Outbound mail from MTA not working

Just wondering, V17 oder V18? 

LuCar Toni said:

Just wondering, V17 oder V18? 

 

Sorry, should have included that.

Sophos XG 17.5.12

Do you have a MTA Scanning Rule in your Firewall Ruleset? 

Can you edit this rule and place a MASQ in this rule? 

There should be something "ANY - ANY - SMTP" in your Ruleset as Business Application Rule. 

LuCar Toni said:

Do you have a MTA Scanning Rule in your Firewall Ruleset? 

Can you edit this rule and place a MASQ in this rule? 

There should be something "ANY - ANY - SMTP" in your Ruleset as Business Application Rule. 

 

Yes, I am doing outbound scanning. I have the default auto-generated rule on the IPv6 side, but the XG seems to neglect a lot on the IPv6 side and doesn't auto-generate rules there, and there is no way to setup the same rule on the IPv6 side. The auto-generated rule is quite a bit different from rules you can create. I tried turning off outbound scanning to test, but didn't see any difference in testing results.

LuCar Toni said:

Do you have a MTA Scanning Rule in your Firewall Ruleset? 

Can you edit this rule and place a MASQ in this rule? 

There should be something "ANY - ANY - SMTP" in your Ruleset as Business Application Rule. 

 

Yes, I am doing outbound scanning. I have the default auto-generated rule on the IPv6 side, but the XG seems to neglect a lot on the IPv6 side and doesn't auto-generate rules there, and there is no way to setup the same rule on the IPv6 side. The auto-generated rule is quite a bit different from rules you can create. I tried turning off outbound scanning to test, but didn't see any difference in testing results.

So which rule are actually "hitting" (have bytes on it) for SMTP in your setup? Do you have MASQ enabled in those Rules? 

LuCar Toni said:

So which rule are actually "hitting" (have bytes on it) for SMTP in your setup? Do you have MASQ enabled in those Rules? 

 

I think you may have just hit the nail on the head with this one. I have a last restore "deny" rule on both IPv4 and IPv6, and it looks like the outbound SMTP is actually hitting that rule. Now I've just got to figure out how the rule should be created. I tried creating one while troubleshooting yesterday, but it didn't work as expected, so I deleted it.

So do you have any guidance on creating the proper rule? I tried creating another rule, and it gets zero hits. I think the MTA intercepts the traffic, therefor bypassing the rule. This is further supported by the fact that the email from my mail server being sent to MTA as an outbound relay is not blocked, but there are no rules allowing the traffic either.

That is somehow the ugly part about MTA in V17.5. 

As the MTA is generally speaking allowed by the Device Access page, it does not need a Firewall Rule. 

But as you do not have a NAT option without firewall rule in V17.5, you are limited to have a MASQ option... 

If possible, i would rather recommend to wait for the V18.0 Update and simply create the SNAT there. It is much easier to generate a simple SNAT Rule for SMTP traffic in V18.0 than V17.5.

For V17.5, you would have to create a Business App rule with ANY - ANY - ANY - Scan SMTP and choose to MASQ there. 

For V17.5, you would have to create a Business App rule with ANY - ANY - ANY - Scan SMTP and choose to MASQ there. 

https://community.sophos.com/products/xg-firewall/f/recommended-reads/122602/how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses