
Outbound mail from MTA not working

Been using Sophos for a long time. Started on UTM back in the Astaro days. Love the product. Switched everything over to XG a little over a year ago, but have had issues around the MTA, so most of my mail is still flowing through my UTM.


When I set my outbound to go through my XG, the mail gets stuck in the outbound mail queue, the log says "queued for scanning" and just sits there. Several days later, I get a "Failure" notice in my inbox due to excessive retries. There are no other entries in the log.


The Undeliverable comes back with a "Remote Server returned '< #5.0.0>'" and the headers in it are not helpful in the least. The only thing I can see is that my tests seem to all be using IPv6, which I do have set up and fully functional.


Any help is greatly appreciated.



  • LuCar Toni said:

    Do you have an MTA Scanning Rule in your Firewall Ruleset?

    Can you edit this rule and place a MASQ in this rule?

    There should be something like "ANY - ANY - SMTP" in your Ruleset as a Business Application Rule.

    Yes, I am doing outbound scanning. I have the default auto-generated rule on the IPv6 side, but the XG seems to neglect a lot on the IPv6 side and doesn't auto-generate rules there, and there is no way to set up the same rule on the IPv6 side. The auto-generated rule is quite a bit different from rules you can create. I tried turning off outbound scanning to test, but didn't see any difference in testing results.

  • So which rules are actually "hitting" (have bytes on them) for SMTP in your setup? Do you have MASQ enabled in those rules?

  • LuCar Toni said:

    So which rules are actually "hitting" (have bytes on them) for SMTP in your setup? Do you have MASQ enabled in those rules?

    I think you may have just hit the nail on the head with this one. I have a last-resort "deny" rule on both IPv4 and IPv6, and it looks like the outbound SMTP is actually hitting that rule. Now I've just got to figure out how the rule should be created. I tried creating one while troubleshooting yesterday, but it didn't work as expected, so I deleted it.

  • So do you have any guidance on creating the proper rule? I tried creating another rule, and it gets zero hits. I think the MTA intercepts the traffic, therefore bypassing the rule. This is further supported by the fact that the email from my mail server being sent to the MTA as an outbound relay is not blocked, but there are no rules allowing the traffic either.

  • That is somehow the ugly part about the MTA in V17.5.

    As the MTA is generally speaking allowed by the Device Access page, it does not need a Firewall Rule.

    But as you do not have a NAT option without a firewall rule in V17.5, you are limited to the MASQ option...

    If possible, I would rather recommend waiting for the V18.0 update and simply creating the SNAT there. It is much easier to generate a simple SNAT rule for SMTP traffic in V18.0 than in V17.5.

    For V17.5, you would have to create a Business App rule with ANY - ANY - ANY - Scan SMTP and choose to MASQ there.

  • For V17.5, you would have to create a Business App rule with ANY - ANY - ANY - Scan SMTP and choose to MASQ there.

    So how do I make that work? The IPv6 Business App rule requires a "Destination Host/Service" and a "Protected Server" to be selected.