I don't see all messages in logs

Hey,

we use Sophos XG to host Exchange and to protect against spam. But it looks like the messages are being delivered directly to Exchange. In the event log, I see only 2-5% of the messages that came to Exchange.

How can I make sure that Sophos is verifying messages, and that they are not being delivered directly to the Exchange server?

Thanks.



  • Hello Dennis,

    Thank you for contacting the Sophos Community.

    For the emails that you are not seeing in the XG, do you see the XG in the headers of the email?

    Do you have more than one MX record pointing to different Public IPs on your XG? Do you happen to have a DNAT rule forwarding Port 25?

    Regards,

  • For the emails that you are not seeing in the XG, do you see the XG in the headers of the email?

    I do not see it. Looks like the message was delivered directly to Exchange.

    Received: from EX1.CONTOSO.COM (192.168.1.99) by EX1.CONTOSO.COM
     (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5 via Mailbox
     Transport; Fri, 10 Sep 2021 06:50:46 -0400
    Received: from EX1.CONTOSO.COM (192.168.1.99) by ex1.CONTOSO.COM
     (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5; Fri, 10 Sep 2021
     06:50:46 -0400
    Received: from EUR05-AM6-obe.outbound.protection.outlook.com (40.92.91.53) by
     ex1.CONTOSO.COM (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5 via Frontend
     Transport; Fri, 10 Sep 2021 06:50:46 -0400
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
     b=DWaHbHlEo64WjOvYFT1ByWn75T+ugLv2X3UGsO1kbuQh6mc5BHgAOhuD6rW+7ij5bs7Fu08KePVdocr0/R8Gd+OP4sigSuF7EpcSsLldDML5PdA+W3UxDMrzbsSedyX6RwJpqiHboHRuMJ0D6KMT2kyP/KqgWfLpH6kJsU2pG6FwPpEjQG1eDwooA7agEV6o4hA3hbDGPKeVQhGMLwlDYkcba17JBfHrGHJYqFORgx1N4umZ1FVeN+nrheYUUPPYAxbAAfg3ra9ilGPzuBwMwU0RL5Ivxq3oeba3qGElKr2/6HcG2tMR52eqE2A4gZrsWi3ttLi/GO8R3s1+pEdn4w==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
     s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
     bh=+eaZXNBcjSiV0cm9cvXGDPfUvPz18wTZQuVZ0Pxx7y0=;
     b=VDICfMBW+h0CARcz+4H91oSWVpbx58/JdF0ny1su40JuaiLRK60FXGbN5y6JJgGAverc1Rapwz/Rcznhv+jkcXpB7xFTR1MalDXIuFeonu9NksikSwh0bGFkQ3mpmBbkYzjYbEZxK9SCf22ZMJ5SmpfMZxUldRChVCqwTt3kPYVBtqTAKbG333pBIekRtswxcDZ5ndVB7Sd5m+hy99bxfrHAZmg1LFZm84b3Mgl43crztaibafSRO5cywfyNHenj2Ago2KXnxH5bV+zoly/YHHtcuPiKMD1OsMtlixoBjj2xEDe/SWNSMmJkTCQxoqIgJirOKJtv4wW1IVhqhRqu2A==
    ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
     dkim=none; arc=none
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
     s=selector1;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=+eaZXNBcjSiV0cm9cvXGDPfUvPz18wTZQuVZ0Pxx7y0=;
     b=qrl/jQiPwSmeAUVazKIAkIdC1eYe28anI77teacEh6MvcZzfvr30gRMw71hug+GUcD8q9998W87teacuToAkcBIGI0YY1faRZIlXZrEQUCCjDKYFPPCqvFf43ae/FGYOLwbd5T07bMGU+qm4DKueIrk+41lutRqb+SRUJDeIdkk6ArlAuaNv7qLpXqsOroNnrbJ7/VG3DSFUnH9sBFIeIQVeMDiMITUClpJSEgVU05CWBc49uW1clrTjzBLrm/cA7c+Vez1x5VtAtRGVEHIuga4Dn4GWqb201G2ND4YlVBm3VtdKqgtIHf3Kqgcj5SsIjN91g/Ou3hZ6tDgy+bZRiA==
    Received: from PAXPR08MB7246.eurprd08.prod.outlook.com (2603:10a6:102:211::15)
     by PAXPR08MB7293.eurprd08.prod.outlook.com (2603:10a6:102:214::7) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.16; Fri, 10 Sep
     2021 10:50:45 +0000
    Received: from PAXPR08MB7246.eurprd08.prod.outlook.com
     ([fe80::f16e:5e05:d02a:75a4]) by PAXPR08MB7246.eurprd08.prod.outlook.com
     ([fe80::f16e:5e05:d02a:75a4%9]) with mapi id 15.20.4500.017; Fri, 10 Sep 2021
     10:50:45 +0000
    From: Pasternak Denis <denis.pasternak@hotmail.com>
    To: Den Pasternak <dpasternak@CONTOSO.COM>
    Subject: RE: Test msg
    Thread-Topic: Test msg
    Thread-Index: AQHXpbzJ9MfpcPNKOEeRXh+9lHwjc6ucLkoMgADpoHw=
    Date: Fri, 10 Sep 2021 10:50:45 +0000
    Message-ID: <PAXPR08MB72466EECDD9723FD4542DB51F1D69@PAXPR08MB7246.eurprd08.prod.outlook.com>
    References: <a32f91ad1ebd46fea9657a35d0037c13@CONTOSO.COM>
     <PAXPR08MB7246B91AB7A2706023AEC9F1F1D59@PAXPR08MB7246.eurprd08.prod.outlook.com>
    In-Reply-To: <PAXPR08MB7246B91AB7A2706023AEC9F1F1D59@PAXPR08MB7246.eurprd08.prod.outlook.com>
    Accept-Language: ru-RU, en-US
    Content-Language: ru-RU
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    suggested_attachment_session_id: a419b47b-c9e0-4dcd-0c40-4b7289adad0d
    x-ms-exchange-messagesentrepresentingtype: 1
    x-tmn: [2U4b7LTDMkJiOzGx22VJ/l0jexjsttWEj/rNbQdxV+8=]
    x-ms-publictraffictype: Email
    x-ms-office365-filtering-correlation-id: 96dcde19-5bf4-4179-ca1b-08d97448d792
    x-ms-traffictypediagnostic: PAXPR08MB7293:
    x-microsoft-antispam: BCL:0;
    x-microsoft-antispam-message-info: dfIocpx1q8UwWeJDZI5EUXOWqB2AJdGRgTXu/bCJ3lDykpEVj0hgvy10+TosJj/4o2DkOtWr4QKga9Xoo6sANbYo1fMN6oskI/neoY5qrjMS16SAI4Wcn3d03KIAiHf3JLw267zNTC/VsByHJtpHYeEZ7JNT2z/6pApz9UFS7OFJUsbm55cvnnjde673aOn/vl1M3Ypgi4RMDKkZt1q/m5Acmjldr5FqSgU5nQxj0FilhAOIQblFuooH+ZXTmhpazzIKTq3tWakvxkRlSawug8/W1OXPgvDEBlc3JzYj1rdJyo7qJFeUmCiaF0u1Syt1i69ofH0MAchuAQrR95QBPvz2XYfswBhQN2yp9852zJ8MeNTWuyV4wYMSw/ZBFoLRAz5L+zHXglnmqRDf1d6h3QaUSFBEhE0c/Wwegn4GuQevRlO4DMjFzDvJv4vnh+7H
    x-ms-exchange-antispam-messagedata-chunkcount: 1
    x-ms-exchange-antispam-messagedata-0: iwaei2GvM5qGs7zQC9uv7CxsIdO3xGmUoWWEryw2mfWad+LpHDHIq9KScaLnsMi0iYdJI3te2cjT7n+3FV0rQ3NA4yuWN6AUYvCjItd2x11TVmzgDZg3HZOH92fonuipkaiiF+t5X6uKmlfU5nRedw==
    x-ms-exchange-transport-forked: True
    Content-Type: multipart/alternative;
    	boundary="_000_PAXPR08MB72466EECDD9723FD4542DB51F1D69PAXPR08MB7246eurp_"
    MIME-Version: 1.0
    X-MS-Exchange-CrossTenant-AuthAs: Internal
    X-MS-Exchange-CrossTenant-AuthSource: PAXPR08MB7246.eurprd08.prod.outlook.com
    X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
    X-MS-Exchange-CrossTenant-Network-Message-Id: 96dcde19-5bf4-4179-ca1b-08d97448d792
    X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Sep 2021 10:50:45.2157
     (UTC)
    X-MS-Exchange-CrossTenant-fromentityheader: Hosted
    X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
    X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR08MB7293
    Return-Path: denis.pasternak@hotmail.com
    X-MS-Exchange-Organization-Network-Message-Id: cd4676af-e2af-4d2d-49b6-08d97448d830
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: EX1.CONTOSO.COM
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.4639928
    X-MS-Exchange-Processed-By-BccFoldering: 15.02.0858.002
    

    Do you have more than one MX record pointing to different Public IPs on your XG?

    Yes, I have four DNS zones and four MX records referring to one IP address, which is owned and served by XG.

    Do you happen to have a DNAT rule forwarding Port 25?

    Yes, I have a DNAT rule. If I understand correctly, it shouldn't be there. Messages must be delivered to XG, which in turn must forward them to Exchange.
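    To make the "do you see the XG in the headers?" check repeatable, here is an added Python example (not from the thread and not Sophos code) that parses a message's Received chain in delivery order, reports where external mail first entered the internal domain, and flags the case above, where the entry hop is the Exchange server itself rather than the MTA. The XG hostname xg.contoso.com, the second sample chain and its addresses and timestamps are constructed assumptions; the first sample is the chain posted above with the other header fields dropped.

```python
"""Check a message's Received chain for the expected MTA hop.

Added example, not from the thread or from Sophos. The XG hostname
"xg.contoso.com" and the second sample chain are constructed placeholders.
"""
import re
from email import message_from_string

# Constructed sample 1: the Received chain posted in the thread (other header
# fields dropped, body replaced). The top-most Received header is the LAST hop.
BYPASS_HEADERS = """\
Received: from EX1.CONTOSO.COM (192.168.1.99) by EX1.CONTOSO.COM
 (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5 via Mailbox
 Transport; Fri, 10 Sep 2021 06:50:46 -0400
Received: from EX1.CONTOSO.COM (192.168.1.99) by ex1.CONTOSO.COM
 (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5; Fri, 10 Sep 2021
 06:50:46 -0400
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (40.92.91.53) by
 ex1.CONTOSO.COM (192.168.1.99) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.858.5 via Frontend
 Transport; Fri, 10 Sep 2021 06:50:46 -0400
Received: from PAXPR08MB7246.eurprd08.prod.outlook.com (2603:10a6:102:211::15)
 by PAXPR08MB7293.eurprd08.prod.outlook.com (2603:10a6:102:214::7) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4500.16; Fri, 10 Sep
 2021 10:50:45 +0000
Subject: RE: Test msg

(body omitted)
"""

# Constructed sample 2: what the chain should look like once the MTA is in the
# path. Hostname, address and timestamps are invented for illustration.
VIA_MTA_HEADERS = """\
Received: from xg.contoso.com (203.0.113.10) by ex1.CONTOSO.COM (192.168.1.99)
 with Microsoft SMTP Server id 15.2.858.5; Fri, 10 Sep 2021 06:50:47 -0400
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (40.92.91.53)
 by xg.contoso.com with ESMTPS; Fri, 10 Sep 2021 06:50:46 -0400
Subject: constructed sample

(body omitted)
"""

# "from <host> (<info>) by <host> (<info>)" clause of a Received header.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+)(?:\s+\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)(?:\s+\((?P<by_info>[^)]*)\))?",
    re.IGNORECASE,
)
# Exchange stamps "via Frontend Transport" / "via Mailbox Transport".
VIA_RE = re.compile(r"\bvia\s+(?P<via>[^;]+?)\s*;", re.IGNORECASE)


def parse_received_chain(raw_message: str) -> list:
    """Return the hops as dicts in delivery order (oldest hop first)."""
    msg = message_from_string(raw_message)  # compat32: raw, still-folded values
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:  # e.g. "Received: by host ..." with no from clause
            continue
        via = VIA_RE.search(text)
        hops.append({
            "from_host": m["from_host"], "from_info": m["from_info"],
            "by_host": m["by_host"], "by_info": m["by_info"],
            "via": via["via"] if via else None,
            "timestamp": text.rsplit(";", 1)[-1].strip(),
        })
    hops.reverse()  # headers are prepended, so the bottom one is the first hop
    return hops


def is_internal(host: str, internal_suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def check_mta_path(raw_message: str, expected_mta_hosts, internal_suffixes) -> dict:
    """Report whether the expected MTA relayed the message and where external
    mail first entered the internal domain."""
    hops = parse_received_chain(raw_message)
    expected = {h.lower() for h in expected_mta_hosts}
    entry = next((h for h in hops
                  if is_internal(h["by_host"], internal_suffixes)
                  and not is_internal(h["from_host"], internal_suffixes)), None)
    return {
        "hops": len(hops),
        "mta_seen": any(h["by_host"].lower().rstrip(".") in expected for h in hops),
        "entry_from": entry["from_host"] if entry else None,
        "entry_by": entry["by_host"] if entry else None,
        "entry_via": entry["via"] if entry else None,
        # An external host handed the mail straight to an internal host other
        # than the MTA: the MTA's scanning and logging were bypassed.
        "bypassed_mta": entry is not None and entry["by_host"].lower() not in expected,
    }


if __name__ == "__main__":
    for label, raw in (("thread sample", BYPASS_HEADERS), ("via MTA", VIA_MTA_HEADERS)):
        print(label, check_mta_path(raw, {"xg.contoso.com"}, ("contoso.com",)))
```

    Run against the chain posted above, the report shows no hop "by" the XG and an entry hop straight from outlook.com into ex1.CONTOSO.COM via Frontend Transport, which is the fingerprint of a DNAT rule handing port 25 to Exchange instead of the MTA. Once the MTA is in the path, the entry hop's "by" host becomes the XG and the bypass flag clears.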

  • Hello Dennis,

    Thank you for the screenshots.

    It does look like this isn't the correct NAT rule for MTA, and preferably you'll have a separate rule to handle access to Exchange on Port 443.

    Original Source = Any

    Original Destination = Any

    Original Service = SMTP, SMTP(S)

    SNAT = MASQ 

    The rest is the default.

    Regards,

  • Thank you.

    I found that SMTP scan was disabled.

    Now I can see all the messages in the logs. But now I have a different problem :) all messages are rejected, from Hotmail and Gmail, and I can't see any reason.

    It is very difficult to understand why the letter was dropped.