After upgrading to v16, I switched Email Protection to the new MTA mode and found out that either IPv4 or IPv6 traffic is working, but not both.
IPv4 required enabling SMTP Relay in System / Administration / Device Access, whereas IPv6 was allowed without it. Seems like the IPv6 ACL is bypassed/not checked!
Regardless of this security issue, the forwarding from the MTA to the internal mail server works only if the version of the IP address configured in the Email policy (Route By Static Host) matches the one connecting from the Internet:
connect_to_forwarder_server() Ignoring IPv6 server because client was IPv4..
So if the internal mail server has only an IPv4 address, emails reaching the Sophos MTA aren't forwarded, and vice versa if it only has IPv6.
Even if it is dual-stack and both addresses are configured, it doesn't work, regardless of the order of addresses.