MTA Mode NDR settings

I've had a ticket open with support for about 6 days now where I'm struggling with them understanding or identifying the issue I'm experiencing with an XG Firewall in MTA Mode for email protection and the Exchange Server 2013 behind it.  My main issue is with NDR.  Prior to the upgrade to XG, we were running UTM 9 which runs as a transparent SMTP proxy, so the Exchange server ultimately handles its own NDR settings.  With the new MTA Mode, the Exchange server always comes in under its NDR threshold when it passes it off to the smarthost for the XG Firewall.  We want to know within an hour if there's a delay in delivering email and within 2 days if it fails so they can reach out to their recipients another way (yes, we know this doesn't cover every scenario of email delivery failure).  However, the XG seems to be set to only notify a sender if it can't deliver a message after 7 days.

So after arguing with support that Exchange does not effectively handle NDR for our purposes in this mode (they insisted it did - that was a struggle), I finally got them to ask escalated engineers where we could modify the NDR settings for the MTA agent.  They sent over the shell command reference, but that doesn't even cover the advanced shell options.  I refuse the answer "those settings can't be modified".  So I've asked the ticket to be escalated (for the second time) and hopefully someday it will.

If I change to legacy mode, I'm told that I will lose the ability for SPX encryption and all it will do is pass email traffic on to the Exchange server with no filtering.

So, here we are.  I need to either

  1. Adjust NDR settings in the XG Firewall for the MTA
  2. Buy some 3rd party app (can't seem to find one, any help here?) that will route email out of an Exchange server to a smarthost based on an email header "X-Sophos-SPX-Encrypt: yes" - Exchange doesn't let you route through different send connectors by anything but domain out of the box, but a Transport Agent would do the trick.

My issue with number 2 is that I will need to configure my Exchange server to send directly to MX servers based on their DNS and bypass the outbound mail features of the XG Firewall, like scanning for spam and easy SPX encryption.  I also can't for the life of me find a software app that will let me do this.



This thread was automatically locked due to age.
  • Got my final answer, and now the details the other support person was giving me are making some sense:

    I am an escalation engineer that is working on this case. I have reviewed the escalation and I understand that you are wanting to know how to modify MTA settings that are not available in the GUI.

    Unfortunately the settings that you are wanting to change can not be edited on the XG. The only options that you have the ability to change are listed in the console and command reference guides.

    While it may be possible to go in to the backend and manually edit the configuration files, this is not supported. As well with manual changes, if they are actually written to the file, the changes will be wiped out by a reboot or update, and as I said before it is not supported.

    So this isn't great.  They further suggested I add a feature request, which I'll now do, so if you have a chance please go vote for it?  I have no faith this will even be plugged into the roadmap - here's the link: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/31650505-mta-mode-ndr-settings .  This is standard MTA behavior that we aren't supporting here.
