XG 17.1.0 GA firmware upgrade breaks MTA

I have just tried the upgrade to 17.1.0 GA firmware version, but it breaks MTA.

The main screen comes up with MTA service DEAD.

Tried reverting to Legacy mode and then back to MTA mode, but that didn't work.

In fact, in legacy mode it then reported service SMTPD 'stopped' and one other service I can't recall at the moment.

I see there was a related bug fix in the beta 2 version so thought it would be OK.

But caution if you rely on MTA.

I have reverted to MR8 for now.

  • Hi NH1

    You should console in to Sophos XG and check the MTA log with the command line:

    tail -f /log/awarrenmta.log

    Find the error and troubleshoot.

  • In reply to Huy Vu:

    I did try to manually start the service from the console with "service awarrenmta:start -ds nosync", but it threw an error, a 503 or something like that I think.

    I should have paid more attention but needed the MTA to be working after being down for the upgrade.

    I am no expert, so the reversion to MR8 to get everything working was the best approach. I will wait for a better time before I try again.

    Post was really for the information of others who may also be reliant on MTA.

  • Have you checked the logs in /log/awarrenmta.log during a service restart attempt (i.e. service awarrenmta:restart -ds nosync)? I suspect something might be related to certificates.

  • In reply to UTMGeek:

    For those interested (or who know this stuff better than I), the awarrenmta.log contains the following, which keeps repeating over the period immediately after the upgrade to 17.1 GA.

    As I mentioned, MTA was working fine in MR8, went "DEAD" after upgrade to 17.1 GA, and is fine again after reverting to MR8. I made no changes other than upgrading the firmware.

    .................................................................................................../cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
    awarrenmta: /static/proxy/smtp/mta.conf:22: register_protocol: SMTP : /cfs/proxy/smtp/conf/mta.conf
    Total Pages: 1524862 Pagesize: 4 RAM: 5
    ......................................................................................................./cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
    awarrenmta: /static/proxy/smtp/mta.conf:22: register_protocol: SMTP : /cfs/proxy/smtp/conf/mta.conf
    Total Pages: 1524862 Pagesize: 4 RAM: 5
    ............................................./cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
    awarrenmta: /static/proxy/smtp/mta.conf:22: register_protocol: SMTP : /cfs/proxy/smtp/conf/mta.conf
    Total Pages: 1524862 Pagesize: 4 RAM: 5
    ............................/cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
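
Added example, not part of the original post and not Sophos tooling: a small POSIX shell/awk summary of the failure signature quoted above, so the repeating parse error and the config files it names stand out from the restart noise. The sample log is constructed from the lines in the post (leading dots shortened); the function names are hypothetical, and treating the leading dots as start-up progress output is an assumption.

```shell
#!/bin/sh
# SAMPLE_LOG is constructed from the log lines quoted in the thread.
SAMPLE_LOG='..../cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
awarrenmta: /static/proxy/smtp/mta.conf:22: register_protocol: SMTP : /cfs/proxy/smtp/conf/mta.conf
Total Pages: 1524862 Pagesize: 4 RAM: 5
..../cfs/proxy/smtp/conf/mta.conf: ERROR syntax error
awarrenmta: /static/proxy/smtp/mta.conf:22: register_protocol: SMTP : /cfs/proxy/smtp/conf/mta.conf
Total Pages: 1524862 Pagesize: 4 RAM: 5
..../cfs/proxy/smtp/conf/mta.conf: ERROR syntax error'

# Reads log text on stdin. Prints "syntax_error <count> <path>" for each file
# reported with a syntax error, and "referenced_at <count> <file:line>" for
# each file:line named on the awarrenmta lines.
summarise_mta_log() {
    awk '
        /: ERROR syntax error$/ {
            line = $0
            sub(/^\.+/, "", line)                  # drop leading dots (assumed progress output)
            sub(/: ERROR syntax error$/, "", line) # keep only the path
            bad[line]++
            next
        }
        /^awarrenmta: [^ ]+:[0-9]+: / {
            ref = $2                               # "<file>:<lineno>:"
            sub(/:$/, "", ref)
            refs[ref]++
        }
        END {
            for (p in bad)  printf "syntax_error %d %s\n", bad[p], p
            for (r in refs) printf "referenced_at %d %s\n", refs[r], r
        }
    '
}

# Exit status 0 when the parse failure appears at least twice (a restart loop
# rather than a one-off), 1 otherwise. Reads log text on stdin.
mta_conf_broken() {
    n=$(summarise_mta_log | awk '$1 == "syntax_error" { s += $2 } END { print s + 0 }')
    [ "$n" -ge 2 ]
}

printf '%s\n' "$SAMPLE_LOG" | summarise_mta_log
```

On a copy of the real log, the same functions can be fed with `summarise_mta_log < awarrenmta.log`; whether awk is available on the appliance console itself is not something the thread states.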

  • In reply to NH1:

    We have encountered the same problem. Reverted to MR8.

  • In reply to Michael Štěpař:

    This might be related to issues with certs especially if using the appliance CA (SecurityAppliance_SSL_CA) instead of a server certificate.

    One thing to try is to regenerate the CA on XG and reboot the appliance.

    From Webadmin > System > Certificates > Certificate Authorities > SecurityAppliance_SSL_CA (click on icon next to this CA to regenerate)

  • In reply to FHF:

    We are using letsencrypt

  • In reply to FHF:

    I am using a paid commercial SSL certificate.

  • Hi, same problem: MTA is dead. I have Exchange 2016 and Let's Encrypt certificates.

  • In reply to J Z:

    We also use MTA.

    Is it not recommended to update to this firmware 17.1.0 GA?

    What are Sophos support saying about this issue?

  • In reply to CCMF_FW:

    I think we shouldn't upgrade to 17.1.0 GA until Sophos resolve this issue

  • In reply to Huy Vu:

    For those of you reliant on MTA, I have now upgraded to 17.1 GA successfully.

    It was fixed as suggested above, by going into certificates and regenerating the CA for the Appliance SSL certificate, and then rebooting.

    And of course, if it doesn't, the 'revert' option worked very well for me to go back to MR8 while I was waiting for a solution.

    So I would suggest you could go ahead and try the upgrade, but allow yourself some "offline" time to do the extra steps.

    Hopefully Sophos can automate this as part of future upgrades.

  • Hi  

    To update this thread for our community:

    Apologies for the inconvenience caused by this. A KB article has been released to outline what to do to resolve this issue.

    Sophos XG Firewall v17.1: How to workaround the issue when MTA service is in DEAD state after firmware upgrade

    Regards,

  • In reply to FloSupport:

    We just updated our firmware this past weekend to XG230 (SFOS 17.0.8 MR-8) and discovered this issue. In our case both SMTPD and MTA are "dead". We are not currently using either of those services (G Suite shop) but still don't like the dead services filling up the logs. 

    I just attempted the fix suggested here but MTA won't restart (503 service failed) despite regenerating SecurityAppliance_SSL_CA.

    Please advise.