XG V17: E-Mail recipient verification not working

Hello,

"Recipient verification" and smart host are features I was waiting for. But when I switch on the function "recipient verification by call-out" in XG V17.0.0, nothing happens. Mails to a non-existing user at the domain are still getting accepted by XG. XG is set up in MTA mode to forward the incoming mails to an Exchange server. When I was using UTM before, this was working perfectly.

Is this a bug, or am I using the feature in the wrong way?

  • Hello Tobias

    With Recipient Verification via the callout method it does rely on the downstream server (Exchange most likely) rejecting a message to an incorrect recipient at the "RCPT TO" stage of the SMTP transaction.

    If your downstream server is not rejecting at this stage for non-existing users then callout won't work.

    This has been made harder to achieve recently with Exchange 2013 and 2016 - Microsoft in their infinite wisdom changed Exchange Mailbox/Hub roles so that if the usual recipient filtering is installed it rejects at the DATA stage.

    If you have Exchange 2013/2016 and only have the Mailbox/Hub role installed (most likely) and not the Edge role (will work fine with Edge) then you can't do callout recipient verification over port 25 as before and must use a different port (2525 or pick one).

    I would link to a Sophos KB article but I don't think they have one so this SpamTitan article is full and complete:
    helpdesk.spamtitan.com/.../4000003763-dynamic-recipient-verification-using-exchange-2013-and-2016

  • Hello,

    so, your linked article helped to get Exchange doing sender verification.

    But how to get Sophos XG to do so over port 2525? I cannot find any setting in V17 to change the port.

     

    Here is an addition to my previous post.
    In UTM I used verification via Active Directory. Therefore it was working before.

  • Just in case someone else gets stuck at this:

    I solved it by setting up an SNAT rule to change SMTP port 25 traffic FROM the firewall going TO the mail server that changes the traffic to the wanted port 2526 on the Exchange servers.
    (Could use DNAT, if that fits better in your world)

    Then set up a new Hub Transport that listens on port 2526, and accepts anonymous connections, but only from the IP address of the firewall.
    (Remember to create a Windows Firewall rule)

    This is on UTM - but the concept is the same for XG.
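
Added example, not part of any post in this thread: a Python check an administrator can run against their own Exchange connector to see whether a non-existent recipient is refused at RCPT TO, which is what the callout method described in the first reply depends on. Host, port and addresses are supplied by the caller; `ScriptedSession` and the `example.test` addresses are constructed for the offline demo.

```python
import smtplib
import sys


def rcpt_stage_verdict(smtp, sender, valid_rcpt, bogus_rcpt):
    """Classify how an open SMTP session answers RCPT TO; DATA is never sent."""
    smtp.ehlo()
    codes = {}
    for label, rcpt in (("valid", valid_rcpt), ("bogus", bogus_rcpt)):
        code, _ = smtp.mail(sender)
        if code // 100 != 2:
            raise RuntimeError(f"MAIL FROM refused with {code}")
        codes[label], _ = smtp.rcpt(rcpt)
        smtp.rset()  # drop the envelope so nothing is queued
    if codes["valid"] // 100 != 2:
        verdict = "valid-recipient-refused"  # connector does not accept mail from this source
    elif codes["bogus"] // 100 == 2:
        verdict = "accepts-all"              # rejection deferred; callout sees everyone as valid
    elif codes["bogus"] // 100 == 5:
        verdict = "rejects-at-rcpt"          # what callout verification needs
    else:
        verdict = "tempfail"                 # 4xx: not a definitive answer, retry later
    return verdict, codes


class ScriptedSession:
    """Constructed stand-in for smtplib.SMTP that replays fixed RCPT TO reply codes."""

    def __init__(self, rcpt_codes):
        self.rcpt_codes = dict(rcpt_codes)

    def ehlo(self):
        return (250, b"ok")

    def mail(self, sender):
        return (250, b"2.1.0 Sender OK")

    def rcpt(self, rcpt):
        return (self.rcpt_codes[rcpt], b"")

    def rset(self):
        return (250, b"2.0.0 Resetting")


if __name__ == "__main__":
    if len(sys.argv) == 6:  # host port sender valid_rcpt bogus_rcpt
        host, port, sender, valid, bogus = sys.argv[1:]
        with smtplib.SMTP(host, int(port), timeout=15) as session:
            print(rcpt_stage_verdict(session, sender, valid, bogus))
    else:  # offline demo: constructed replies from a server that accepts every recipient
        demo = ScriptedSession({"user@example.test": 250, "nobody@example.test": 250})
        print(rcpt_stage_verdict(demo, "probe@example.test", "user@example.test", "nobody@example.test"))
```

Run it from a host the connector accepts connections from, once against port 25 and once against the dedicated port; only a `rejects-at-rcpt` result means callout verification can work on that port.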