
XG outbound email stuck in mail pool

I am in the process of routing the email over the XG. We now have two MX records in place. The XG MX record has the highest priority. Inbound is delivered just fine to the internal mail server. We are using MTA and followed https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/EmailConfigureEmailProtectionMTA.html#:~:text=Allow%20outbound%20emails,-You%20configure%20XG&text=In%20MTA%20mode%2C%20XG%20Firewall%20performs%20antivirus%20scanning%20on%20all,click%20Switch%20to%20MTA%20mode.

Problem is that the email coming from the internal mail server is accepted and queued for scanning but ends up failed in the mail pool for no apparent reason. In the mail spool it says failed, but in the log viewer there are no more status records for these emails after "accepted and queued for scanning". So where can we find what is going wrong?

A DNS lookup against 8.8.8.8 works. I switched to legacy and back again to MTA, which created a new firewall and linked NAT. My old one was not linked. Still does not deliver the outbound email.

Firmware is SFOS 18.0.4 MR-4

Thanks,

Fred

  • Hi LuCar Toni,

    I have checked again. Arranged the in and out rules in a rule group. Placed them at the top. Checked the NAT rules. We have 1 WAN interface with multiple aliases. I am receiving delivery notifications in my mailbox but the email does not arrive at the receiver. Spam pool reports failure.

    Can it be that the spam pool will also report failure in case of an SPF reject by the receiver? I specified the IP alias in the NAT rule -> Override source translation (SNAT) for specific outbound interfaces, but maybe that IP is not sent correctly.

    I have now added the WAN interface IP to our SPF record as designated sender. Maybe the alias is not correctly sent to the receiver and my email is rejected as spam.

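The SPF question in the post above (whether the receiver rejects the mail because the NAT-translated source IP is not a designated sender) can be checked offline before the DNS record is changed. The following is an added example, not code from this thread or from Sophos: it evaluates a v=spf1 record for a given connecting IP, supporting the ip4, ip6 and all mechanisms and stopping at the first term that would need a DNS lookup (include, a, mx, ptr, exists) so that the offline verdict is never silently wrong. The two records and the 203.0.113.x addresses (the MX alias and the XG's own WAN interface IP) are constructed for the example.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records; 203.0.113.0/24 is documentation address space.
MX_ALIAS_ONLY = "v=spf1 ip4:203.0.113.10 -all"                # only the MX alias is listed
WITH_WAN_IP = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.1 -all"  # WAN interface IP added as well


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms.

    Modifiers (key=value, e.g. redirect=, exp=) are skipped; only mechanisms matter here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term.partition(":")[0]:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate `record` for the connecting IP without any DNS access.

    Returns (result, term): result is pass/fail/softfail/neutral, or 'unresolved'
    when the first undecided term needs DNS, in which case `term` names it.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        term = f"{qualifier}{mech}" + (f":{arg}" if arg else "")
        if mech == "all":
            return RESULT[qualifier], term
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT[qualifier], term
            continue
        # include/a/mx/ptr/exists need lookups; stop rather than fall through to -all
        return "unresolved", term
    return "neutral", None  # nothing matched and no 'all' mechanism present


def source_ip_status(record, candidate_ips):
    """Map every address the firewall might use as SMTP source to its SPF verdict."""
    return {ip: check_spf(record, ip)[0] for ip in candidate_ips}


if __name__ == "__main__":
    sources = ["203.0.113.10", "203.0.113.1"]  # MX alias vs. WAN interface IP (constructed)
    print("MX alias only:", source_ip_status(MX_ALIAS_ONLY, sources))
    print("WAN IP added: ", source_ip_status(WITH_WAN_IP, sources))
```

Run against the two constructed records, the first shows the WAN interface IP failing hard (`-all`) while the alias passes, and the second shows both passing once the WAN IP is added, which is the situation the post describes. If the real record contains an `include:`, the checker reports `unresolved` for it rather than guessing.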
  • You should see this in the smtpd_main.log.

    Looking at the CLI and searching for your recipient, it should indicate why he is actually dropping your email.

  • Hi LuCar Toni,

    I have not been able to get it to work. At one point I was able to release 50% of the test emails in the mail pool but the remainder is still stuck. I will be looking at the logs to find out why it is not delivered.

    Can it be that there is an MTA binding issue? I am using Outbound Interface ANY with "Override source translation (SNAT) for specific outbound interfaces", Outbound Interface EXTPORTXG with Translated Source the MXIPHOSTADRESS.

    If I do retry then the firewall rule is not hit and there is no traffic on the NAT rule. So no entries in the log viewer. It is not blocked either. Just a ghost, as if this MTA does not retry at all. When I change the setting to see an allowed log viewer entry then it does not arrive at its destination.

    I am reading here you can bypass the MTA for external email:

    community.sophos.com/.../sophos-xg-email-mta-mode-for-inbound-only

    Is that correct? A simple rule with NAT and no SMTP scanning?
    We are now inbound on the XG but I am not that impressed with the XG anti-spam capabilities. The spam filter in the XG is not on par compared to PureMessage. XG spam quarantine only captures a minimum in quarantine and I still end up with the majority captured in PureMessage. PureMessage is of course EOL, so forced to check out the central tool.
    Thanks,
    Fred

  • Hello Fred,

    You can follow this thread to create the SNAT https://community.sophos.com/xg-firewall/f/discussions/125970/step-by-step-outbound-smtp-bypass-on-xg-firewall

    However, you should check the smtpd_main.log to understand what is happening, might be that for some reason the MTA is using a different Firewall rule to send the email, which of course would cause the issue you are seeing.

    I would recommend you to put the smtpd_main in debug mode, to see more output

    # service smtpd:debug -ds nosync

    Regards,

  • I managed to pscp the smtpd_main.log but the outbound recipient is no longer in it. Probably deleted as it is older than 4 days?

    Trying to get it to work, I now have another issue: some inbound e-mails are stuck. They are from the moment I enabled the gateway also for inbound traffic, so firewall rules (and NATting) also apply to inbound messages. At that moment all e-mails failed so I disabled it again. Some e-mails of that exact moment cannot be released, no matter what I do. This has become another thread. All inbound mail now fails by default the first time and needs to be released manually.

    Patel is looking into it.

    What I see in the log is:

    15451 1 queue-runner process running
    15362 locking /sdisk/spool/output//db/retry.lockfile
    15362 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    15362 Considering: user@maildomain

    15362 unique = user@maildomain
    15362 user@maildomain: queued for routing
    15362 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    15362 routing user@maildomain
    15362 --------> router_for_notifications router <--------
    15362 local_part=user domain=maildomain
    15362 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    15362 r
    15362 --------> batv_redirect router <--------
    15362  local_part=user domain=maildomain
    15362 checking domains
    15362 calling batv_redirect router
    15362 expanded:
    15362 file is not a filter file
    15362 parse_forward_list:
    15362 batv_redirect router declined for  user@maildomain
    15362 --------> static_route_hostlist_for_email router <--------
    15362 local_part=user domain=maildomain
    15362 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    15362 calling static_route_hostlist_for_email router
    15362 static_route_hostlist_for_email router called for user@ildomain
    15362 domain = maildomain
    15362 static_route_hostlist_for_email router declined for user@maildomain

    15362 --------> static_route_hostlist router <--------
    15362 local_part=user domain=maildomain
    15362 checking domains
    15362 calling static_route_hostlist router
    15362 static_route_hostlist router called for user@maildomain

    15362 domain = maildomain
    15362 original list of hosts = "<;10.10.10.10;" options =
    15362 expanded list of hosts = "<;10.10.10.10;" options =
    15362 set transport static_smtp
    15362 finding IP address for 10.10.10.10
    15362 calling host_find_byname
    15362 queued for static_smtp transport: local_part = user
    15362 domain = maildomain
    15362 errors_to=NULL
    15362 domain_data=NULL localpart_data=NULL
    15362 routed by static_route_hostlist router
    15362 envelope to: user@ildomain
    15362 transport: static_smtp
    15362 host 10.10.10.10 [10.10.10.10]
    15362 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    15362 After routing:
    15362 Local deliveries:
    15362 Remote deliveries:
    15362 user@ildomain
    15362 Failed addresses:
    15362 Deferred addresses:
    15363 T: Static_smtp: for user@ildomain
    15363 locking /sdisk/spool/output//db/retry.lockfile
    15363 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
    15362 LOG: retry_defer MAIN
    15362 == user@ildomain R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'maildomain'
    2021-02-16 16:21:48.093 [15362] 1Hvmjk-ykgQDX-eS == user@ildomain R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'maildomain'
    15364 locking /sdisk/spool/output//db/retry.lockfile
    15364 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  • Thanks Emmanuel,

    My outbound firewall and NAT rule are almost identical. I only added the Source Interfaces and enabled Specific SNAT for the External Port with the IP Alias of our MX record for RDNS to the NAT rule. The NAT rule doesn't always seem to be touched.

    I wonder if the MTA application layer is interfering. It should only allow by default inbound traffic and route it, which is not touched by the firewall gateway.

    I also have an inbound firewall rule in place with NAT that is unnecessary, but I like to control also the inbound traffic. I only allow SMTP on our MX IP to be passed to the mail server. Furthermore I read a post by LuCar Toni about a binding issue with the XG sending out inbound email with 0.0.0.0 in some instances, which causes traffic to be dropped.

    I will try the debug mode to get more info into the log file.

    Thanks for the assistance.

    Fred

  • The firewall rule is identical, except we deliver directly so it has ANY for destination networks. It is currently the top rule.

    The NAT rule, also at the top, is currently:

    I tried before also with SNAT the Extern IP MX without the specific outbound interface. Email still arrived with the IP of the XG itself (Port2).

    I am going to add a specific route to our mail server to do some testing and put smtpd in debug mode.

    Thanks,

    Fred

  • Current status tests:

    Test ACL SMTP Relay off on WAN interface. Inbound SMTP and NAT rule disabled. Outbound Rule and NAT enabled. >>> Outbound email delivered.

    Test ACL SMTP Relay off on WAN interface. Inbound SMTP and NAT rule enabled. Outbound Rule and NAT enabled. >>> Outbound email delivered. Inbound email not delivered as Gateway refuses inbound connection.

    Test ACL SMTP Relay enabled on WAN interface. Inbound SMTP and NAT rule enabled. Outbound Rule and NAT enabled. >>> Outbound email delivered. Inbound email delivered to Mail Pool with status Failed. Will deliver after Retry.

    Test ACL SMTP Relay enabled on WAN interface. Inbound SMTP and NAT rule disabled. >>> Outbound email delivered. Inbound email delivered to Mail Pool with status Failed. Will deliver after Retry.

    So currently the situation seems to be that outbound email is delivered but inbound email will not be delivered and fails in the Mail Pool, but can be released after retry. Receiving e-mail should not be a manual process.

    What I see in the smtpd_main.log with debug on is this for a message that is queued and that fails:

    2021-02-17 14:33:23.946 [15452] SMTP connection from [67.214.175.75]:37674 I=[MX IP]:25 (TCP/IP connection count = 1)
    2021-02-17 14:33:24.335 [30633] [67.214.175.75] F=<email sender> R=<email receiver> Accepted: is internal domain
    2021-02-17 14:33:24.729 [30633] 1lCMxI-0007y5-EX <= email sender H=www.dnsexit.com (MX IP Adress) [67.214.175.75]:37674 I=[MX IP Adress]:25 P=smtp S=377 M8S=0 RT=0.274s T="DNS Exit Email Test" from <email sender> for email receiver
    MSG Feb 17 14:33:24 [ T_SMTPD-M]: new mail queued, add to inqueue '1lCMxI-0007y5-EX-D'
    2021-02-17 14:33:24.845 [30633] SMTP connection from www.dnsexit.com (MX IP Adress) [67.214.175.75]:37674 I=[MX IP Adress]:25 lost D=0.899s
    MSG Feb 17 14:33:24 [ T_SMTPD-W]: Mail assigned to 'MS-15444' for scanning '1lCMxI-0007y5-EX-D'
    MSG Feb 17 14:33:24 [ MS-15444]: scan request 1lCMxI-0007y5-EX-D
    MSG Feb 17 14:33:24 [ MS-15444]: S='email sender' R='email receiver' Subject='DNS Exit Email Test' Size='377' Status='Mail has been queued for delivery.' src_ip='67.214.175.75' src_port=37674 user_id=0 user_grp_id=0 fw_id=39 src_zone_id=2
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: spam scanning result: 'not spam'
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: Sophos Antivirus Scanned result: Clean (file number:-1)
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: [0x9fc10c00] FROM: email sender , TO: email receiver
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: [0x9fc10c00](email receiver)SF Policy Action: ACCEPT
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: move 'RQn9gj-IK6U0M-Ro' to forwarder queue
    MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: RQn9gj-IK6U0M-Ro <= email sender R=1lCMxI-0007y5-EX
    MSG Feb 17 14:33:24 [ MS-15444]: processing for 1lCMxI-0007y5-EX completed
    MSG Feb 17 14:33:24 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
    MSG Feb 17 14:33:24 [ T_SMTPD-W]: [SMTPD] mail '1lCMxI-0007y5-EX-D' processed sucessfully
    MSG Feb 17 14:33:24 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
    15451 1 queue-runner process running
    30814 locking /sdisk/spool/output//db/retry.lockfile
    30814 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    30822 locking /sdisk/spool/output//db/retry.lockfile
    30822 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    30822 Considering: email receiver
    30822 unique = email receiver
    30822 email receiver: queued for routing
    30822 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    30822 routing email receiver
    30822 --------> router_for_notifications router <--------
    30822 local_part=Email User domain=Email domain receiver
    30822 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    30822 router_for_notifications router skipped: condition failure
    30822 --------> batv_redirect router <--------
    30822 local_part=Email User domain=Email domain receiver
    30822 checking domains
    30822 calling batv_redirect router
    30822 expanded:
    30822 file is not a filter file
    30822 parse_forward_list:
    30822 batv_redirect router declined for email receiver
    30822 --------> static_route_hostlist_for_email router <--------
    30822 local_part=Email User domain=Email domain receiver
    30822 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    30822 calling static_route_hostlist_for_email router
    30822 static_route_hostlist_for_email router called for email receiver
    30822 domain = Email domain receiver
    30822 static_route_hostlist_for_email router declined for email receiver
    30822 --------> static_route_hostlist router <--------
    30822 local_part=Email User domain=Email domain receiver
    30822 checking domains
    30822 calling static_route_hostlist router
    30822 static_route_hostlist router called for email receiver
    30822 domain = Email domain receiver
    30822 original list of hosts = "<;Internal IP Mail server;" options =
    30822 expanded list of hosts = "<;Internal IP Mail server;" options =
    30822 set transport static_smtp
    30822 finding IP address for Internal IP Mail server
    30822 calling host_find_byname
    30822 queued for static_smtp transport: local_part = Email User
    30822 domain = Email domain receiver
    30822 errors_to=NULL
    30822 domain_data=NULL localpart_data=NULL
    30822 routed by static_route_hostlist router
    30822 envelope to: email receiver
    30822 transport: static_smtp
    30822 host Internal IP Mail server [Internal IP Mail server]
    30822 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    30822 After routing:
    30822 Local deliveries:
    30822 Remote deliveries:
    30822 email receiver
    30822 Failed addresses:
    30822 Deferred addresses:
    30823 T: Static_smtp: for email receiver
    30823 locking /sdisk/spool/output//db/retry.lockfile
    30823 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
    30822 LOG: retry_defer MAIN
    30822 == email receiver R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'Email domain receiver'
    2021-02-17 14:33:33.872 [30822] RQn9gj-IK6U0M-Ro == email receiver R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'Email domain receiver'
    30824 locking /sdisk/spool/output//db/retry.lockfile
    30824 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    So that doesn't tell me much more.

    Thanks,

    Fred
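Both debug excerpts in this thread (the outbound one a few posts up and the inbound one just above) end on the same Exim-style line: `== <recipient> R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for '<domain>'`. In Exim, which produces this log format, that line means the queue runner did not open a connection at all: every host for the domain is still inside its retry interval in the retry database, so the message sits in the pool until that time passes, which is why a manual retry can look like a "ghost". Rather than reading smtpd_main.log by hand, the following added example (not code from the thread or from Sophos) parses the arrival, scanner hand-off and delivery lines, links each inbound queue id to the forwarder-queue id it is re-queued under after scanning, and lists the recipients whose most recent delivery event is a defer or a failure. The sample log is constructed after the lines quoted on this page; the second id pair, the example.net/example.org addresses, the 198.51.100.7 and 203.0.113.10 addresses and the later timestamps are made up.

```python
import re
from collections import defaultdict

# Exim-style delivery lines as they appear in smtpd_main.log:
#   "<date> <time> [<pid>] <queue id> <flag> <address> ..."
# flags: <= arrival, => delivered, == deferred, ** failed, -> extra recipient
EXIM_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \[(?P<pid>\d+)\] "
    r"(?P<msgid>\S+) (?P<flag><=|=>|==|\*\*|->) (?P<addr>\S+)(?P<rest>.*)$"
)
# Scanner hand-off: after scanning, the inbound queue id is re-queued under a
# second id in the forwarder queue ("<fwd id> <= <sender> R=<inbound id>").
FORWARD_LINE = re.compile(
    r"^MSG .*\[(?P<inbound>\S+)\]: (?P<fwd>\S+) <= \S+ R=(?P=inbound)$"
)
ROUTE = re.compile(r"R=(?P<router>\S+) T=(?P<transport>\S+)")
DEFER = re.compile(r"defer \((?P<code>-?\d+)\): (?P<reason>.*)$")

# Constructed sample, modelled on the lines quoted in this thread; the second
# id pair, the addresses and the later timestamps are made up.
SAMPLE_LOG = """\
2021-02-17 14:33:24.729 [30633] 1lCMxI-0007y5-EX <= sender@example.net H=mail.example.net [198.51.100.7]:37674 I=[203.0.113.10]:25 P=smtp S=377 for user@example.org
MSG Feb 17 14:33:24 [ MS-15444]: scan request 1lCMxI-0007y5-EX-D
MSG Feb 17 14:33:24 [1lCMxI-0007y5-EX]: RQn9gj-IK6U0M-Ro <= sender@example.net R=1lCMxI-0007y5-EX
2021-02-17 14:33:33.872 [30822] RQn9gj-IK6U0M-Ro == user@example.org R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'example.org'
2021-02-17 14:40:02.001 [31001] 1lCN4W-0008Ab-Qz <= other@example.net H=mail.example.net [198.51.100.7]:40122 I=[203.0.113.10]:25 P=smtp S=512 for user@example.org
MSG Feb 17 14:40:02 [1lCN4W-0008Ab-Qz]: RQn9gk-K2b7Qa-Lp <= other@example.net R=1lCN4W-0008Ab-Qz
2021-02-17 14:40:05.310 [31010] RQn9gk-K2b7Qa-Lp == user@example.org R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host for 'example.org'
2021-02-17 14:55:10.044 [31200] RQn9gk-K2b7Qa-Lp => user@example.org R=static_route_hostlist T=static_smtp H=10.10.10.10 [10.10.10.10]
"""


def _new_record():
    return {"arrived": None, "sender": None, "forwarded_as": None,
            "origin": None, "events": []}


def parse_log(lines):
    """Build one record per queue id from log lines; unrelated lines are skipped."""
    msgs = defaultdict(_new_record)
    for raw in lines:
        line = raw.strip()
        fwd = FORWARD_LINE.match(line)
        if fwd:
            msgs[fwd["inbound"]]["forwarded_as"] = fwd["fwd"]
            msgs[fwd["fwd"]]["origin"] = fwd["inbound"]
            continue
        m = EXIM_LINE.match(line)
        if not m:
            continue
        rec = msgs[m["msgid"]]
        if m["flag"] == "<=":
            rec["arrived"], rec["sender"] = m["ts"], m["addr"]
            continue
        event = {"ts": m["ts"], "flag": m["flag"], "addr": m["addr"],
                 "router": None, "transport": None, "code": None, "reason": ""}
        route = ROUTE.search(m["rest"])
        if route:
            event["router"], event["transport"] = route["router"], route["transport"]
        defer = DEFER.search(m["rest"])
        if defer:
            event["code"], event["reason"] = int(defer["code"]), defer["reason"]
        rec["events"].append(event)
    return dict(msgs)


def delivery_chain(msgs, msgid):
    """Follow the scanner hand-off from an inbound id to its forwarder-queue id(s)."""
    chain = [msgid]
    while True:
        nxt = msgs.get(chain[-1], {}).get("forwarded_as")
        if not nxt or nxt in chain:
            return chain
        chain.append(nxt)


def stuck_messages(msgs):
    """Recipients whose most recent delivery event is a defer (==) or failure (**)."""
    stuck = []
    for msgid, rec in msgs.items():
        last = {}
        for event in rec["events"]:  # events are in log order, so the last write wins
            last[event["addr"]] = event
        for addr, event in last.items():
            if event["flag"] in ("==", "**"):
                stuck.append({"msgid": msgid, "origin": rec["origin"], "addr": addr,
                              "flag": event["flag"], "router": event["router"],
                              "transport": event["transport"], "code": event["code"],
                              "reason": event["reason"]})
    return stuck


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG.splitlines())
    for item in stuck_messages(msgs):
        print(f"{item['origin']} -> {item['msgid']} {item['flag']} {item['addr']}: "
              f"{item['reason']} (R={item['router']} T={item['transport']})")
```

On the sample, the first message stays listed as stuck on the forwarder id with reason code -53, while the second message, deferred once and then delivered with `=>`, drops out of the list. On a real log the `origin` field is what links a "Failed" entry in the mail pool back to the accepted inbound message, and the router/transport fields show which static route the XG chose, which is the information the earlier replies suggest checking.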

  • I did a tcpdump and I am not seeing much special other than an EHLO from the XG followed by a QUIT from the XG.

    To rule out timeouts on the XG I disabled malware and spam scanning in the MTA. Should be done before delivery to the internal server. Same behaviour. I enabled legacy TLS support although tcpdump says TLS 1.2 is used. I removed the tarpitting settings from the mail server. No change in behaviour.

    I only get direct email delivery when I also disable SMTP and SMTPS scanning in the firewall rules; then the email will flow, although malware and spam scanning were already disabled in the MTA settings.

    I think it is a time setting on the XG but have no idea how to increase it.