
"Sophos Firewall was unable to send the following mail..." after upgrade to (SFOS 17.0.1)

Device: XG210

Current Version: SFOS 17.0.2 MR-2

Error:

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain1.com (No error code)

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain2.co.nz - 550 through this server without authentication.

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain3.com - 554: Relay access denied


We were previously in communication with the users in these 3 domains before upgrading to version 17.01.

Unfortunately, I cannot determine if it is version 17 or 17.01 that started the problem.

I waited for MR1 before upgrading to 17 then after several hours of testing, upgraded to MR1.

I did a telnet from Sophos' Device console and it shows Sender and Recipient OK.


Also, I read through "Advisory: Sophos XG Firewall email fails to send to servers that only support TLS 1.0"

Link: community.sophos.com/.../127745

Excerpt from the Link: "There will be a UI change that will allow the admin of the firewall to disable/enable TLS1.0 for email communication.

Email behavior will change when TLS cannot be correctly negotiated and will fall back to plain text.

Fix to be released in v17 MR2."


Based on the Advisory, I am unable to find the UI to disable TLS1.0.

So I upgraded to MR2 as the release notes show that the Mail Flow issue will be fixed.

Excerpt from Release Notes: "NC-22921 [Mail Proxy] Email flow is affected for recipients using TLS1.0"

However, even after the upgrade to MR2, it is still the same issue.


Additional Info:

Email Server: On-Premise Exchange Server 2016

Confirmed that Mail Flow has no issues. I have checked the Exchange logs and I have monitored the Exchange queue when sending emails to these domains.

All emails were sent through from the Exchange Server side and I did not get stuck emails in the Exchange queue (which is normally the case).

I only started getting these Sophos Firewall bounced back error messages after the upgrade to 17.01.


I called Sophos support for assistance but there is no resolution.

I really need assistance on this issue as the emails need to be sent urgently.

Thank you very much for the support in these community forums.

  • Originally disabled so I have ticked and unticked "Disable Legacy TLS protocols" before MR2 and even after MR2.

    Under Skip TLS negotiation, I am not sure how to add the recipient's MX records as per the Advisory.

    Thanks.

  • :-(

    Might be worth using the Advanced Shell to check that the mta.conf file as mentioned in the advisory actually has a line for disable_tls1 yes.

    To add the recipient's MX records, go to Hosts and Services, create an entry (hosts and/or subnets) for the MX records of the recipient domain (use dig or nslookup to get the MX records). Once the entries are created, go back to the Skip TLS Negotiation list and add the entries.

    Failing that, lodge a support request referencing the KB Article number of the advisory, or dig through /var/tslog/awarrenmta.log to see how the individual SMTP sessions are failing.

  • Yes. Thank you for reminding me. I have looked and looked for the disable_Tls1 and even copied the entire log, but it is nowhere to be found. I will work on adding the MX records for these 3 domains. Thank you for that info regarding Hosts and Services.

  • Update:

    I added all the MX Records of the 3 domain names in the SKIP TLS negotiation, but same problem.

    I worked with the Finance Team and asked 2 users to send it from each of their computers and both got the same bounced back error message.

    Under Email>General Settings>I clicked on Switch to Legacy Mode and left it on for a few minutes.

    While Sophos was on Legacy Mode, I asked the user to send the same email and it went through.

    I will continue to look where I can disable the TLS 1.0 in Advanced Mode.

  • I don't know that the TLS issue is causing your problem.

    We've got two customers we support. One has an XG that we sold back in the v15 days. We've tried multiple times to bring them into MTA mode since it became available in v16, and various bugs and incompatibilities have had us toggling back to legacy mode over and over again. With v17 we have been very close, with the legacy TLS incompatibility being the only thing we knew of as a problem. We have updated them to v17 MR2 and disabled legacy TLS mode via the GUI.

    Meanwhile, our other customer has an SG currently running 9.502-4 who had some issues with TLS, and we were given instructions to edit its exim.conf file to disable TLS v1.  That's been in place for a couple months without complaint.

    Today, coincidentally, the first customer tried to send to the second customer. "550 through this server without authentication"

    The SG on the recipient basically shows "temporarily rejected after DATA: Temporary local problem, please try again!"

    I'm going to try updating the SG to current (it's got 4 outstanding updates) and see if that helps. Certainly adding it as a TLS exception does NOT. I've done that explicitly at the XG end as a test, in addition to disabling legacy TLS entirely. Our office has an SG on 9.504-1 and we're accepting mail from both customers just fine.

    I'll update if this changes anything.

  • This is really interesting to know.

    Thank you for providing your insight/experience on this issue.


    When Sophos Firewall was on Legacy Mode temporarily, the email went through and the recipient was able to respond back.

    I am hoping to avoid going to Legacy Mode permanently.

    I will update this once Sophos calls me back regarding this issue.

  • I have updated the recipient end's SG to 9.506-2 (current) and rebooted. No change. Also, this is before re-instating the manual edit to exim.conf that disables TLS 1.0 on that unit. (In this case, the legacy TLS needs to be disabled to pass PCI compliance scanning.)

  • Followup...

    I found greylisting was enabled on the recipient's SG.  Hence the "temporary error".  The XG is considering that a fatal error and not retrying.  That's probably your issue.

    Good luck.
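    The point Paul makes is the distinction between SMTP reply classes: a 4xx reply (what a greylisting server returns) asks the sender to queue and retry, while a 5xx reply is final. As an added example, not code from the thread or from Sophos, the snippet below classifies the recipient lines quoted in the original post this way; the fourth sample line is constructed to model the Exim greylisting text quoted above, and the "(No error code)" line is treated as a failure below the SMTP layer.

```python
"""Classify SMTP rejections as transient (4xx, retry) or permanent (5xx)."""
import re
from typing import NamedTuple, Optional

# A 3-digit reply code, an optional RFC 3463 enhanced code (e.g. 4.7.1),
# then the server's free text.  Separator may be space, colon or dash.
_REPLY = re.compile(
    r"\b([245]\d\d)(?:[ :-]+(\d\.\d{1,3}\.\d{1,3}))?\s*[:-]?\s*(.*)", re.S
)


class Verdict(NamedTuple):
    code: Optional[int]
    enhanced: Optional[str]
    kind: str      # "success", "transient", "permanent" or "unknown"
    retry: bool    # should a compliant sending MTA keep the message queued?
    text: str


def classify_reply(line: str) -> Verdict:
    """Parse one bounce/recipient line into a Verdict."""
    m = _REPLY.search(line)
    if not m:
        # No SMTP reply at all (e.g. "(No error code)"): the session most
        # likely failed before SMTP, at the TCP or TLS layer.
        return Verdict(None, None, "unknown", False, line.strip())
    code, enhanced, text = int(m.group(1)), m.group(2), m.group(3).strip()
    kind = {2: "success", 4: "transient", 5: "permanent"}[code // 100]
    return Verdict(code, enhanced, kind, code // 100 == 4, text)


# Constructed sample: the three lines from the original post plus one
# greylisting reply modelled on the Exim wording quoted in this thread.
SAMPLE_BOUNCES = [
    "xxxxxxx@domain1.com (No error code)",
    "xxxxxxx@domain2.co.nz - 550 through this server without authentication.",
    "xxxxxxx@domain3.com - 554: Relay access denied",
    "xxxxxxx@domain4.example - 451 4.7.1 temporarily rejected after DATA: "
    "Temporary local problem, please try again!",
]


def triage(bounces):
    """Map each recipient to its Verdict so the 'try again later' rejections
    (which a sender should have retried) stand apart from the final ones."""
    return {line.split()[0]: classify_reply(line) for line in bounces}


if __name__ == "__main__":
    for rcpt, v in triage(SAMPLE_BOUNCES).items():
        print(f"{rcpt:28} {v.code!s:5} {v.kind:10} retry={v.retry}")
```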

  • Thank you very much Paul. Glad to know you have resolved your issue. My SPAM Protection in my XG210 is actually disabled. I enabled Spam Protection (without Greylisting) and disabled it again but no luck. Still trying to find a resolution...