Mails in Mail Spool from Exchange and cant be released

Question

Hello Guys, 
 
 we have a problem that incoming emails will be delivered to our exchange, but as soon as we set a smarthost from exchange to Sophos XG all emails will stuck in Mail Pool. 
 
 In log viewer we see only: Email has been accepted by Devcice and queued for scanning" 
 
 the Status is Failed with the Reason: R=default_mx_router T=remote_smtp defer(110): connection timed out 
 
 or R=smart_hoist_route T=remote_smtp defer(110): connection timed out

we have restarted the device, tried to retry to send this emails no chance. 
 
 other system who are using XG as outgoind email relay, can send emails out without problems. 
 
 has anyone seeing something like that? what could be a solution here? 
 
 Thank you

LuCar Toni · Accepted Answer

Generally Speaking, if the case is only certain domain, it could be the same issue, but rather XG cannot lookup a route to the specific domain. 
 What you can do: 
 Go to advanced Shell, take a email, which is stuck in Spool, resolve the MX on XG for this domain: https://www.gfisoftware.de/support/products/How-to-use-Nslookup-to-verify-MX-record-configuration Do this on the XG itself to get the result. 
 Then verify the same result is there for mxtoolbox: https://mxtoolbox.com/ 
 After this checks, you can do this: Resolve the DNS name of MX and put it to a tcpdump: tcpdump -ni any host IP_of_MX Now retry the Mail and observe, what is happening.

LuCar Toni · Answer

Could you try following?

Please use as Interface Criteria (outbound) your internal Interface to Mail Server. 
 
 Then retry.

LuCar Toni · Answer

Seems like in special cases, MTA is not able to use the LAN Interface and try to reach your internal Mail server with 0.0.0.0 as Source IP. 
 As most products will drop such packets, they will never reach the Server. 
 If you explicitly create a NAT Rule, which tells XG to use the Interface MASQ Rule, this issue seems not to happen.