Email Smart Host not working?

I have tried to set up the outgoing email Smarthost in Email > General Settings and then tried to test it.

I configured one of the mail servers to use the XG box as a smart-host rather than the ISP smart host.  I also configured XG using the tickbox "use smarthost" and configured the smarthost as it was configured in the mail server.  I also remembered to update the device-access table so the mail server was allowed SMTP relaying.

I then sent a test email through the mail server which then tried to send it using XG.

The test email (tested 3 times), would sit in the Mail Spool as Queued and then change to Failed.  I tried retrying each email about 5 times before deleting it, each retry was no success. 

I then reverted the mail server outgoing smart host back to the ISP smart host (which it was on previously) and retried sending the email.  This worked perfectly.

My XG is in MTA mode, with 2 incoming SMTP profiles that are working well.
I upgraded from 16.05MR7 to 17-Beta1 without any issues and everything seems to be working as expected.

The smart-host only requires a connection to the host on port 25 and does not require any authentication (it is the ISP smarthost and they use other security to only allow relaying from systems connected to their services).

 

Thanks

Ian

  • It works on my end. My smarthost requires port 587 along with authentication. Double check your ISP requirements on their incoming SMTP connections. 

    Your ISP is allowing relay from their IP pool without authentication, which is fine. Wish the logging was more verbose on XG to actually see what's going on.

     

    EDIT: You can try going through awarrenmta.log in /log directory but there is a lot of clutter with messages of ciphers etc...

    tail -f awarrenmta.log may give you some hints if you want to retest.

  • In reply to Billybob:

    Hi,

    Please run mta service in debug mode: service awarrenmta:debug -d -s nosync

    And share the awarrenmta.log

  • In reply to Billybob:

    Thanks for the suggestions.

    I have been using the ISP smart host on the upstream mail server for about 18 months now (it doesn’t have very good AV integration).

    I copied all of the settings from that server and checked them against published configuration with no luck.

    Putting those settings back into the upstream mail server worked so it wasn’t a settings issue unfortunately!

  • In reply to deeptibhavsar:

    I will do this and let you know the results.

    Thanks

  • In reply to Ian Rogers:

    Hello Ian

    I use the smart host feature for relay with Port 25 to my upstream e-mail delivery service, also authentication is configured - it works well on my side.
    My Sophos is running on a VM (KVM) system.

    I enabled SMTP relay functionality on the WAN Interface via System -> Administration -> Device Access, but no further rule was needed to send E-Mail outbound.

    My Setup looks like:

    LAN (Mail clients) ----- FW-DMZ ------ Mailserver ------ FW outbound in MTA mode ------ Internet with upstream delivery service

    The mail clients send mail to the Mailserver sitting in the DMZ, the Mailserver sends mail to the Sophos Mail MTA, and the Mail MTA sends mail via the smart host to the upstream service.

  • In reply to Billybob:

    Hi, I have a similar issue. I updated two Sophos XG 16 to 17 Beta 1. On both I have the problem that when I activate the smarthost, all mails are bounced.

    If I use the same smarthost settings for Notification (Administration - Notification Settings), I can send my notifications. But not if I use the Internal Mail Server option with Smarthost Enabled.

     

    Any ideas?

     

    Thanks

  • In reply to StefanBoldt:

    Hi StefanBoldt ,

    csc custom debug

    take logs /log/csc.log /log/cschelper.log

     

    You can use the command below to copy them to a Linux machine

    SG135_XN01_SFOS 17.0.0 Beta-1# scp <Source_File> <Username>@<server_ip>:<Destination_Folder>/

    SG135_XN01_SFOS 17.0.0 Beta-1# scp applog.log qa@10.198.36.170:r/

    You can also copy the logs from screen

  • In reply to deeptibhavsar:

    Hi StefanBoldt,

    Meanwhile, please share your setup details and firewall configuration details.

    Also check the drop-packet-capture when you are sending mail with the smart host enabled.

  • In reply to deeptibhavsar:

    deeptibhavsar

    Hi,

    Please run mta service in debug mode: service awarrenmta:debug -d -s nosync

    And share the awarrenmta.log

    I have sent a PM with regards to where you want the awarrenmta file sent

  • In reply to Ian Rogers:

    I think this section may be pertinent to the issues:

    ERR   Oct 05 21:06:29 [T___WORKER]: ct_do_work: write failed: Connection refused
    MSG   Oct 05 21:06:29 [0xc0000075]: spam scanning failed,unable to connect local ctasd
    INF   Oct 05 21:06:29 [T___WORKER]: matchpolicy: sender profile is avail
    INF   Oct 05 21:06:29 [0xc0000075]: SCANCONTENT AV: 4 TFT: 0 DLP: 0 SANDSTORM: 0
    ERR   Oct 05 21:06:29 [T___WORKER]: ensure_avd_connection(): connect_to_av_server() failed
    ERR   Oct 05 21:06:29 [0xc0000075]: VirusScan: Failed for Session c0000075
    MSG   Oct 05 21:06:29 [0xc0000075]: S='###SENDERADDRESS###' R='###RECEIVERADDRESS###' subject='Test' Size='3657' Status='Mail delivery failure. Could not connect to Anti-Virus Service.'

     

    If you need the rest of the file, please let me know
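
The excerpt above can be reduced to a per-session failure summary with a short script. This is an added example, not part of the thread or of Sophos tooling; the function name `summarise` is hypothetical, and attaching `[T___WORKER]` errors to the next session-tagged line is an assumption drawn only from the ordering visible in the excerpt.

```python
import re

# Sample input: the log lines quoted in the post above, placeholders unchanged.
SAMPLE = """\
ERR   Oct 05 21:06:29 [T___WORKER]: ct_do_work: write failed: Connection refused
MSG   Oct 05 21:06:29 [0xc0000075]: spam scanning failed,unable to connect local ctasd
INF   Oct 05 21:06:29 [T___WORKER]: matchpolicy: sender profile is avail
INF   Oct 05 21:06:29 [0xc0000075]: SCANCONTENT AV: 4 TFT: 0 DLP: 0 SANDSTORM: 0
ERR   Oct 05 21:06:29 [T___WORKER]: ensure_avd_connection(): connect_to_av_server() failed
ERR   Oct 05 21:06:29 [0xc0000075]: VirusScan: Failed for Session c0000075
MSG   Oct 05 21:06:29 [0xc0000075]: S='###SENDERADDRESS###' R='###RECEIVERADDRESS###' subject='Test' Size='3657' Status='Mail delivery failure. Could not connect to Anti-Virus Service.'
"""

# LEVEL, timestamp, [tag], message -- layout inferred from the excerpt.
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]{3})\s+(?P<ts>\w{3} \d{2} [\d:]{8}) "
    r"\[(?P<tag>[^\]]+)\]: (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"Status='([^']*)'")


def summarise(log_text):
    """Return {session_tag: {"errors": [...], "status": str or None}}."""
    sessions = {}
    pending = []  # worker-thread errors not yet tied to a session
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # cipher chatter and other lines in a different layout
        level, tag, msg = m["level"], m["tag"], m["msg"]
        if not tag.startswith("0x"):
            if level == "ERR":
                pending.append(msg)
            continue
        entry = sessions.setdefault(tag, {"errors": [], "status": None})
        entry["errors"].extend(pending)  # assumption: they belong to this session
        pending.clear()
        if level == "ERR":
            entry["errors"].append(msg)
        status = STATUS_RE.search(msg)
        if status:
            entry["status"] = status.group(1)  # final delivery verdict
    return sessions


if __name__ == "__main__":
    for tag, info in summarise(SAMPLE).items():
        print(tag, info["status"], info["errors"], sep="\n  ")
```
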

  • In reply to Ian Rogers:

    Hi Ian,

    Thank you for the logs. Detailed logs would be great, already asked for the info on PM

    Thank you

  • In reply to deeptibhavsar:

    Apologies for the delay. 

     

    Log files just sent.

  • In reply to Ian Rogers:

    Hello,

     

    Just an update:

    * I have tried with RC1 installed and there is no change.

    * I have installed another copy of the mail server temporarily to test the smart host/mail relay functionality.
    This was effectively configured as per the ISP (Allow Relay for specific IP on Port 25, no authentication required).  XG relayed the email correctly through this 'smarthost'

    * Device Access page is configured to allow SMTP from WAN and LAN addresses.

    * The main mail server happily delivers to the ISP SMTP relay using port 25, ISP IP pool authentication and FQDN address for the server bypassing the XG relay service. (there are no IPv6 Addresses for the ISP relay as I have HE tunnelbroker running for IPv6) 

     

    **EDIT**

    * I have just tried a different internet based SMTP smart host (I can access using a terminal connection), but I get the same failure message.  This was using port 25 and username/password authentication. They also allowed TLS on 587, and SSL on 465.  Neither of which worked either.

    * I have just tried the same Smart Host using its IP Address rather than FQDN with no luck.

     

    I hope this helps

    Ian

  • In reply to Ian Rogers:

    Hi Ian,

    Thank you for sharing the details and for the extended help.

    We found that, in Email General Settings, for SMTP "Allow Invalid Certificate" is disabled, and the certificate coming from the smart host to the appliance is a self-signed certificate, which is being denied as per the configuration.

    You can import the CA into the appliance to resolve the issue.

    The other thing we found is that some of the mail servers connecting to the appliance MTA are coming with TLS 1.0. We have disabled TLS 1.0 by default in SFOSv17, to make the security strong and remove weak version compatibility (NC-21678).

    Yes, we are making improvements to strengthen logging, so the admin can find out the mail drop reason (NC-17262), and this is planned to be fixed in SFOSv17 MR1.

     

    Regards,

    Deepti Bhavsar
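
The two conditions named in the reply above (a smart host certificate that fails validation, and the TLS version in use) can be checked from any host that can reach the smart host. The following is an added example, not part of the thread or of SFOS; `probe_smarthost` and the EHLO name `probe.example` are hypothetical, and validation uses the local system trust store rather than the appliance's.

```python
import smtplib
import ssl


def probe_smarthost(host, port=25, timeout=10.0):
    """Report STARTTLS support, certificate validation and TLS version."""
    result = {"starttls": False, "cert_ok": None,
              "tls_version": None, "error": None}
    smtp = None
    try:
        # Fixed EHLO name avoids a local FQDN lookup (assumed placeholder).
        smtp = smtplib.SMTP(host, port, local_hostname="probe.example",
                            timeout=timeout)
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            # Default context verifies the chain and the hostname, so a
            # self-signed certificate fails here unless its CA is trusted.
            smtp.starttls(context=ssl.create_default_context())
            result["cert_ok"] = True
            result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.3"
    except ssl.SSLCertVerificationError as exc:
        result["cert_ok"] = False
        result["error"] = exc.verify_message
    except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
        # Handshake failures (such as no shared protocol version),
        # refused connections and SMTP protocol errors end up here.
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_smarthost(sys.argv[1]))
```

A result with `starttls` false means the server offers only a plain connection on that port; `cert_ok` false with a self-signed message matches the rejection described in the reply.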

  • In reply to deeptibhavsar:

    Thank you for this.

     

    Is there a requirement to use SSL/TLS on this smart host?

     

    The previous smart host I tried did not allow any encryption at all and had to be a basic connection?

     

    Will there be any option to select what encryption is to be used for the smart host?

     

    Thanks

     

    Ian