I don't receive emails when smtp smtps scan is activated

Hello everyone

I have a problem with my Sophos XG210.

I have an Exchange 2010 Server; before, we had a self-signed certificate. We activated the email protection (because of spam), and it worked perfectly.

Yesterday we changed the certificate to an official one. This morning I can't receive any e-mail.

After some tests, I disabled the SMTP and SMTPS scanning on my business rule, and I receive my e-mail.

Now it works, but I receive spam again.

If you have any ideas?

Thank you



  • Legacy Mode or MTA Mode?

    I've currently got three broken firewalls using Legacy Mode, which suspiciously looks like it's related to the IPS updates that came through 16 hours ago (about 1.30am, +10 GMT).

    Switching to MTA mode fixes the problem. Currently trying to raise a ticket on it.

  • Thank you for your answer.

    What do you mean by broken firewalls?

    It is in legacy mode.

    I tried to switch on MTA mode, but I can't send e-mail; I get an error: Sophos #550 Relay access denied ##

    And I still don't get emails.

    That is weird, because it works when I have disabled SMTP/SMTPS scan.

  • And I have stopped the IPS services.

  • Hi Nihal,

    By broken firewalls I mean that I have three XG Firewall devices that no longer correctly deliver e-mail to an internal mail server when using Legacy Mode.

    There is a Knowledge Base Article on setting up MTA Mode here - https://community.sophos.com/kb/en-us/125596

    This is the article I used to set up MTA Mode, as it is the first MTA Mode setup I have had to do.

  • I just have a question (sorry, I am totally new with Sophos).

    What is the difference between MTA and legacy mode?

    I will try to change to MTA mode, and test if we can receive and send e-mail.

    Thank you for your help and support.

  • Hi,

    I have just experienced this same situation. Legacy setup was working well; all of a sudden it stopped, no error, no warning.

    I have now configured the XG in MTA mode and it is working, however I am finding that mail delivery is very slow, sometimes 5 to 10 minutes to deliver to the Mail Server. Are you aware of any such issues, and if so, is there a workaround to resolve this?

    Thanks in Advance

    George

  • Legacy Mode works as a transparent proxy, so the internal mail server essentially sees an inbound SMTP connection from the sending mail server in the WAN zone.

    Legacy Mode also supports blacklisting and whitelisting of individual addresses.

    MTA Mode works like a mail server. It receives the message from the sending mail server in the WAN zone. It then stores it on the XG Firewall and delivers it to the internal mail server once it has finished processing the message. The internal mail server sees an inbound SMTP connection from the internal IP address of the XG Firewall.

    What appears to be happening is Legacy Mode is being held up trying to perform RBL blacklist checks, which prevents the XG Firewall from correctly finalising communication with the internal mail server, so the internal mail server finally gives up and times out the session, meaning the internal mail server won't show a completed successful or failed delivery and neither will the Log Viewer in the XG Firewall.

    In MTA Mode I suspect this RBL check is done once the message has been successfully received by the XG Firewall. The RBL blacklist check is then timing out, but as the message has been completely received, it is then able to successfully send the message to the internal mail server, just without a completed RBL blacklist check.

    The workaround for Bug ID NC-19829 apparently is to remove the Standard RBL check from the Policy list, although I think the better option is to note down all the RBLs you're using in both the Premium and Standard RBLs and to remove them one at a time to find the culprit.

    Another way to diagnose this would be to do a blacklist check on mxtoolbox.com, look at the response times and cull your RBL entries based on response times listed on mxtoolbox.com.

    I've noticed that bad.psky.me has gone AWOL, so if you have that in your RBL lists you'll want to temporarily or permanently remove it.

    In light of this, Sophos probably need to add some code to abort RBL checks so that SMTP sessions don't time out and somehow bubble up non-responsive RBL checks to a place where we can see them.

  • Hi George.

    Based on Bjorn's response - thanks Bjorn! - it appears that some RBLs are either not responding or timing out, causing the RBL check to take an excessive amount of time. MTA Mode handles this as it already has the message queued, so it can finalise delivery to the internal mail server albeit with a delay. Legacy Mode mostly fails, as the Exchange Server ends up timing out the connection while waiting for the XG Firewall to send it data.

    Culling the Premium and/or Standard RBL lists will most likely get Legacy Mode working again.

    You could probably bump up the timeout on the Exchange Server Receive Connector, but I have no idea what value would make it work reliably (if at all).
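The diagnosis in the two posts above (RBL zones that answer slowly or not at all stall the Legacy Mode proxy until Exchange times out) can be reproduced outside the firewall: reverse the sender's IPv4 octets, query each DNSBL zone with a deadline, and cull the zones that do not answer in time, much as the mxtoolbox response-time check suggests. The script below is an added example written for this thread, not code from Sophos or the XG Firewall. The zone names under .example, the DEMO_TABLE delays and the sender address 192.0.2.25 are constructed so it runs offline; pass `resolve=real_resolve` (plain socket.gethostbyname) with your own RBL list to time live lookups.

```python
"""Timed DNSBL (RBL) lookups with a batch deadline, to spot zones that stall mail flow.

Added example for this thread; not Sophos code. Zones under .example and the
DEMO_TABLE delays are constructed so the script runs offline.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass


@dataclass
class RblResult:
    zone: str
    status: str        # "listed", "clean", "timeout" or "error"
    seconds: float     # how long the lookup took (the deadline, on timeout)
    answer: str = ""   # A record returned by a listing zone, e.g. 127.0.0.2


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed IPv4 octets, then the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def real_resolve(name: str) -> str:
    """Live resolver: an A record means 'listed'; NXDOMAIN (gaierror) means 'clean'."""
    return socket.gethostbyname(name)


def _timed(resolve, name):
    """Run one lookup, classify the outcome and measure wall-clock time."""
    t0 = time.monotonic()
    try:
        answer = resolve(name)
        return "listed", answer, time.monotonic() - t0
    except socket.gaierror:
        return "clean", "", time.monotonic() - t0
    except OSError as exc:
        return "error", str(exc), time.monotonic() - t0


def check_rbls(ip, zones, deadline=2.0, resolve=real_resolve):
    """Query all zones in parallel under one deadline.

    A zone that has not answered by the deadline is reported as 'timeout'
    instead of blocking the caller: the behaviour a transparent SMTP proxy
    needs so a dead RBL cannot starve the session with the mail server.
    """
    pool = ThreadPoolExecutor(max_workers=max(1, len(zones)))
    started = time.monotonic()
    futures = [(z, pool.submit(_timed, resolve, rbl_query_name(ip, z))) for z in zones]
    results = []
    for zone, fut in futures:
        remaining = max(0.0, deadline - (time.monotonic() - started))
        try:
            status, answer, seconds = fut.result(timeout=remaining)
        except FutureTimeout:
            status, answer, seconds = "timeout", "", deadline
        results.append(RblResult(zone, status, round(seconds, 3), answer))
    pool.shutdown(wait=False)   # do not wait for lookups we have already given up on
    return results


def cull(results, max_seconds):
    """Split zones into those worth keeping and those too slow or dead to keep."""
    keep = [r.zone for r in results
            if r.status in ("listed", "clean") and r.seconds <= max_seconds]
    drop = [r.zone for r in results if r.zone not in keep]
    return keep, drop


def fake_resolver(table):
    """Constructed offline resolver: table maps zone -> (delay_seconds, answer_or_None)."""
    def resolve(name):
        for zone, (delay, answer) in table.items():
            if name.endswith("." + zone):
                time.sleep(delay)
                if answer is None:
                    raise socket.gaierror(-2, "NXDOMAIN")
                return answer
        raise socket.gaierror(-2, "NXDOMAIN")
    return resolve


DEMO_IP = "192.0.2.25"   # constructed sender address (TEST-NET-2)
DEMO_TABLE = {            # constructed zones: one lists the IP, one is clean, one never answers in time
    "fast.rbl.example": (0.01, "127.0.0.2"),
    "clean.rbl.example": (0.01, None),
    "dead.rbl.example": (0.8, None),
}


def demo(deadline=0.3):
    results = check_rbls(DEMO_IP, list(DEMO_TABLE), deadline, fake_resolver(DEMO_TABLE))
    keep, drop = cull(results, max_seconds=deadline)
    return results, keep, drop


if __name__ == "__main__":
    results, keep, drop = demo()
    for r in results:
        print(f"{r.zone:20} {r.status:8} {r.seconds:6.3f}s {r.answer}")
    print("keep:", keep, "drop:", drop)
```

The deadline is shared by the batch rather than applied per zone, so the slowest zone bounds the total time the way a proxy's SMTP session budget would; anything reported as `timeout` or `error` is a candidate for removal from the Standard or Premium RBL list.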

  • OK, I can confirm that switching from Legacy Mode to MTA Mode helps fix this problem in a two-fold manner.

    The first is you have two separate SMTP sessions - one from the sending mail server to the XG Firewall, followed by one from the XG Firewall to the internal mail server. This second connection to the internal mail server doesn't have any data flow issues, as all the scanning has been done by this point.

    The second subtle way in which the change to MTA Mode works is by resetting the Premium RBL and Standard RBL lists, reducing the time taken for RBL checks. Also nasty, because you've also lost important configuration information silently and not received any warning that this would happen. THIS IS REALLY SUCKY.

    If you want to use Legacy Mode reliably now, turn off the RBL checks and have the internal mail server perform these.

    At this point in time the only confidence I have in the mail protection feature of the XG Firewall is that it reliably dual-scans e-mail for malware. And that's about it :-(
