
XG and email

Hi folks,

Email on the XG is a contentious issue for a number of people, me included.

My XG email notifications are set up in legacy mode.

What works

1/. daily backups

2/. daily reports.

 

What does not work

1/. notifications

QUEUED for scanning but never sent since MR-4

The XG mail messages are all sent using SMTP according to the daily report, regardless of the notifications setting being configured to use either 465 or 587 with either SSL or TLS.

 

User email

My wife and I have 6 email addresses on 3 different email servers. The software is MS Outlook on one MBP, Mac Mail on two MBPs, iPad and iPhone. One MBP uses Mac Mail and Outlook.

I have a business rule to scan IMAPS, SMTP and SMTPS, which point at the various email servers.

Recently the email system failed along with other functions on the XG which I have not been able to replicate. 

Previously I had spent considerable time investigating why email did not work reliably on the various devices. Eventually I was able to get email working stably on all devices. After the recent issues one of my wife's Outlook accounts would no longer send mail. Errors include: fail to connect, server timeout, server does not use secure connections, server does not respond.

I have not been able to identify any failed messages in the XG logs.

I have temporarily used one ISP mail server for all outgoing messages; this only works behind the XG. Once we go on holidays I have to reset the send accounts to the correct servers, otherwise their mail fails because external relay is not allowed.

I have tried using various ports, 465 and 587. The XG business rule does not recognise 587 as a valid email port. According to the RFC, 587 is the valid port and 465 was an interim port. You are not able to change which ports are supported by the mail scanning business rule.

The various mail servers use 4675 with SSL or 587 with TLS.

There will be another post in this thread shortly covering mail reporting.

Ian



  • Email scanning seems problematic for me too. I have another post regarding an issue I'm having with not being able to send any emails out from Sophos XG itself using an external email server.

    On a different note, I'm a bit confused if Sophos XG is actually doing anything for my emails. I have the Transparent Proxy mode setup and in the Log Viewer, I can see email traffic being scanned and marked as clean or spam. However, when I reference this article (https://community.sophos.com/kb/en-us/133882) and check my email message headers, I do not see anything related to X-CTCH-* or Sophos. Does this only occur in MTA mode?

    I've also noticed in the "spam" policy in the Email settings it mentions anything marked as spam should have an action of adding a Prefix subject of "Spam:", but I never see that occur despite seeing emails being marked as spam in the Log Viewer. For what it's worth, my mail traffic summary looks similar to rfkat_vk's.

  • Hi Shred,

    the XG has actually caught a virus in one of my wife's messages some time ago. All sent messages from the XG are classified as SMTP even though the notification is set up for SMTPS.

    This was supposed to be fixed a number of MRs ago.

    Roll on v18

  • Hi  

    The X-CTCH string will be included in the mail header if the email has been scanned via the SMTP/S scanning applied in the firewall.

    It will indicate that scanning has been performed, and the added keyword indicates the status of the scanning as per the details provided in the community thread.

  • Keyur said:
    Hi  

    The X-CTCH string will be included in the mail header if the email has been scanned via the SMTP/S scanning applied in the firewall.

    It will indicate that scanning has been performed, and the added keyword indicates the status of the scanning as per the details provided in the community thread.

    Yeah, I understand that.

    What I’m saying is those X-CTCH strings are not in the mail header even though the Log Viewer indicates the emails I’m viewing the headers for have been scanned. Additionally, emails that are being identified as spam in the Log Viewer do not get their subject prefix modified as I mentioned in my original post.

  • Hi  

    if that's the case and emails are not being scanned or the Anti-Spam module is not working as expected, I would recommend contacting technical support and opening a service request to investigate the issue further. I am sure the issue would be resolved.

  • Unfortunately I can't get support since I'm on Sophos XG Home. Here's a Log Viewer entry of an email which indicates the email was scanned:

    2019-09-11 11:13:26 Email messageid="15003" log_type="Anti-Spam" log_component="IMAPS" log_subtype="Clean" status="" fw_rule_id="6" user="" policy_name="Default" sender="News@InsideApple.Apple.com" recipient="my@email.com" subject="Upgrade to a new iPhone. Last chance to get ready." message_id="" email_size="36218" action="Accept" reason="Mail is Clean" host="InsideApple.Apple.com" domain="icloud.com" src_ip="XXX.XX.XX.XX" src_country="" dst_ip="XXX.XX.XX.XX" dst_country="" protocol="TCP" src_port="54571" dst_port="993" bytes_sent="0" bytes_received="0" quarantine_reason="Other"

    Here is the full header from that same email that does not contain any of the headers from Sophos (heavily redacted):

    X-Business-Group: cbx_wlm
    X-Attach-Flag: N
    List-Unsubscribe: <mynews.apple.com/subscriptions
    Original-Recipient: rfc822;my@email.com
    Return-Path: <n_i_bounces@insideapple.apple.com>
    X-Evs: BYPASS
    Mime-Version: 1.0
    X-Dkim_Sign_Required: YES
    <1972982512.1397428112.1568224967872@Insideapple.apple.com>
    X-Sent-To: my@email.com,2,redacted
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=insideapple.apple.com; s=insideapple0517; t=1568224967; redacted; h=Date:From:To:Message-ID:Subject:Content-Type; b=D2z+1RkekINyredacted U6hV/redacted
    X-Emailtype-Id: 1005005461
    X-Txn_Id: redacted
    Content-Type: multipart/alternative; boundary="----=_Part_1397428108_541670826.1568224967872"
    X-Mp: d
    X-Broadcast-Id: 187938
    Received: from st11p00im-bulkin002.me.com ([17.172.80.198]) by ms23551.mac.com (Oracle Communications Messaging Server 8.0.2.3.20180629 64bit (built Jun 29 2018)) with ESMTP id <0PXO006FTI4O0X90@ms23551.mac.com> for my@email.com; Wed, 11 Sep 2019 18:02:48 +0000 (GMT)
    Received: from rn2-msbadger18105.apple.com (unknown [17.179.250.222]) by st11p00im-bulkin002.me.com (Postfix) with ESMTPS id EDBA3F400D5 for <my@email.com>; Wed, 11 Sep 2019 18:02:47 +0000 (UTC)

    Something doesn't add up.
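As an added illustration (not from this thread and not Sophos code), a small Python checker that parses an XG Log Viewer line in the key="value" form shown above and inspects a message's raw headers for the X-CTCH-* markers, so the log's "scanned" claim can be reconciled against what the header actually proves. The log line and headers below are constructed samples, and the X-CTCH header values are placeholders.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed XG Log Viewer line in the key="value" style quoted in this thread.
SAMPLE_LOG = ('2019-09-11 11:13:26 Email messageid="15003" log_type="Anti-Spam" '
              'log_component="IMAPS" log_subtype="Clean" sender="News@InsideApple.Apple.com" '
              'recipient="my@email.com" action="Accept" reason="Mail is Clean" dst_port="993"')

# Constructed raw message carrying no scanner markers at all (the situation in the thread).
SAMPLE_UNSCANNED = """Return-Path: <n_i_bounces@insideapple.apple.com>
Received: from st11p00im-bulkin002.me.com ([17.172.80.198]) by ms23551.mac.com with ESMTP
Received: from rn2-msbadger18105.apple.com by st11p00im-bulkin002.me.com (Postfix) with ESMTPS
From: News@InsideApple.Apple.com
To: my@email.com
Subject: Upgrade to a new iPhone.

body
"""

# Constructed variant with X-CTCH-* headers present; values are placeholders, not real scan output.
SAMPLE_SCANNED = SAMPLE_UNSCANNED.replace(
    "From:", "X-CTCH-RefID: placeholder-refid\nX-CTCH-Spam: Unknown\nFrom:", 1)

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_xg_log(line: str) -> dict:
    """Turn an XG Log Viewer key="value" line into a dict (empty values are kept)."""
    return dict(KV_RE.findall(line))

def scan_markers(raw: str) -> dict:
    """Collect scanner evidence from a raw message: X-CTCH-* headers, any header
    naming Sophos, and the Received chain (first entry is the newest hop)."""
    msg: Message = message_from_string(raw)
    ctch = {k: v for k, v in msg.items() if k.lower().startswith("x-ctch")}
    sophos = [k for k, v in msg.items() if "sophos" in (k + v).lower()]
    return {"x_ctch": ctch, "sophos_headers": sophos,
            "received_hops": msg.get_all("Received", []),
            "scanned": bool(ctch)}

def reconcile(log_line: str, raw: str) -> str:
    """Compare what the log entry claims with what the message header shows."""
    entry = parse_xg_log(log_line)
    marks = scan_markers(raw)
    if entry.get("log_type") == "Anti-Spam" and not marks["scanned"]:
        return "log says scanned (%s) but no X-CTCH header present" % entry.get("log_subtype")
    return "consistent: %d X-CTCH header(s)" % len(marks["x_ctch"])
```

Feed it the raw source exported from Mail or Thunderbird together with the matching Log Viewer line; a "log says scanned" result is the mismatch this thread describes.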

  • Hi  

    The actual header used for the email recipient in POP/IMAP can be examined in the received email by analysing its headers in an email client like Outlook or Thunderbird and navigating to Message options.
  • Hi Keyur,

    the current version of Outlook does not have an option to review the message format. I need to investigate this further after Office has finished updating on her MBP.

    Ian

    Update, looking at my mac mail and I cannot see any reference to scanning.

    In Mail on macOS, I'm opening an email and selecting View -> Message -> Raw Source. This opens a screen with the raw source of the email, which I'm assuming is showing the entire contents of the email message, so I'm assuming I'm looking at all of the headers. There appear to be a lot of other header items, but nothing related to Sophos XG.

    In Thunderbird, I'm opening an email, selecting More -> View Source. Again, this shows the entire raw source of the email.

    If this is not how you view the actual headers, please advise.

  • Hi  

    Is XG configured in MTA mode with email protection?

    Can you please verify the community thread - https://community.sophos.com/products/xg-firewall/f/email-protection/76950/basic-email-protection-setup

    The XG is in legacy mode using an external mail server. I did the same as Shred using two different mail accounts from two different ISPs. I could see the ISPs' information in the headers, but not the XG's.

    Ian

    Update: the thread you are referring to is for dropping spam messages. What we are referring to is that valid messages are not being scanned and the XG is seeing the mail checks as spam even though they do not contain any information other than null/no messages.

    Ian