Cannot use Exchange rules to redirect messages from my Exchange to external contacts - Sophos Central Email Gateway

Hello everyone,

All our external e-mails are received and sent by Sophos Central Email gateway, and after that it delivers the messages. This is working normally, as we expect. But a few days ago we started facing something strange: when we make a rule on our Exchange Server to redirect messages received from an internal client to an external contact (for example: user@internaldomain.com forward to contact@externaldomain.com), we receive a message from Sophos like this:

I will try to translate:

 

Your message was not delivered because of security or safety issues. It may have been rejected by a moderator, you may only receive emails from certain senders, or another restriction prevented a delivery.
The following is an organization that rejects your message: relay-us-east-2.prod.hydra.sophos.com.

Diagnostic information for administrators:
Generating server: "our server name" Total retry attempts: 1

user@externaldomain.com
relay-us-east-2.prod.hydra.sophos.com
Remote Server returned '550 5.7.1 Rejected command'

Looks like the message goes to Sophos and Sophos rejects it. We don't know how to resolve this.
If we send a message from user@internaldomain.com to contact@externaldomain.com, the contact receives the message. If the message is from inside my organization the redirect works, if the message is from outside my organization, the redirect does not work.

The problem occurs only when we use rules on our Exchange.

Thanks.

Marcelo.

  • Hi  

    If you are still facing this issue, I would request you to contact our support with the actual bounce email that you received along with the sent mail. If you already have, please do DM me so that I can follow up on it.

  • Hi Marcelo,

    We are experiencing a similar problem ever since April 1st. Let me see if I can explain. We are using SOPHOS email for incoming and outgoing filtering. We have a shared mailbox (shared@ourdomain.com) on Exchange Online that is set to forward to an external contact (external@theirdomain.com). We set this up within the Exchange administrator, NOT within the mailbox settings. When someone internal (joe@ourdomain.com) sends an email to this shared mailbox (shared@ourdomain.com), Exchange will forward it to external@theirdomain.com and it works great. This is how it should work and this is how it IS working. However, the problem comes when someone from OUTSIDE of our domain sends an email to this shared mailbox. For example, customer@gmail.com sends an email to shared@ourdomain.com. Sophos shows the email was delivered successfully to shared@ourdomain.com, but then it disappears. I changed the forwarding so that it would leave the forwarded messages in the shared@ourdomain.com mailbox while still attempting to forward. That was when I discovered an NDR error message. It's giving a Status code: 550 5.7.1 Command rejected.

    At this point I am not completely sure that it is SOPHOS that's causing it, but the error looks similar to when SOPHOS doesn't have a mailbox set up for a user and they try to send through it. I did confirm that shared@ourdomain.com is set up. That was when I saw this post and now I am wondering if it is SOPHOS, being that there was a recent update this week and others with SOPHOS are having a very similar issue.

    I wanted to post here so the OP and others were aware that they weren't the only ones with the issue.  I will also continue to troubleshoot and submit a ticket to SOPHOS support as well.  Hopefully there is a simple fix or workaround.

    Thanks.

  • In reply to Isaac R:

    Hello Isaac.

     

    The problem is the way that Exchange server redirects the messages. If I check the e-mail headers, for example for an e-mail sent from GMAIL to us, the message was delivered internally and the rule to redirect does not work. After viewing the header of the return e-mail with the "Status code: 550 5.7.1 Command rejected", the message had an SPF error: the message was from GMAIL and the IP that was trying to deliver the message was mine - Sophos E-mail Gateway "thinks" that GMAIL was trying to send e-mails from our IP. Because of this, the messages were rejected by Sophos.

    We have not found a solution for this case.

    I had to create a secondary relay and send some e-mails to this external domain by it. Our rule to redirect e-mail was only to a single domain (from x to y).

    Exchange Server 2013. With other versions we do not know if it happens.

     

    Sorry about the English.

    Marcelo.
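
The SPF mismatch described in the post above, shown as an added example that is not part of the original thread and not Sophos's own logic: a simplified SPF check (only the `ip4`, `ip6` and `all` mechanisms) run against constructed policies and documentation IP addresses. The domains `gmail.example` and `ourdomain.example`, the IPs and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed SPF policies standing in for DNS TXT lookups (assumed values).
SPF_RECORDS = {
    "gmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "ourdomain.example": "v=spf1 ip4:203.0.113.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ORG_IP = "203.0.113.10"  # constructed: the IP our Exchange relays from


def check_spf(mail_from, client_ip, records=SPF_RECORDS):
    """Check client_ip against the SPF policy of the envelope sender's domain.

    Simplified: mechanisms other than ip4/ip6/all (include, a, mx, ...) are skipped.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def scenarios():
    """SPF result for each mail flow discussed in the thread."""
    return {
        # Internal sender, redirected: envelope domain and relay IP agree.
        "internal_redirect": check_spf("joe@ourdomain.example", ORG_IP),
        # External sender, redirected with the original envelope sender kept.
        "external_redirect": check_spf("customer@gmail.example", ORG_IP),
        # Same message if the forwarder rewrote the envelope sender to its own domain.
        "external_rewritten": check_spf("shared@ourdomain.example", ORG_IP),
        # The original message arriving directly from the sender's own servers.
        "external_direct": check_spf("customer@gmail.example", "198.51.100.7"),
    }


if __name__ == "__main__":
    for flow, result in scenarios().items():
        print(f"{flow}: {result}")
```

Only the flow that keeps the external envelope sender while leaving from the organization's IP evaluates to `fail`, which is the combination the post describes.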

  • In reply to Marcelo Gladzik:

    Hi Marcelo,

    Can you let me know how you routed those specific emails through the secondary relay?

    I'm having the same exact issue with no help from the support.

    Thanks.

  • In reply to Marcelo Gladzik:

    We now have the same issue, Marcelo. Once we started sending outgoing email thru SOPHOS Central, delivery to all external recipients that are configured in distribution groups appears to get rejected by the recipients' email systems. Bypass SOPHOS on outgoing email and it works perfectly fine. So the recipient systems are rejecting external "Grouped" recipients due to something that is taking place in SOPHOS.

    This is Exchange 2010 on-premise routing thru SOPHOS UTM email proxy and then thru SOPHOS CENTRAL. All works great until we set SOPHOS CENTRAL as upstream gateway for outgoing. I might add that if we send directly to individual external contacts, delivery to that contact seems to succeed. It only appears to be distribution group related.

    I do not see this as an Exchange or Recipient issue. This is a SOPHOS issue.

    What is the solution for this other than not use SOPHOS?

  • In reply to Jon Lockwood:

    Hi Jon.

    I did not have a solution from Sophos support. They said to me that the way that Exchange was redirecting the messages was wrong (I think the e-mail header), so Sophos Central rejects the message. My solution was to create a secondary send connector to relay messages from my internal domain to a specific external domain.

    After that I could use the Exchange rules to redirect from internal@localdomain.com to external@externaldomain.com.

    This is a strange behavior from Sophos.

  • In reply to Marcelo Gladzik:

    Appreciate the fast response Marcelo.

    I do not mean to come off rude at all; however, that response from SOPHOS is complete &^$&*^%^$... I think you know what I mean. What they are essentially saying, without saying it, is that our product cannot properly handle this because we have not really thought it thru. External recipients and groups have existed forever.

    To simply say that the way exchange is redirecting messages is wrong is a cop-out. The recipient systems in our case have no issue with the exchange redirects. Bypass SOPHOS and end-to-end delivery is not a problem... What SOPHOS does in-between is the problem.

    To be clear here, I have been using SOPHOS (Previously Astaro) products for more than a decade. I think they are headed in the right direction with SOPHOS Central though it is FARRRRR from being a polished product.

    My email organization is Exchange 2010 on premise. I route all outgoing email thru a SOPHOS UTM email proxy/gateway as a layer of security at the perimeter. I set the UTM to use SOPHOS CENTRAL as its outgoing SMTP path. If I just use Exchange and/or the UTM for delivery there is no issue, so clearly there is nothing wrong with how Exchange is redirecting the messages. The UTM has no issue with it. More importantly, the recipients' email systems have no problem with it.

    The suggestion by SOPHOS to bypass all outbound security for any DNS namespace that happens to be part of an external contact group is a really poor and disingenuous answer. We need to hold SOPHOS to a higher standard. Rather than they convince us to subvert ours... After all, we pay the bills.

     

    Cheers

  • In reply to Jon Lockwood:

    Hi  

    Sorry for the inconvenience caused! Could you please message us the service request number you have opened with the support?

  • In reply to Keyur:

    We have this in under CASE ID 9852394.

     

    Cheers!

  • In reply to Jon Lockwood:

    Hi  

    Thank you for sharing the case ID, I will check the details further.

  • In reply to Keyur:

    Is there any update on this? We are experiencing the same issue and it looks like it just started 3 weeks ago. This was working fine all year.