Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 24 replies
  • Subscribers 30 subscribers
  • Views 52968 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"Sophos Firewall was unable to send the following mail..." after upgrade to (SFOS 17.0.1)

Graboid$

Device: XG210

Current Version: SFOS 17.0.2 MR-2

Error: 

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain1.com (No error code)

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain2.co.nz - 550 through this server without authentication.

Sophos Firewall was unable to send the following mail:
Mail delivery to following recipients failed:
xxxxxxx@domain3.com - 554: Relay access denied

 

We are previously in communication with the users in these 3 domains before upgrading to version 17.01.

Unfortunately, I cannot determine if it is version 17 or 17.01 that started the problem.

I waited for MR1 before upgrading to 17 then after several hours of testing, upgraded to MR1.

I did a telnet from Sophos' Device console and it shows Sender and Recipient OK.

 

Also, I read through  "Advisory: Sophos XG Firewall email fails to send to servers that only support TLS 1.0" 

Link: community.sophos.com/.../127745

Excerpt from the Link: """ There will be a UI change that will allow the admin of the firewall to disable/enable TLS1.0 for email communication.

Email behavior will change when TLS cannot be correctly negotiated and will fall back to plain text.

Fix to be released in v17 MR2."""""

 

Based on the Advisory, I am unable to find the UI to disable TLS1.0.

So I upgraded to MR2 as the release notes shows that the Mail Flow issue will be fixed.

Excerpt from Release Notes: ---"NC-22921 [Mail Proxy] Email flow is affected for recipients using TLS1.0"---

However, even after upgrade to MR2, it it still the same issue.

 

Additional Info:

Email Server: On-Premise Exchange Server 2016

Confirmed that Mail Flow has no issues. I have checked the Exchange logs and I have monitored the Exchange queue when sending emails to these domains. 

All emails were sent through from the Exchange Server side and I did not get stuck emails in the Exchange queue (which is normally the case). 

I only started getting these Sophos Firewall bounced back error messages after the upgrade to 17.01.

 

I called Sophos support for assistance but there is no resolution.

I really need assistance on this issue as the emails needs to be sent urgently.

Thank you very much for the support in these community forums.



This thread was automatically locked due to age.
Parents
  • 0

    Under Email go into General Settings.

    In the SMTP TLS Configuration section, untick Disable Legacy TLS protocols or add the remote mail servers that are failing to the Skip TLS Negotiation list.

  • 0 in reply to ChrisKnight

    Originally disabled so I have tick and untick "Disable Legacy TLS protocols" before MR2 and even after Mr2.

    Under Skip TLS negotation, I am not sure how to add the recipient's MX records as per the Advisory.

    Thanks.

  • 0 in reply to Graboid$

    Summary and Update:

    #1. Due to Mail Flow issue (Sophos Firewall was unable to send the following mail error...), I upgraded to MR2, however, it did not fixed the problem and it broke my SSL VPN (Remote Access).
    #2. We are able to finally get a live log in debug mode when another user received the same bounced error message from Sophos Firewall.
    @Paul Gazo is right, in Domain#4, we got the error "451 Internal resource temporarily unavailable". Nslookup shows that the MX of this domain is with mimecast. The link community.mimecast.com/.../DOC-1369 explains that the error is refused due to Greylisting. The thing about this is that my end user is able to communicate with these recipients prior to version 17.0 and 17.0.1 upgrade. In fact just a day before the upgrade, my users were able to send emails to these recipients. Anyway, the workaround to sending an email to the recipients now is to enable Legacy mode in Sophos Firewall and resend the message then re-enable MTA mode. 
    #3. To regain my SSL-VPN connection, I downgraded to MR1. After the downgrade to MR1, I can no longer send an email to support@sophos.com. The error message is "User profile not configured". Support Team enabled TL1.0 and the emails to Sophos support were delivered.

  • 0 in reply to Graboid$

    I have the same issue after deploying a brand new XG 310 with version 17, MR3. Sender receives bounce back message stating email failed to deliver, but yet it was delivered. We called the person that the bounce back messages was referring to and they said they received it just fine.

     

    I submitted case # 7820427.  Hopefully Sophos can figure it out (cross fingers). My first Sophos deployment.

  • 0 in reply to WKEIT

    Hi  

    Are you still working with Sophos Support on this one? My case with Support is still open and ongoing. Unfortunately, I have no additional update other than what I already posted on this page. We are still experiencing the random bounced error message from time to time. As a workaround, I just switch to Legacy Mode so the users can send emails to their recipients. I am still running MR1 due to the VPN issue that I encountered after MR2 upgrade.

  • 0 in reply to Graboid$

    Hello,

    Yes we resolved our issue with support.  Support was able to assist and found that we had two WAN connection, but both were setup as mains instead of active/backup. Some emails were going out on our secondary ISP that was intended as a backup connection.  The IP on the second connection was a dynamic address issued by ISP, which some email servers/services did not like and blocked the emails from getting through. After it failed, it went out on the primary connection and it was accepted, creating the accept/fail/deliver effect.

  • 0 in reply to WKEIT

    I see. I am glad you were able to work it out with Support. As for me, I am still working with Level 2 Support and unfortunately we are still unable to determine the cause of the issue.

  • 0 in reply to Graboid$

    Hi,

    after upgrade to SFOS 17.0.5 MR-5 version, we had the same problem with some outgoing emails, but then I added our Exchange server to "General setting -> SMTP TLS Configuration -> Skip TLS negotiation" the problem has gone.

  • 0 in reply to Ramunas Leskauskas

    Hi Ramunas,

    Thank you for sharing your resolution. I did the same setting in MR1 and MR5 but we still get the occasional bounced error message. Sophos Support has confirmed that the bounced error in Sophos Firewall MTA Mode is an issue when the recipient mail server has greylisting enabled. I am still using the workaround which is to temporarily enable Legacy Mode to send an email to such recipient and turn MTA mode back on again. Excerpt from Support Email = "I reviewed the issue several times, and found the only possible cause of issue is a known bug on XG firewall, internal ID NC-27240. NC-27240 makes the XG firewall fails to send an outbound email when the recipient mail server has greylisting enabled. NC-27240 will be fixed in XG firmware v17 MR6...)

  • 0 in reply to Graboid$

    New update, new problems as always :)

  • 0 in reply to Graboid$

    Have you updated since the release of MR6 and was your problem corrected in that version?

  • 0 in reply to WKEIT

    Hi WKEIT, I have NOT updated to MR6 yet, still running MR5. Thank you.

Reply Children
No Data