"Sophos Firewall was unable to send the following mail..." after upgrade to (SFOS 17.0.1)

Thank you very much Paul.  Glad to know you have resolved your issue. My SPAM Protection in my XG210 is actually disabled. I enabled Spam Protection (without Greylisting) and disable it again but no luck. Still trying to find a resolution...

You're welcome... but I think the issue isn't with the XG having greylisting enabled.  It's the recipient end, which you have no control over.  I got lucky in that this problem was between two of my customers, so I could work at both ends.

The idea behind greylisting is:

Sending server contacts receiving server.
Receiving server hasn't seen sending server recently (keeps a table), rejects the message with a temporary error code.
Sending server considers this a temporary failures, queues the message for retry.
Time passes.
Sending server retries contacting receiving server.
Receiving server recognizing sending server, accepts the message.

Spammers usually won't retry, if they're using crappy (malware) MTAs, so this technique can help a little bit.  But if the sending server (your XG and my sending customer's XG) can't handle the retries, it turns into a permanent failure.  Nothing you can do at the sending end.

I would recommend opening a case with Sophos if you haven't already, and offer up the experience I've had today.  They should be able to stage it with an XG and an SG and determine which software isn't doing it right.

Thank you for that. I just thought to try it on my end as there are currently 3 domains that we are having an issue with MTA mode on. And you are right, I have opened a case with Sophos since two days ago and still waiting for a callback from the escalation team. In the meantime, this forum has already helped me a lot :)

Update: Sophos Team called me back, however, without the live logs in debug mode there is nothing that can be done. Unfortunately, live logs is not possible at the moment. Sending to Domain1 already worked after enabling legacy mode in Sophos Firewall. That leaves with Domain 2 and Domain3. I cannot use Domain2 as testing because this is an email communication between two directors and Domain3 is more complicated to deal with. So I TEMPORARILY disable MTA mode so that the user can resend his email after waiting for 4 days. Moving forward, I will monitor for any bounced error message in MTA mode and capture the live logs in debug mode then call Sophos Support again.

On a side note: Since my SSL VPN is broken after MR2 upgrade, I will be going back to MR1 later today. I already recreated SSL VPN (Remote Access) from scratch and it is still not working. Again, thank you for everyone who provided assistance on this matter.

Summary and Update:

#1. Due to Mail Flow issue (Sophos Firewall was unable to send the following mail error...), I upgraded to MR2, however, it did not fixed the problem and it broke my SSL VPN (Remote Access).
#2. We are able to finally get a live log in debug mode when another user received the same bounced error message from Sophos Firewall.
@Paul Gazo is right, in Domain#4, we got the error "451 Internal resource temporarily unavailable". Nslookup shows that the MX of this domain is with mimecast. The link community.mimecast.com/.../DOC-1369 explains that the error is refused due to Greylisting. The thing about this is that my end user is able to communicate with these recipients prior to version 17.0 and 17.0.1 upgrade. In fact just a day before the upgrade, my users were able to send emails to these recipients. Anyway, the workaround to sending an email to the recipients now is to enable Legacy mode in Sophos Firewall and resend the message then re-enable MTA mode. 
#3. To regain my SSL-VPN connection, I downgraded to MR1. After the downgrade to MR1, I can no longer send an email to support@sophos.com. The error message is "User profile not configured". Support Team enabled TL1.0 and the emails to Sophos support were delivered.

I have the same issue after deploying a brand new XG 310 with version 17, MR3. Sender receives bounce back message stating email failed to deliver, but yet it was delivered. We called the person that the bounce back messages was referring to and they said they received it just fine.

I submitted case # 7820427.  Hopefully Sophos can figure it out (cross fingers). My first Sophos deployment.

Hi WKEIT 

Are you still working with Sophos Support on this one? My case with Support is still open and ongoing. Unfortunately, I have no additional update other than what I already posted on this page. We are still experiencing the random bounced error message from time to time. As a workaround, I just switch to Legacy Mode so the users can send emails to their recipients. I am still running MR1 due to the VPN issue that I encountered after MR2 upgrade.

Hello,

Yes we resolved our issue with support.  Support was able to assist and found that we had two WAN connection, but both were setup as mains instead of active/backup. Some emails were going out on our secondary ISP that was intended as a backup connection.  The IP on the second connection was a dynamic address issued by ISP, which some email servers/services did not like and blocked the emails from getting through. After it failed, it went out on the primary connection and it was accepted, creating the accept/fail/deliver effect.

I see. I am glad you were able to work it out with Support. As for me, I am still working with Level 2 Support and unfortunately we are still unable to determine the cause of the issue.

Hi,

after upgrade to SFOS 17.0.5 MR-5 version, we had the same problem with some outgoing emails, but then I added our Exchange server to "General setting -> SMTP TLS Configuration -> Skip TLS negotiation" the problem has gone.