Connecting XG to Sophos Central Email Gateway

I ran tests before moving my mx records to Sophos Mail Gateway. That worked like a charm and it is good to see viruses being caught. 

The XG is still in MTA mode. Email Gateway is configured for inbound only and set to deliver to the XG Alias. 

The DNS records have now been changed for production but I am seeing some messages that have a failed delivery status, DSN code 5.0.0. Before, all messages were delivered.

The reason the Sophos XG gives for the rejection is "other". That doesn't tell me much. Are there too many connections from one host? Before, I didn't see any failed deliveries. I removed the DoS settings to check.

I added the Sophos mail servers to the Upstream Relay Hosts.

Could it be TLS issues between the XG and Sophos? 

As DNS is not completely propagated over the Internet I cannot yet remove all inbound check settings and lock the XG down to only allow SMTP from the Sophos servers. In order to troubleshoot I have removed the spam and SPF checks.

In Email Gateway I am not seeing any queues for messages that could not yet be delivered and are queued for a resend, nor the possibility to resend. Doesn't Sophos Email Gateway have that functionality? I read in a post that Email Gateway will try for 14 days and then give up. There is no delay message?

TIA,

Fred



  • The question would be: Why even use MTA in XG, if you use Central Email?

    Most likely customers DNAT the Central Delivery IPs directly to the email servers. 

  • Thanks again LuCar Toni,

    I needed an urgent remedy for XG SAV and Sandstorm not working. The DNAT rule bypasses the MTA and delivers now directly to the mail server. The servers that still use old DNS records will move to Sophos MX delivery soon. After which I can remove MTA.

    What happens to the mail that has the failed delivery status? Will that be retried at some point? Did the senders receive an NDR?

  • Central will try to send the email for 14 days, if the response is none (timeout) or a 400 error. If Central gets a 500 error, the email will be marked as failed in Central Email and no NDR will be generated.

    Basically, Central will not generate NDRs if Central accepted the email in the first place. So the user is created and accepted. So the email will be stuck in the mail chain in Central Email if the administrator cannot get the mail server up for 14 days.

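As an added example (not Sophos code, and not written by anyone in this thread): a small Python script that applies the retry and NDR rules stated in the reply above to constructed delivery-log records and lists the messages whose senders would have to be told manually, because Central sends no NDR for them. The log line format, the field names and the `RETRY_DAYS` constant are assumptions for the example; Central's real export format is not shown on this page.

```python
import re
from datetime import datetime

RETRY_DAYS = 14  # retry period stated in the reply above (assumption: taken as-is)

# RFC 3463 enhanced status code "class.subject.detail"; class is 2, 4 or 5
_DSN_RE = re.compile(r"^([245])\.\d{1,3}\.\d{1,3}$")
# Constructed log line format (hypothetical, not Central's own export format)
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\S+) from=(?P<sender>\S+) status=(?P<status>\S+)$")


def classify(status, days_elapsed):
    """Map a downstream SMTP result to the outcome described in the thread.

    'timeout' or a 4.x.x code is transient: Central keeps retrying for
    RETRY_DAYS and then gives up ('expired'). A 5.x.x code is permanent:
    the message is marked failed and the sender gets no NDR. 2.x.x is delivered.
    """
    if status == "timeout":
        cls = "4"
    else:
        m = _DSN_RE.match(status)
        if not m:
            raise ValueError(f"unrecognised status: {status!r}")
        cls = m.group(1)
    if cls == "2":
        return "delivered"
    if cls == "5":
        return "failed_no_ndr"
    return "retrying" if days_elapsed < RETRY_DAYS else "expired"


def senders_to_notify(log_lines, now_iso):
    """Return [(message_id, sender, outcome)] for messages whose senders were
    told nothing: permanent 5.x.x rejections and retries that have expired."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the constructed format
        days = (now - datetime.fromisoformat(m["ts"])).days
        outcome = classify(m["status"], days)
        if outcome in ("failed_no_ndr", "expired"):
            out.append((m["id"], m["sender"], outcome))
    return out


# Constructed sample records, not real log data
SAMPLE_LOG = [
    "2024-03-01T09:00:00 id=m1 from=alice@example.com status=2.0.0",
    "2024-03-01T09:05:00 id=m2 from=bob@example.com status=5.0.0",     # rejected downstream, no NDR
    "2024-03-01T09:10:00 id=m3 from=carol@example.com status=4.4.1",   # still within retry window
    "2024-02-01T09:10:00 id=m4 from=dave@example.com status=timeout",  # retried past 14 days
]

if __name__ == "__main__":
    for row in senders_to_notify(SAMPLE_LOG, "2024-03-02T12:00:00"):
        print(row)
```
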
  • Can you clarify? I read your response as "Central will only retry for 14 days in case of SMTP time out or SMTP 4.x.x. In case of an SMTP 5.x.x it will mark it as Delivery Failed, will not retry and will not send an NDR."

    So basically email is lost. I have notified all senders to resend their email.

    If I had enabled emergency mailbox access, would in those cases the 5.x.x email be visible to the end user?

  • User can access the mailbox from Central to access the data stored in there.

    To be fair, if you fail to restore the email communication for 14 days, the email would be lost anyway. Most mail providers do not try to resend anything after 14 days (or less).
