
Outbound mail from MTA not working

Been using Sophos for a long time. Started on UTM back in the Astaro days. Love the product. Switched everything over to XG a little over a year ago, but have had issues around the MTA, so most of my mail is still flowing through my UTM.

 

When I set my outbound to go through my XG, the mail gets stuck in the outbound mail queue, the log says "queued for scanning" and just sits there. Several days later, I get a "Failure" notice in my inbox due to excessive retries. There are no other entries in the log.

 

The Undeliverable comes back with a "Remote Server returned '< #5.0.0>'" and the headers in it are not helpful in the least. The only thing I can see is that my tests seem to all be using IPv6, which I do have set up and fully functional.

 

Any help is greatly appreciated.



  • LuCar Toni said:

    Just wondering, V17 or V18?

     

     

    Sorry, should have included that.

    Sophos XG 17.5.12

  • Do you have an MTA Scanning Rule in your Firewall Ruleset?

    Can you edit this rule and place a MASQ in this rule? 

    There should be something "ANY - ANY - SMTP" in your Ruleset as Business Application Rule. 

  • LuCar Toni said:

    Do you have an MTA Scanning Rule in your Firewall Ruleset?

    Can you edit this rule and place a MASQ in this rule? 

    There should be something "ANY - ANY - SMTP" in your Ruleset as Business Application Rule. 

     

     

    Yes, I am doing outbound scanning. I have the default auto-generated rule on the IPv6 side, but the XG seems to neglect a lot on the IPv6 side and doesn't auto-generate rules there, and there is no way to set up the same rule on the IPv6 side. The auto-generated rule is quite a bit different from rules you can create. I tried turning off outbound scanning to test, but didn't see any difference in testing results.

  • So which rules are actually "hitting" (have bytes on them) for SMTP in your setup? Do you have MASQ enabled in those Rules?

  • LuCar Toni said:

    So which rules are actually "hitting" (have bytes on them) for SMTP in your setup? Do you have MASQ enabled in those Rules?

     

     

    I think you may have just hit the nail on the head with this one. I have a last resort "deny" rule on both IPv4 and IPv6, and it looks like the outbound SMTP is actually hitting that rule. Now I've just got to figure out how the rule should be created. I tried creating one while troubleshooting yesterday, but it didn't work as expected, so I deleted it.

  • So do you have any guidance on creating the proper rule? I tried creating another rule, and it gets zero hits. I think the MTA intercepts the traffic, therefore bypassing the rule. This is further supported by the fact that the email from my mail server being sent to MTA as an outbound relay is not blocked, but there are no rules allowing the traffic either.
