Wrong public IP address is used for email communication - MTA

Hello everyone,

We use a Sophos XG230 at a customer. At the moment, we have big problems with email communication over the Sophos. I will try to explain it:

The internal Exchange server sends all emails through the firewall to the internet. The Sophos XG is configured as MTA. The Sophos has one WAN interface (Port 2), which looks like this:

We connect via PPPoE and we have an IP address on this interface; for explanation, I will use a simple example address: 1.1.5.5

We also have three other IP addresses on this interface: 1.1.10.1, 1.1.10.2, 1.1.10.3 (Port2.0, Port2.1, Port2.2)

The IP address 1.1.5.5 is used e.g. for web surfing. For emailing, we have the firewall policy "Auto added firewall policy for MTA". In this policy, under "routing", we configured "rewrite source address (masquerading)" and "use outbound address": "WAN-IP-1.1.10.2". The MX record for the customer domain (exchange.customer.de) also points to this IP address (1.1.10.2).

The problem is:

Sometimes, the right IP address (1.1.10.2) is used for the email communication. But sometimes, the wrong IP address is used (1.1.5.5). The email leaves the firewall with this wrong IP address and the destination mail server rejects these emails. The email sender (our customer) gets a non-delivery report, and in the mail logs we can see this email with the status "bounced". When I mouse over this status, the following information is shown:

R=default_mx_router T=remote_smtp H=mail.<destination-domain>.<TLD> [<IP address of the destination mail server>]:25 I=[1.1.5.5]:39672 ><…………other information………..>: SMTP error from remote mail server after end of data: 550 Administrative prohibition

If the customer sends an email to me and I check the mail logs on our firewall, I can see the same:

Sometimes, the customer email comes from the correct IP address 1.1.10.2, but sometimes from the IP address 1.1.5.5.

We already contacted the support, but none of us can find the error. I really hope that one of you can help us with this problem. It's very urgent, because there are a lot of emails which get the status "bounced" because of this error.

If you need some other information, please tell me.

Thank you very much!
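
One way to measure how often mail leaves from the wrong address, as an added example that is not part of the original post: it scans delivery lines in the format quoted above for the local interface field `I=[...]` and lists every outbound SMTP delivery that did not use the expected source address. The sample log lines, destination hosts and function name are constructed for illustration; the two local addresses are the post's example values.

```python
import re
from collections import Counter

# Assumption: the address the MTA rule is supposed to masquerade as
# (the post's example value, which is also the MX target).
EXPECTED_SOURCE = "1.1.10.2"

# Delivery fields as they appear in the bounce detail quoted above:
# T=<transport> H=<host> [<remote ip>]:<port> I=[<local ip>]:<local port>
FIELD_RE = re.compile(
    r"T=(?P<transport>\S+)\s+H=(?P<host>\S+)\s+\[(?P<remote>[^\]]+)\](?::\d+)?"
    r"\s+I=\[(?P<local>[^\]]+)\]:(?P<lport>\d+)"
)
ERROR_RE = re.compile(r"SMTP error .*?: (\d{3}) ")

# Constructed sample lines (not taken from a real log); remote hosts use
# documentation-only names and addresses.
SAMPLE_LOG = """\
R=default_mx_router T=remote_smtp H=mail.example.org [192.0.2.25]:25 I=[1.1.10.2]:41822 C="250 OK"
R=default_mx_router T=remote_smtp H=mail.example.org [192.0.2.25]:25 I=[1.1.5.5]:39672: SMTP error from remote mail server after end of data: 550 Administrative prohibition
R=default_mx_router T=remote_smtp H=mx.example.net [198.51.100.7]:25 I=[1.1.5.5]:40110 C="250 OK"
R=local_router T=local_delivery
"""


def audit_source_ips(log_text, expected=EXPECTED_SOURCE):
    """Return (deliveries per local source IP, deliveries from an unexpected IP)."""
    counts = Counter()
    mismatches = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = FIELD_RE.search(line)
        if not m or m["transport"] != "remote_smtp":
            continue  # not an outbound SMTP delivery, or no interface logged
        counts[m["local"]] += 1
        if m["local"] != expected:
            err = ERROR_RE.search(line[m.end():])
            mismatches.append({
                "line": lineno,
                "source": m["local"],
                "host": m["host"],
                "smtp_error": err.group(1) if err else None,
            })
    return counts, mismatches


if __name__ == "__main__":
    counts, bad = audit_source_ips(SAMPLE_LOG)
    print(dict(counts))
    for entry in bad:
        print(entry)
```

Deliveries that left from the wrong address but were still accepted show up with `smtp_error` set to `None`, which gives the full extent of the mis-routing rather than only the bounced messages.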

  • Hi,

    Thank you for the detailed post. It would be great if you could message us the service request number which you have opened with the support; I will check the history of the case and the findings from the support team.

  • Do you already use V18? Because in V18, you could easily build an SMTP SNAT rule to force the XG to use the correct IP.

    In v17, you have to build an SMTP Business Application Rule with SNAT.