I don't receive emails when smtp smtps scan is activated

Question

Hello everyone 
 
 I have a problem with my Sophos XG210. 
 I have a Exchange 2010 Server, before we had a self-signed certificate. We activated the email protection (because of spam), it worked perfectly. 
 Yesterday we have changed the certificate to an official one. This morning I can't receive any e-mail. 
 After some tests, I have disabled the SMTP and STMPS scanning on my business rule, and I receive my e-mail. 
 Now it works, but I receive spam again. 
 
 If you have any ideas ? 
 
 Thank you

ChrisKnight · Accepted Answer

Hi Nihal, 
 By broken firewalls I mean that I have three XG Firewall devices that no longer correctly deliver e-mail to an internal mail server when using Legacy Mode. 
 There is a Knowledge Base Article on setting up MTA Mode here - https://community.sophos.com/kb/en-us/125596 
 This is the article I used to set up MTA Mode, as it is the first MTA Mode setup I have had to do.

ChrisKnight · Answer

OK, I can confirm that switching from Legacy Mode to MTA Mode helps fix this problem in a two-fold manner. 
 The first is you have two separate SMTP sessions - one from the sending mail server to the XG Firewall, followed by one from the XG Firewall to the internal mail server. This second connection to the internal mail server doesn't have any data flow issues, as all the scanning has been done by this point. 
 The second subtle way in which the change to MTA Mode works is by resetting the Premium RBL and Standard RBL lists, reducing the time taken for RBL checks. Also nasty, because you've also lost important configuration information silently and not received any warning that this would happen. THIS IS REALLY SUCKY. 
 If you want to use Legacy Mode reliably now, turn off the RBL checks and have the internal mail server perform these. 
 At this point in time the only confidence I have in the mail protection feature of the XG Firewall is that it reliably dual-scan e-mail for malware. And that's about it :-(

ChrisKnight · Answer

The bug is still there if you have an unresponsive RBL in either of the Premium or Standard RBL lists. 
 The instructions for removing the RBL list is simply removing the unresponsive RBL system from being queried, resulting in a timed out SMTP session. 
 For example if you add bad.psky.me to either list - which appears to be down and has been down since I first noticed this problem - and have the XG Firewall in Legacy Mode, you'll end up with most of your SMTP sessions to an internal mail server timing out. 
 tl;dr an unresponsive RBL will effectively DoS a Legacy Mode configuration. 
 Switching to MTA Mode makes an unresponsive RBL simply delay transmission to an internal mail server. 
 The instructions in that article would be much more useful if it gave guidance on removing RBLs one at a time to see which RBL service is unresponsive.