MTA Mode NDR settings

I've had a ticket open with support for about 6 days now where I'm struggling with them understanding or identifying the issue I'm experiencing with an XG Firewall in MTA Mode for email protection and the Exchange Server 2013 behind it.  My main issue is with NDR.  Prior to the upgrade to XG, we were running UTM 9 which runs as a transparent SMTP proxy, so the Exchange server ultimately handles its own NDR settings.  With the new MTA Mode, the Exchange server always comes in under its NDR threshold when it passes it off to the smarthost for the XG Firewall.  We want to know within an hour if there's a delay in delivering email and within 2 days if it fails so they can reach out to their recipients another way (yes, we know this doesn't cover every scenario of email delivery failure).  However, the XG seems to be set to only notify a sender if it can't deliver a message after 7 days.

So after arguing with support that Exchange does not effectively handle NDR for our purposes in this mode (they insisted it did - that was a struggle), I finally got them to ask escalated engineers where we could modify the NDR settings for the MTA agent.  They sent over the shell command reference, but that doesn't even cover the advanced shell options.  I refuse the answer "those settings can't be modified".  So I've asked for the ticket to be escalated (for the second time) and hopefully someday it will.

If I change to legacy mode, I'm told that I will lose the ability for SPX encryption and all it will do is pass email traffic on to the Exchange server with no filtering.

So, here we are.  I need to either

  1. Adjust NDR settings in the XG Firewall for the MTA
  2. Buy some 3rd party app (can't seem to find one, any help here?) that will route email out of an Exchange server to a smarthost based on an email header "X-Sophos-SPX-Encrypt: yes" - Exchange doesn't let you route through different send connectors by anything but domain out of the box, but a Transport Agent would do the trick.

My issue with number 2 is that I will need to configure my Exchange server to send directly to MX servers based on their DNS and bypass the outbound mail features of the XG Firewall, like scanning for spam and easy SPX encryption.  I also can't for the life of me find a software app that will let me do this.



This thread was automatically locked due to age.
  • Hi Chris,

    I do not see a JIRA filed on this requirement, which means the development has no plans for the modification option. The only option I see available here is to reach the Product Managers through a Feature Request on Sophos Ideas.

    If you need my intervention in anything, please DM me.

    Thanks
