External Mail Server secured over XG Firewall

Hi

There is a Sophos document (Pocket Guide), "Protect Cloud-hosted Email Server (MTA Mode)", which I studied, but I have a few understanding problems. I think it isn’t only the difference between V17 and V18 of SFOS on the XG Firewall.

I have a collection of different domains from the past. These are personal and business ones. To collect them in one place I set up a “privat.local” mail server, which is also my domain within the LAN area.

My mails from provider 1 are only on the servers of this provider, with a lot of SPAM.

I want to transfer all incoming mails over my firewall before they arrive at the mail server of provider 1.

Short network plan:

Net Base Mail Situation.pdf

The first step is already done, with the change of the MX record. I have two records with different priorities. The highest is the WAN address on my firewall.

In the pocket guide as shown above there are 6 steps to do this for cloud-hosted email servers. I think this is the same for a normal email provider.

Step 1:   Switch to MTA Mode -> Is standard on my FW

The auto-added firewall rule for SMTP/SMTPS is active

Step 2:   Enable SMTP Relay from WAN -> was ON and no mails went through to my mail provider, so I switched it back.

Step 3:   Configure SMTP TLS Certificate -> seems to be an understanding problem
I downloaded the PEM and KEY data from my provider for mail.privat.com. It is signed with “Let's Encrypt” as the authority. With this certificate I get a red X by the Authority. I would interpret that the certificate authority is missing.

I found one with the filter “let”, but it is called differently.

I have on my provider side 3 types of certificate: the CRT (PEM), the KEY and the CABUNDLE.

IS THAT CORRECT THAT I HAVE TO ADD THE “CABUNDLE” TO THE “CERTIFICATE AUTHORITY”?

Step 4:   Configure Global Email Settings -> I have here just added my SMTP hostname; the rest is standard Sophos.

SMTP TLS configuration should be clear. I used my own provider hostname certificate.

Step 5:   Scan and Filter Inbound Emails -> In the SMTP policy I used my personal domain (private.com) located at my provider. I also have a business domain (business.com).

In the general settings of the email only 1 SMTP hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list, if I route with the MX RECORD?

The spam and malware protection is not relevant at the moment.

Step 6:   Scan and Filter Outbound Emails -> This point I don’t understand. I already have an external mail server, and the connection to this server with Outlook already works without setting these parameters. It could also be that this is just for a cloud-based mail server, or is there a misunderstanding on my side?

Thanks

Wolfgang

  • Hello Wolfgang,

    Thank you for contacting Sophos Support.

    Step 1 MTA should be the default, which also created the default MTA firewall rule.

    Step 2 You would need to enable SMTP on WAN if you want the XG to be able to accept and relay email.

    Step 3 If you hover over the X it should tell you which CA is missing. Also, try adding the bundle if the CA is already in the XG.

    Step 4 Looks good to me.

    Step 5 Yes you can add more domains to the Protected domain lists 

    Step 6 This setting is for outbound email, usually, you would add here your internal Email Server (Exchange) so the XG knows that this host is authorized to relay email outbound (Don't set ANY as this would cause your XG to be an Open Relay to anybody)

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel

    Step 3 is now solved. I added the CA bundle as PEM to the CA as Let's Encrypt and now I get the green OK sign.

    So far everything is ok.

    I set the SMTP relay on "Device access" for the WAN port, and for my privat.com mail account the mails get queued and are visible in "Mail spool".

    There the message has the status "Queued" and after a time it gets the status "Failed". That means the mail will not be sent to my mail account at privat.com.

    Just to clarify:

    At PROTECT > Email > General settings, SMTP settings, my personal mail account is set as the SMTP hostname,

    and in the SMTP TLS configuration the TLS certificate is set to my personal domain certificate "aaaPRIVAT". In the POP and IMAP TLS configuration only "SecurityApp..." is selectable.

    My SMTP policy looks as described in my first post. I just added on "Protected domain *" an address group with the domains privat.com and business.com and activated "Spam protection" and "Malware protection". I think the protection works, because one mail was already marked with the prefix "[SPAM]".

    From my point of view, everything should be ok. The only part which isn't really clear is the "Relay settings".

    Are the Relay settings just for *.local (LAN Area) relays or also for WAN -> XG Email -> WAN transactions?

     

    On the automatically set FW rule for SMTP/SMTPS a NAT rule is placed with SNAT on MASQ; the rest is blocked from change.

    Thanks Wolfgang

  • Hello Wolfgang,

    Thank you for the follow-up.

    Basically that option is for hosts and networks that can use the XG as a mail relay.

    In other words, who can connect to the XG and send emails through MTA mode.

    For example at home, I have my Exchange server 10.10.10.100, so this is the IP I use there.

    People who use O365, for example, would need to put in the IPs of O365 so O365 can relay email through the XG, so the email flow for outbound would go:

    O365 >> XG >> outbound domain.

    For the issue with the email "Queued" and after a time getting the status "Failed", please provide the output of /log/smtpd_main.log.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • The smtpd_main.log shows the following message, which is always the same for every mail address on privat.com.

     1439 Considering: wolfgang@privat.com
     1439 unique = wolfgang@privat.com
     1439 LOG: retry_defer MAIN
     1439   == wolfgang@privat.com routing defer (-51): retry time not reached
    2020-09-03 20:35:11.350 [1439] B3JNRW-Zgelol-3G == wolfgang@privat.com routing defer (-51): retry time not reached
     1439 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     1439 After routing:
     1439   Local deliveries:
     1439   Remote deliveries:
     1439   Failed addresses:
     1439   Deferred addresses:
     1439     wolfgang@privat.com
     1440 LOG: skip_delivery MAIN
     1440   Message is frozen
    10546 1 queue-runner process running
     1511 LOG: skip_delivery MAIN
     1511   Message is frozen
     1512 LOG: skip_delivery MAIN
     1512   Message is frozen
     1513 LOG: skip_delivery MAIN
     1513   Message is frozen
     1514 LOG: skip_delivery MAIN
     1514   Message is frozen
     1515 LOG: skip_delivery MAIN
     1515   Message is frozen
     1516 LOG: skip_delivery MAIN
     1516   Message is frozen
     1517 LOG: skip_delivery MAIN
     1517   Message is frozen
     1518 locking /sdisk/spool/output//db/retry.lockfile
     1518 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    XG135_XN03_SFOS 18.0.1 MR-1-Build396#

  • Hello Wolfgang,

    Thank you for the follow-up!

    If you go to:

    cd /var/spool/output/db

    ls -lh

    You would see some files in there; those are the lock files.

    By running the commands below you should be able to remove the lock files:

    rm -f retry.lockfile

    rm -f wait-remote_smtp.lockfile

    rm -f wait-static_smtp.lockfile

    Then you need to restart the SMTPd service:

    service smtpd:restart -ds nosync

    Just to clarify, privat.com domain email is behind the XG, correct?

    Regards,
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • I just did the removal of two files:

    retry and retry.lockfile

    privat.com is hosted by my provider on the internet (WAN).

    I have just the mail clients in the LAN area and an internal mail server, which I use just to fetch specific mails; I call it mail.privat.local and this is also my AD domain.

  • Sorry, I just deleted the retry.lockfile, not both files.

    After the restart command I made in the mail spool a retry for 2 mails; they are still in the spooler and I have again a retry.lockfile in the db folder.

    XG135_XN03_SFOS 18.0.1 MR-1-Build396# cd /var/spool/output/db
    XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
    -rw-r--r--    1 root     0          12.0K Sep  3 16:44 retry
    -rw-r--r--    1 root     0              0 Sep  3 00:03 retry.lockfile
    XG135_XN03_SFOS 18.0.1 MR-1-Build396# rm -f retry.lockfile
    XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
    -rw-r--r--    1 root     0          12.0K Sep  3 16:44 retry
    XG135_XN03_SFOS 18.0.1 MR-1-Build396# service smtpd:restart -ds nosync
    200 OK
    XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
    -rw-r--r--    1 root     0          12.0K Sep  3 16:44 retry
    -rw-r--r--    1 root     0              0 Sep  3 21:40 retry.lockfile
    XG135_XN03_SFOS 18.0.1 MR-1-Build396#
  • Why is the sending from the mail spooler locked?

    Could it be that in the SMTP policy I use "MX" for "Route by" instead of "DNS host" or "Static host"?

    My MX record for privat.com has two lines:

    Line 1 routes to the XG Firewall WAN IP with priority 1  --> This part works

    Line 2 routes to my hosted mail server IP with priority 2 --> This worked before I changed the device access with "SMTP Relay"

    Could it be that by using MX, mail is routed to the XG Firewall again, due to the priority settings?

  • I changed the settings in the SMTP/SMTPS Policy.

    "Route by" is now

    "DNS host" with "DNS hostname" mail.privat.com

     

    Now it works :)
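Modelling the loop Wolfgang describes, as an added example that is not code from the thread or from Sophos: with "Route by MX" the lowest-preference MX for privat.com is the firewall's own WAN address, so the next hop is the firewall itself (Exim, whose debug output the log above is, freezes such a message by default through its `self` router option), while "DNS host" hands the mail straight to the provider's server. The MX lines, A records and WAN address below are constructed sample values, and nothing is resolved live.

```python
from dataclasses import dataclass

# Constructed sample zone data for privat.com: the two MX lines from the thread
# (priority 1 -> firewall WAN IP, priority 2 -> hosted mail server) plus A records.
# The addresses are documentation ranges, not anyone's real hosts.
SAMPLE_MX = {"privat.com": [(2, "mail.privat.com"), (1, "mx.privat.com")]}
SAMPLE_A = {
    "mx.privat.com": "198.51.100.10",   # assumed: the XG firewall's WAN address
    "mail.privat.com": "203.0.113.25",  # assumed: the provider-hosted mail server
}
FIREWALL_WAN_IP = "198.51.100.10"


@dataclass
class Route:
    next_hop_host: str
    next_hop_ip: str
    loops_to_self: bool  # True when the chosen hop is the firewall itself


def mx_candidates(domain, mx_table=SAMPLE_MX, a_table=SAMPLE_A):
    """MX targets in the order an MTA tries them: lowest preference value first."""
    records = sorted(mx_table.get(domain, []))
    if not records:
        raise LookupError(f"no MX records for {domain}")
    return [(pref, host, a_table[host]) for pref, host in records]


def route(domain, route_by, wan_ip=FIREWALL_WAN_IP, dns_host=None,
          mx_table=SAMPLE_MX, a_table=SAMPLE_A):
    """Emulate the two 'Route by' choices discussed in the thread.

    "MX":       hand the mail to the lowest-preference MX of the domain.
    "DNS host": hand it to the explicitly named host, skipping the MX lookup.
    """
    if route_by == "MX":
        _, host, ip = mx_candidates(domain, mx_table, a_table)[0]
    elif route_by == "DNS host":
        host, ip = dns_host, a_table[dns_host]
    else:
        raise ValueError(f"unknown route_by {route_by!r}")
    return Route(host, ip, loops_to_self=(ip == wan_ip))


if __name__ == "__main__":
    for mode, extra in (("MX", {}), ("DNS host", {"dns_host": "mail.privat.com"})):
        r = route("privat.com", mode, **extra)
        verdict = "LOOP: next hop is this firewall" if r.loops_to_self else "ok"
        print(f"Route by {mode:8s} -> {r.next_hop_host} ({r.next_hop_ip}): {verdict}")
```

Running the script prints a LOOP verdict for "MX" and "ok" for "DNS host", which is the behaviour change Wolfgang saw after switching the policy.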

  • Hello Wolfgang,

    Thank you for the follow-up and for sharing what finally solved the issue.

    Regards,
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support