Can't send email with "Scan SMTP" selected

Just upgraded to SFOS 18.0.1 MR-1-Build396 yesterday and now I'm unable to send emails with "Scan SMTP" selected on the firewall rule that my computers and mobile devices are associated with. Did not have this issue with previous versions, although I will admit email reliability has always been spotty with Sophos XG for me (sometimes emails won't send so I have to try again and it eventually works). This time it's consistent: with "Scan SMTP" selected, I get the following error (using iCloud):

Cannot send message using the server iCloud

Connection to the server "p23-smtp.mail.me.com" on the default ports timed out.

As soon as I disable "Scan SMTP", the emails send just fine.

  • Hi Shred,

    Did you add the 25, 465 and 587 ports to the rule?

    There is also a setting in the CLI about adding 587 to the SMTP scanning proxy which I can't remember exactly.

    ian

  • In reply to rfcat_vk:

    Yes, the correct services are in the firewall rule (SMTP, SMTP(S), POP, POP3, IMAP, IMAP(S)). However, I did not change any settings when I upgraded to Build396 yesterday.

  • In reply to shred:

    Hi Shred,

    my experience

    1/. previously installed the XG CAs (two)

    2/. shutdown and removed the power from my wife's MBP. She runs both outlook and macmail

    3/. Installed the CAs on my new mac mini, they did not transfer from the failing MBP.

    4/. restarted the mac mini

    5/. was seeing intermittent connection failures on one of my mail accounts (I have two with the same ISP)

    6/. iPad deleted all CAs and re-installed the CAs from the new XG version

    7/. deleted the mail accounts from the iPad.

    8/. created mail accounts on the iPad and trusted the mail server a number of times; now all working on the iPad.

    9/. I gave up on the iPhones, because the connection would fail after leaving and returning home. Must try again.

     

     

    Interestingly, during all this exercise with the CAs, the https decrypt and scan has worked on the MBP and mac mini. iPad, not consistent.

     

    Ian

  • In reply to rfcat_vk:

    I currently have SSL/TLS disabled. It's failing with the "Scan SMTP" (not SMTPS) option, so the XG CA certificates should not matter.

     

    Edit: But speaking of XG GA certs, were they ever updated to meet Apple's new certificate/pinning requirements? I know it was fixed in v17.5-MR9 but I haven't seen it in the changelogs for v18.

  • In reply to shred:

    Hi Shred,

    From memory, the SSL/TLS does not apply to the mail proxy, only DPI.

    What I also found was that the mail client became very fussy about which port was in use, so I had to change to port 25 for one ISP.

    What does log viewer show for mail when SMTP scanning is enabled?

    Ian

  • In reply to rfcat_vk:

    Nothing in the logs. This issue seems to be specific to using iCloud (Apple) email.

    With "Scan SMTP" enabled, I cannot send emails from my iCloud account but I can send emails using my Gmail account. I'm using the MacOS Mail client.

    With "Scan SMTP" disabled, I can send emails from both iCloud and Gmail.

     

    I also tried enabling "Scan SMTPS" but I'm still getting pinning certificate errors with iCloud. Has this issue not been resolved in v18? I thought it was fixed in v17 almost 6+ months ago?

  • In reply to shred:

    Hi Shred,

    I am currently not having any pinning issues on the MBP or mac mini.

    Please check the CAs on the XG and delete the expired ones. Most were deleted by Sophos on the last upgrade, but you never know.

    iCloud mail uses port 993, which is IMAPS, for incoming and port 587 with STARTTLS for outgoing.

     

    Ian

  • In reply to rfcat_vk:

    I don't have any expired Sophos CAs. I regenerated the CA anyways and imported the new ones into all of my devices in hopes that the pinning issue with Apple's new requirements was resolved, but I'm still getting the error when trying to use 'Scan SMTPS'. 

    Yeah I have the SMTP(S) service on the firewall rule that applies to my Apple devices which includes port 587.

    As I mentioned above, with 'Scan SMTP' enabled, I cannot send emails using iCloud (timeout error). With 'Scan SMTP' disabled, I can send emails just fine.

  • In reply to shred:

    Hi Shred,

    I wasn't talking about expired Sophos CAs but expired CAs on the XG, there were a number that did cause issues at one stage.

    I found I have been using DPI for my mail scanning, just changed to the proxy, seems to be going okay, but time will tell.

    Ian

  • In reply to rfcat_vk:

    Got it. I don't have any expired CAs on the Sophos XG. Regardless, I don't think that is my issue. As I've mentioned above, I had no issues prior to upgrading to the latest build. No other settings were changed. This is reproducible 100% of the time, so if there are any troubleshooting steps the Sophos team would like me to try, I'd be more than happy to. Otherwise, I'll just leave 'Scan SMTP' disabled for now.
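
The log viewer shows nothing in this thread, so the failing stage has to be found from the client side. The following is an added example, not part of any post above: a Python probe that reports whether a submission session on port 587 stalls at TCP connect, at the greeting, at EHLO, or at STARTTLS, and which CA issued the certificate presented. The function name `probe_submission` and its result keys are made up for this sketch; the host name is the one from the error message in the first post.

```python
import smtplib
import ssl


def probe_submission(host, port=587, timeout=10.0, context=None):
    """Report how far an SMTP submission session gets from this client.

    failed_at is None on success, otherwise one of:
      connect  - TCP connection refused or timed out
      banner   - TCP connected but no valid 220 greeting arrived
      ehlo     - greeting received but EHLO was rejected or the session dropped
      starttls - STARTTLS offered but the upgrade or certificate check failed
    """
    result = {"failed_at": None, "error": None,
              "starttls_offered": None, "issuer": None}
    stage, smtp = "connect", None
    try:
        # The constructor opens the socket and reads the 220 greeting.
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        stage = "ehlo"
        code, reply = smtp.ehlo()
        if code != 250:
            raise smtplib.SMTPHeloError(code, reply)
        # False here means something on the path removed the extension.
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            stage = "starttls"
            # The default context verifies chain and host name, so an
            # untrusted interception CA shows up as a failure at this stage.
            smtp.starttls(context=context or ssl.create_default_context())
            cert = smtp.sock.getpeercert() or {}
            result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
    except OSError as exc:  # smtplib and ssl errors are OSError subclasses
        if stage == "connect" and isinstance(exc, smtplib.SMTPException):
            stage = "banner"  # socket opened, greeting missing or not 220
        result["failed_at"], result["error"] = stage, str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    # Host name taken from the error message quoted in the thread.
    print(probe_submission("p23-smtp.mail.me.com", 587))
```

Run it once with "Scan SMTP" enabled and once with it disabled on the rule, then compare the `failed_at` and `issuer` values between the two runs.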