine_reason="Other"

    Here is the full header from that same email that does not contain any of the headers from Sophos (heavily redacted):

    X-Business-Group: cbx_wlm
    X-Attach-Flag: N
    List-Unsubscribe: <mynews.apple.com/subscriptions
    Original-Recipient: rfc822;my@email.com
    Return-Path: <n_i_bounces@insideapple.apple.com>
    X-Evs: BYPASS
    Mime-Version: 1.0
    X-Dkim_Sign_Required: YES
    <1972982512.1397428112.1568224967872@Insideapple.apple.com>
    X-Sent-To: my@email.com,2,redacted
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=insideapple.apple.com; s=insideapple0517; t=1568224967; redacted; h=Date:From:To:Message-ID:Subject:Content-Type; b=D2z+1RkekINyredacted U6hV/redacted
    X-Emailtype-Id: 1005005461
    X-Txn_Id: redacted
    Content-Type: multipart/alternative; boundary="----=_Part_1397428108_541670826.1568224967872"
    X-Mp: d
    X-Broadcast-Id: 187938
    Received: from st11p00im-bulkin002.me.com ([17.172.80.198]) by ms23551.mac.com (Oracle Communications Messaging Server 8.0.2.3.20180629 64bit (built Jun 29 2018)) with ESMTP id <0PXO006FTI4O0X90@ms23551.mac.com> for my@email.com; Wed, 11 Sep 2019 18:02:48 +0000 (GMT)
    Received: from rn2-msbadger18105.apple.com (unknown [17.179.250.222]) by st11p00im-bulkin002.me.com (Postfix) with ESMTPS id EDBA3F400D5 for <my@email.com>; Wed, 11 Sep 2019 18:02:47 +0000 (UTC)

    Something doesn't add up.
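An added example, not from the thread or from Sophos, of the check this post is doing by hand: it parses an XG Log Viewer line into its key="value" fields and inspects a message's raw headers for the X-CTCH-* marker that the linked KB says a scanned message should carry, so you can see whether the log verdict and the delivered message agree. The log line and headers are constructed from the redacted ones posted above, and the X-CTCH-Spam header in the second sample is a hypothetical marker used only for contrast.

```python
import re
from email.parser import HeaderParser

# Constructed sample modelled on the Log Viewer entry posted above (redacted).
LOG_LINE = ('messageid="15003" log_type="Anti-Spam" log_component="IMAPS" '
            'log_subtype="Clean" sender="News@InsideApple.Apple.com" '
            'recipient="my@email.com" subject="Upgrade to a new iPhone." '
            'action="Accept" reason="Mail is Clean" dst_port="993"')

# Constructed headers with no Sophos marker at all, as in the posted message.
HEADERS_UNMARKED = (
    "Return-Path: <n_i_bounces@insideapple.apple.com>\n"
    "From: News@InsideApple.Apple.com\n"
    "To: my@email.com\n"
    "Subject: Upgrade to a new iPhone.\n"
    "Mime-Version: 1.0\n")

# Same message with a hypothetical X-CTCH-* header added, for contrast.
HEADERS_MARKED = HEADERS_UNMARKED + "X-CTCH-Spam: Unknown\n"

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_xg_log(line):
    """Split an XG key="value" log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def scan_markers(raw_headers):
    """Return the X-CTCH-* headers present (lower-cased name -> value)."""
    msg = HeaderParser().parsestr(raw_headers)
    return {k.lower(): v for k, v in msg.items() if k.lower().startswith("x-ctch")}


def check_consistency(log_line, raw_headers):
    """Compare the XG verdict with what the delivered message actually carries.
    Returns a list of discrepancies; an empty list means log and message agree."""
    log = parse_xg_log(log_line)
    subject = HeaderParser().parsestr(raw_headers).get("Subject", "")
    issues = []
    if not scan_markers(raw_headers):
        issues.append(f"no X-CTCH header although log_subtype={log.get('log_subtype')}")
    # The thread also notes that a spam verdict should prefix the subject.
    if log.get("log_subtype") == "Spam" and not subject.startswith("Spam:"):
        issues.append("spam verdict but subject lacks the 'Spam:' prefix")
    return issues


if __name__ == "__main__":
    for name, hdrs in (("unmarked", HEADERS_UNMARKED), ("marked", HEADERS_MARKED)):
        print(name, check_consistency(LOG_LINE, hdrs) or ["consistent"])
```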

  • Hi  

    The actual headers of an email received via POP/IMAP can be examined in the received email by analyzing its headers in an email client like Outlook or Thunderbird, by navigating to Message options.