Some emails stuck in mail spool

I have two different mail servers running behind the Sophos XG v16.01.2, Exchange 2016 and Ability Mail Server (AMS is only used for a mailing list functionality with subject modification and catch-all email address forwarding).

Since moving to Sophos XG 16.01.1 I have been using MTA mode for the mail server and forwarding emails to either server based on the email domain using profiles and it has been working well.

I have then enabled the HE tunnelbroker and IPv6 throughout the network and IPv6 incoming email and webhosting seemed to be working as expected (if disappointingly not through the WAF).

Exchange is fully IPv6 compliant; the AMS server has IPv6 addresses but the mail server does not support IPv6.

For some reason, once the Exchange server got the IPv6 address, incoming emails to the Exchange profile now seem to be acting oddly (the AMS profile continues to work perfectly):

- If I leave the Exchange server host as the IPv4 address in the profile, then about 90+% of emails will just get stuck in the mail spool showing failed.

- If I swap to the IPv6-only address in there, then some of the mail that was stuck in the spool seems to get delivered, but still approx. 90% ends up stuck in the spool.

- If I have both IPv4 and IPv6 hosts in the profile, then it does not seem to release any emails and will continue to block most emails.

Here's where it gets even odder:

- If I set the AMS server in the host list, almost all emails get forwarded (I have configured the AMS server to be a backup for the Exchange-hosted domains as a temporary fix to forward them all to the Exchange server). This works for about 97% of the incoming emails and the spool stays empty.

But then one or two emails are received that get stuck in the mail queue and will not get forwarded to AMS, and they do not show up in the AMS SMTP logs as a connection even being established, let alone the transaction starting.

The "fix" to this is to try the Exchange IPv4 or Exchange IPv6 addresses one at a time and retry the email, and sometimes the IPv4 address will work and sometimes the IPv6 address will work (it is independent of whether it was received over IPv4 or IPv6; one today was received as IPv4 but would only deliver to Exchange over IPv6 after failing AMS and Exchange IPv4).

If I try to have all 3 addresses in the profile (AMS, Exchange IPv4 and Exchange IPv6) then emails still seem to get stuck, like it is not doing a round-robin when the email fails with one server.

Before turning IPv6 on, this problem did not happen at all, and it did not happen with UTM9.

At the moment I have actually switched to legacy mode with AV, spam and RBL filtering enabled, as it is a headache I don't understand.

Does anyone have any ideas what is causing this and what I can do to fix it?

Thanks very much

Ian
