XG18: MTA mode and port 465/587 for TLS/SSL Email protection

Hi all,

On my XG18 (with default config) I can send emails from LAN to Sophos MTA only on port 25. 

How can I set up XG18 to receive emails over TLS/SSL on port 465 or 587?

The Sophos MTA seems to be listening only on port 25.

Thanks a lot.

Many greetings
Felix

  • Hi

    You may add the command below for port 587.

    console> set service-param SMTP add port 587

    MTA support on port 465 has been identified as a feature request.

    You may raise a feature request or thread on our idea portal (https://ideas.sophos.com/).

  • In reply to Vishal_R:

    Hi Vishal,

    Thanks for your quick reply.

    Unfortunately, it doesn't work. I cannot connect to the MTA on port 587, regardless of whether I use SMTP or SMTP-SSL.

    Any further ideas?

    Thanks a lot.

    Many greetings
    Felix


    console> show service-param
    Service Ports
    ------- -----
    SMTPS 587
    ------------------------------------
    Other Configurations:
    HTTPS invalid-certificate: block
    HTTPS deny_unknown_protocol: off
    SMTPS invalid-certificate: allow
    MTA mta mode: on
    MTA auth relay: on
    SMTP notification-port: 25
    SMTP strict-protocol-check: off
    SMTP Failure notification: on
    ------------------------------------

  • In reply to FelixSteinbeis:

    Hi

    There is a minor correction to the command.

    Please revert the previously applied command with this one: console> set service-param SMTPS del port 587

    Please use this one: console> set service-param SMTP add port 587

    Also ensure the auto MTA rule has the SMTPS service with port 587 added to the rule.

  • In reply to Vishal_R:

    Hi Vishal_R,

    Thanks again.

    I have deleted SMTPS port 587 and added SMTP port 587. The rules are as in your screenshot.

    Now I can connect to port 587, BUT only with SMTP or SMTP STARTTLS.

    What I want is to connect SMTP directly over TLS/SSL.

    Any other possibility/settings?

    Thanks a lot.
    Felix

  • In reply to FelixSteinbeis:

    Hi

    By default the MTA listens on port 25 (for plain and STARTTLS). As you added port 587 via the CLI command, it started listening on 587 as well for STARTTLS.

    Port 465 (direct TLS) is not supported in MTA mode.
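A way to check the behaviour described in the reply above on your own firewall: the probe below tells you, per port, whether a listener speaks TLS immediately (465-style implicit TLS), advertises STARTTLS after EHLO (25/587-style), talks plain SMTP only, or is not listening. This is an added example, not code from the thread or from Sophos; the host name probe.example, the ssl_bypass of certificate checks and the fake MTA are constructed for offline testing, and you would point probe_smtp_port at the XG's LAN address instead.

```python
import socket, ssl, socketserver, threading

def _read_reply(sock):
    """Read one SMTP reply (single or multi-line); its last line has "NNN " not "NNN-"."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        buf += chunk
        lines = buf.split(b"\r\n")
        if not chunk or (len(lines) >= 2 and lines[-2][3:4] == b" "):
            return buf.decode(errors="replace")

def probe_smtp_port(host, port, timeout=3.0):
    """Return 'implicit-tls', 'starttls', 'plain' or 'closed' for host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # behaviour, not cert
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:  # 1) implicit TLS (465-style): the TLS handshake comes before any banner
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            _read_reply(tls)
            return "implicit-tls"
    except OSError:  # ssl.SSLError and socket.timeout are both OSError subclasses
        raw.close()
    try:  # 2) clear-text session: does EHLO advertise STARTTLS (25/587-style)?
        with socket.create_connection((host, port), timeout=timeout) as s:
            _read_reply(s)
            s.sendall(b"EHLO probe.example\r\n")
            ehlo = _read_reply(s)
            s.sendall(b"QUIT\r\n")
        return "starttls" if "STARTTLS" in ehlo.upper() else "plain"
    except OSError:
        return "closed"

class _FakeMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for a clear-text MTA; advertises STARTTLS only if configured."""
    def handle(self):
        self.wfile.write(b"220 mta.example ESMTP\r\n")
        for line in self.rfile:
            if line.upper().startswith(b"EHLO"):
                ext = b"250-STARTTLS\r\n" if self.server.starttls else b""
                self.wfile.write(b"250-mta.example\r\n" + ext + b"250 SIZE 10240000\r\n")
            elif line.upper().startswith(b"QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return

def start_fake_mta(starttls):
    """Start the fake MTA on 127.0.0.1 at an ephemeral port and return that port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeMTA)
    srv.daemon_threads, srv.starttls = True, starttls
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Against an XG in MTA mode with the thread's configuration, probing 25 and 587 should report starttls and 465 should report closed; a starttls result on 587 is the expected outcome, not a misconfiguration.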

  • In reply to Vishal_R:

    Hi Vishal_R,

    Thanks for your answer.

    Then it seems it works as designed.

    Is Port 465 with direct TLS coming soon?

    In this KB article from 20 Feb 2020 (community.sophos.com/.../123118) I find the following information:

    "Sophos XG Firewall inspects all SMTPS traffic over these standard ports by default:

    Port 25/587 for STARTTLS ESMTP extension
    Port 465 for SSL/TLS on SMTP"

    So I thought that's currently working.

    Many greetings
    Felix

  • In reply to FelixSteinbeis:

    Hi

    The KBA which you are referring to is related to XG deployment in "Transparent Proxy". So I will submit a request to the KB team to add details to that KBA about the XG mail proxy or service deployment mode to avoid confusion.

    In MTA mode, the currently supported/listening port details are as per my last comment.

  • In reply to Vishal_R:

    Hi Vishal_R,

    Thank you!

    Many greetings
    Felix