I don't receive emails when smtp smtps scan is activated

Hello everyone

 

I have a problem with my Sophos XG210.

I have an Exchange 2010 Server; before, we had a self-signed certificate. We activated the email protection (because of spam), and it worked perfectly.

Yesterday we changed the certificate to an official one. This morning I can't receive any e-mail.

After some tests, I disabled the SMTP and SMTPS scanning on my business rule, and I receive my e-mail.

Now it works, but I receive spam again.

 

If you have any ideas?

 

Thank you



  • Legacy Mode works as a transparent proxy, so the internal mail server essentially sees an inbound SMTP connection from the sending mail server in the WAN zone.

    Legacy Mode also supports blacklisting and whitelisting of individual addresses.

    MTA Mode works like a mail server. It receives the message from the sending mail server in the WAN zone. It then stores it on the XG Firewall and delivers it to the internal mail server once it has finished processing the message. The internal mail server sees an inbound SMTP connection from the internal IP address of the XG Firewall.

    What appears to be happening is Legacy Mode is being held up trying to perform RBL blacklist checks, which prevents the XG Firewall from correctly finalising communication with the internal mail server, so the internal mail server finally gives up and times out the session, meaning the internal mail server won't show a completed successful or failed delivery and neither will the Log Viewer in the XG Firewall.

    In MTA Mode I suspect this RBL check is done once the message has been successfully received by the XG Firewall. The RBL blacklist check is then timing out, but as the message has been completely received, it is then able to successfully send the message to the internal mail server, just without a completed RBL blacklist check.

    The workaround for Bug ID NC-19829 apparently is to remove the Standard RBL check from the Policy list, although I think the better option is to note down all the RBLs you're using in both the Premium and Standard RBLs and to remove them one at a time to find the culprit.

    Another way to diagnose this would be to do a blacklist check on mxtoolbox.com, look at the response times and cull your RBL entries based on response times listed on mxtoolbox.com.

    I've noticed that bad.psky.me has gone AWOL, so if you have that in your RBL lists you'll want to temporarily or permanently remove it.

    In light of this, Sophos probably need to add some code to abort RBL checks so that SMTP sessions don't time out and somehow bubble up non-responsive RBL checks to a place where we can see them.
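
The reply above suggests culling RBL entries by response time. The following Python sketch is an added example, not part of the original thread and not Sophos code: it queries each DNSBL zone in parallel under one hard deadline and reports which zones were slow or never answered. The zone names are placeholders and the function names are hypothetical.

```python
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def check_rbls(ip, zones, timeout=3.0, resolver=socket.gethostbyname):
    """Query every zone in parallel; return {zone: (status, seconds)}.

    status is "listed" (an A record came back), "clean" (lookup failed,
    normally NXDOMAIN) or "timeout" (no answer within `timeout` seconds).
    """
    def timed_lookup(zone):
        start = time.monotonic()
        try:
            resolver(dnsbl_query_name(ip, zone))
            status = "listed"
        except socket.gaierror:  # also raised on SERVFAIL, not only NXDOMAIN
            status = "clean"
        return status, time.monotonic() - start

    pool = ThreadPoolExecutor(max_workers=max(1, len(zones)))
    futures = {zone: pool.submit(timed_lookup, zone) for zone in zones}
    deadline = time.monotonic() + timeout
    results = {}
    for zone, fut in futures.items():
        try:
            results[zone] = fut.result(max(0.0, deadline - time.monotonic()))
        except LookupTimeout:
            results[zone] = ("timeout", timeout)
    pool.shutdown(wait=False)  # do not block the caller on a hung lookup
    return results

def slow_zones(results, threshold=1.0):
    """Zones that timed out or answered slower than `threshold` seconds."""
    return sorted(z for z, (status, secs) in results.items()
                  if status == "timeout" or secs >= threshold)

if __name__ == "__main__":
    # 127.0.0.2 is the conventional DNSBL test address; zone names are placeholders.
    report = check_rbls("127.0.0.2", ["rbl-one.example", "rbl-two.example"])
    for zone, (status, secs) in report.items():
        print(f"{zone:25} {status:8} {secs:.2f}s")
    print("candidates to remove:", slow_zones(report))
```

Run it from a host that uses the same DNS resolver as the firewall, with the zones copied from the Premium and Standard RBL lists, so the timings reflect what the firewall itself would see.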

  • OK, I can confirm that switching from Legacy Mode to MTA Mode helps fix this problem in a two-fold manner.

    The first is you have two separate SMTP sessions - one from the sending mail server to the XG Firewall, followed by one from the XG Firewall to the internal mail server. This second connection to the internal mail server doesn't have any data flow issues, as all the scanning has been done by this point.

    The second subtle way in which the change to MTA Mode works is by resetting the Premium RBL and Standard RBL lists, reducing the time taken for RBL checks. Also nasty, because you've also lost important configuration information silently and not received any warning that this would happen. THIS IS REALLY SUCKY.

    If you want to use Legacy Mode reliably now, turn off the RBL checks and have the internal mail server perform these.

    At this point in time the only confidence I have in the mail protection feature of the XG Firewall is that it reliably dual-scans e-mail for malware. And that's about it :-(

  • I feel your pain Chris.  This is a new XG install for a client and not leaving them with much confidence in the device.

  • Apparently the problem is solved.

    I tried to switch to MTA, but it was very slow and my exchange server "paused" the delivery.

    So I switched back to Legacy with my normal configuration. I reactivated the SMTP and SMTPS scan, tried it, and it worked.

    I received an update for the Avira and Sophos antivirus; maybe it fixed the problem.

  • If your Exchange Server is "pausing" the delivery you may need to disable the Exchange Server backpressure features.

    More info here - technet.microsoft.com/.../bb201658(v=exchg.141).aspx