Inbound SMTP Not Working

Hi Steele : Thank you for contacting Sophos community team. 

You may check the prerequisite in below pocket guide of MTA which confirms subscription for Sophos Email Protection needed. 

support.sophos.com/.../KB-000036667

If you already updated in legacy mode and required rules are configured to allow traffic without SMPT/SMTPS scan then mail communication should work. 

You may check TCPDUMP, drop, PCAP to confirm more on the communication side.

Hi Vishal_R, 

I have tested in Legacy mode and have set up the require Firewall and NAT rules for SMTP/SMTPS using the DNAT assistant. Unfortunately, no incoming mail is received. From the above KB, it would appear a license is required for mailflow in legacy mode also.

Thanks

Steele

Hello Steele,

Adding to what Vishal mentioned, were you able to run the packets are arriving to the XG by doing a TCPdump or PCAP capture from the GUI?

Also may know what is your Case ID number.

Regards,

Hi Emmanuel,

Case number is: 04010611

At the moment I am unable to review the packets arriving to the XG as I will need to schedule a network outage.

Are you able to confirm if an additional Mail protection license is required when running the Mail in legacy mode?

Thanks

Steele

Hi,

the licence is only required if you want to scan incoming emails, not just using port 25.

Ian

Hello Steele,

As Rfcat mentioned no License is necessary on Legacy Mode unless you want to scan the content.

Regards,

Hi rfcat_vk & emmosophos, 

Thanks for confirming this. Do you know if there is any documentation on this configuration as I have not been able to find any?

Much appreciated

Steele

Hello Steele,

For your configuration, it would just be to create a simple DNAT rule and a Firewall Rule with no Scanning.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/CreatingDNATRuleWebServer.html

Regards,

Hi All,

Just an update on this, I have been able to get this to work by configuring the following:

  - Mail in Legacy mode, ensuring no scanning is occurring and no mail policy rules applied.

  - Ensure no mail scanning options are ticked on any Firewall rules.

  - Create firewall rule for inbound traffic to Spam appliance on port 25 for SMTP, with NAT translation from public to internal IP address.

  - As we have a hybrid exchange environment, an additional firewall DNAT rule was required for HTTPS (port 443) to our mail server for Office365 to connect.

Cheers!

Steelo