There is a Sophos document (Pocket Guide), "Protect Cloud-hosted Email Server (MTA Mode)", which I studied, but I have a few understanding problems. I think it isn't only the difference between V17 and V18 of SFOS on the XG Firewall.
I have a collection of different domains from the past. These are personal and business ones. To collect them in one place I made a "privat.local" mail server, which is also my domain within the LAN.
My mails from provider 1 are only on the servers of this provider, with a lot of SPAM.
I want to transfer all incoming mails over my firewall before they arrive at the mail server of provider 1.
Short network plan:
Net Base Mail Situation.pdf
The first step is already done, with the change of the MX record. I have two records with different priorities. The highest is the WAN address of my firewall.
In the pocket guide shown above there are 6 steps to do this for cloud-hosted email servers. I think this is the same for a normal email provider.
Step 1: Switch to MTA Mode -> Is standard on my FW
Auto-added firewall rule for SMTP/SMTPS is active
Step 2: Enable SMTP Relay from WAN -> was ON and no mails went through to my mail provider, switched it back.
Step 3: Configure SMTP TLS Certificate -> seems to be an understanding problem. I downloaded the PEM and KEY data from my provider for mail.privat.com. It's signed by "Let's Encrypt" as authority. With this certificate I get a red X by the Authority. I would interpret that the certificate authority is missing.
I found one with the filter "let" but it's called differently.
I have on my provider side 3 types of certificate: the CRT (PEM), the KEY and the CABUNDLE. IS IT CORRECT THAT I HAVE TO ADD THE "CABUNDLE" TO THE "CERTIFICATE AUTHORITY"?
Step 4: Configure Global Email Settings -> I have here just added my SMTP hostname; the rest is standard Sophos.
SMTP TLS configuration should be clear. I used my own provider hostname certificate.
Step 5: Scan and Filter Inbound Emails -> In the SMTP policy I used my personal domain (privat.com) located at my provider. I also have a business domain (business.com). In the general settings of the email only 1 SMTP hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list if I route by MX record? Spam and malware protection are not relevant at the moment.
Step 6: Scan and Filter Outbound Emails -> This point I don't understand. I already have an external mail server and the connection to this server with Outlook already works without setting these parameters. It could also be that this is just for a cloud-based mail server, or is there a misunderstanding on my side?
Thank you for contacting Sophos Support.
Step 1 MTA should be the default, which also created the default MTA firewall rule.
Step 2 You would need to enable SMTP on WAN if you want the XG to be able to accept and relay email
Step 3 If you hover over the X it should tell you which CA is missing. Also, try adding the bundle if the CA is already in the XG.
Step 4 Looks good to me
Step 5 Yes, you can add more domains to the Protected domain list
Step 6 This setting is for outbound email. Usually you would add here your internal email server (Exchange) so the XG knows that this host is authorized to relay email outbound (don't set ANY, as this would cause your XG to be an open relay to anybody)
Step 3 is now solved. I added the CA bundle as PEM to the CA entry as Letsdecrypt and now I get the green OK sign.
So far everything is OK.
I set the SMTP Relay on "Device access" for the WAN port, and for my privat.com mail account the mails get queued and are visible on "Mail spool".
There is the message with the status "Queued" and after a time I get the status "Failed". That means the mail will not be sent to my mail account at privat.com.
Just to clarify:
At -PROTECT/Email/General settings- SMTP settings, my personal mail account is set as SMTP hostname,
and in the SMTP TLS configuration the TLS certificate is set to my personal domain certificate "aaaPRIVAT". In the POP and IMAP TLS configuration only "SecurityApp..." is selectable.
My SMTP policy looks as described in my first post. I just added on "Protected domain *" an address group with the domains privat.com and business.com and activated "Spam protection" and "Malware protection". I think the protection works, because one mail was already marked with the prefix "[SPAM]".
From my point of view, everything should be OK. The only part which isn't really clear is the "Relay settings".
Are the Relay settings just for *.local (LAN area) relays or also for WAN -> XG Email -> WAN transactions?
On the automatically set FW rule for SMTP/SMTPS a NAT rule is placed with SNAT on MASQ; the rest is blocked from changes.
Thank you for the follow-up.
Basically that option is for hosts and networks that can use the XG as a mail relay.
In other words, who can connect to the XG and send emails through MTA mode.
For example at home, I have my Exchange Server 10.10.10.100, so this is the IP I use there.
People who use O365, for example, would need to put in the IPs of O365 so O365 can relay email through the XG, so the email flow for outbound would go:
O365 >> XG >> outbound domain.
For the issue with the email "Queued" and after a time getting the status "Failed", please provide the output of /log/smtpd_main.log
The smtpd_main.log shows the following messages, which are always the same for every mail address on privat.com.
1439 Considering: email@example.com
1439 unique = firstname.lastname@example.org
1439 LOG: retry_defer MAIN
1439 == email@example.com routing defer (-51): retry time not reached
2020-09-03 20:35:11.350 B3JNRW-Zgelol-3G == firstname.lastname@example.org routing defer (-51): retry time not reached
1439 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
1439 After routing:
1439 Local deliveries:
1439 Remote deliveries:
1439 Failed addresses:
1439 Deferred addresses:
1439 email@example.com
1440 LOG: skip_delivery MAIN
1440 Message is frozen
10546 1 queue-runner process running
1511 LOG: skip_delivery MAIN
1511 Message is frozen
1512 LOG: skip_delivery MAIN
1512 Message is frozen
1513 LOG: skip_delivery MAIN
1513 Message is frozen
1514 LOG: skip_delivery MAIN
1514 Message is frozen
1515 LOG: skip_delivery MAIN
1515 Message is frozen
1516 LOG: skip_delivery MAIN
1516 Message is frozen
1517 LOG: skip_delivery MAIN
1517 Message is frozen
1518 locking /sdisk/spool/output//db/retry.lockfile
1518 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
XG135_XN03_SFOS 18.0.1 MR-1-Build396#
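The log excerpt above is dense, and the two facts that matter for troubleshooting are easy to miss: every recipient is in "routing defer" (the MTA could not decide where to send the message, and the retry timer has not expired), and the queue runner then skips the message because it is frozen. The following script is an added example, not from the thread or from Sophos, that reads Exim-style queue-runner lines of this shape and summarises deferred recipients, frozen-message skips and the lock files being taken. The sample lines are constructed to mirror the excerpt.

```python
import re

# Constructed sample, modelled on the smtpd_main.log excerpt in the thread
# (pid-prefixed Exim-style queue-runner output; addresses are placeholders).
SAMPLE_LOG = """\
1439 Considering: email@example.com
1439 LOG: retry_defer MAIN
1439 == email@example.com routing defer (-51): retry time not reached
2020-09-03 20:35:11.350 B3JNRW-Zgelol-3G == firstname.lastname@example.org routing defer (-51): retry time not reached
1439 Deferred addresses:
1439 email@example.com
1440 LOG: skip_delivery MAIN
1440 Message is frozen
1511 LOG: skip_delivery MAIN
1511 Message is frozen
1518 locking /sdisk/spool/output//db/retry.lockfile
"""

# "== <address> routing defer (<code>): <reason>" is the routing-stage defer line.
DEFER_RE = re.compile(r"== (?P<addr>\S+) routing defer \((?P<code>-?\d+)\): (?P<reason>.+)$")
# "locking <path>.lockfile" shows which hints database the runner is locking.
LOCK_RE = re.compile(r"locking (?P<path>\S+\.lockfile)")


def summarise_queue_log(text):
    """Collect deferred recipients (with defer code and reason), the number of
    queue-runner passes that skipped a frozen message, and lock files taken."""
    deferred = {}
    frozen_skips = 0
    lockfiles = []
    for line in text.splitlines():
        m = DEFER_RE.search(line)
        if m:
            deferred[m.group("addr")] = (int(m.group("code")), m.group("reason").strip())
            continue
        if line.rstrip().endswith("Message is frozen"):
            frozen_skips += 1
            continue
        m = LOCK_RE.search(line)
        if m:
            lockfiles.append(m.group("path"))
    return {"deferred": deferred, "frozen_skips": frozen_skips, "lockfiles": lockfiles}


def findings(summary):
    """Turn the summary into short, human-readable lines for a ticket or a reply."""
    out = []
    for addr, (code, reason) in sorted(summary["deferred"].items()):
        out.append(f"{addr}: routing defer ({code}), {reason}")
    if summary["frozen_skips"]:
        out.append(f"{summary['frozen_skips']} queue-runner passes skipped a frozen message")
    for path in summary["lockfiles"]:
        out.append(f"lock taken on {path}")
    return out


if __name__ == "__main__":
    for line in findings(summarise_queue_log(SAMPLE_LOG)):
        print(line)
```

Run it over the real log file instead of SAMPLE_LOG by passing `open("/log/smtpd_main.log").read()` to `summarise_queue_log`; a report that lists only routing defers and frozen skips, with no delivery attempts, points at the routing decision (the "Route by" setting of the SMTP policy) rather than at the remote server.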
Thank you for the follow-up!
If you go to:
You would see some files in there; those are the lock files.
By running the commands below you should be able to remove the lock files
rm -f retry.lockfile
rm -f wait-remote_smtp.lockfile
rm -f wait-static_smtp.lockfile
Then you need to restart the SMTPd services
service smtpd:restart -ds nosync
Just to clarify, privat.com domain email is behind the XG, correct?
I am just doing the removal of two files
retry and retry.lockfile
privat.com is at my provider on the internet (WAN).
I have just the mail clients in the LAN area and an internal mail server, which I use just to fetch specific mails; I call it mail.privat.local, and this is also my AD domain.
Sorry, I just deleted the retry.lockfile, not both files.
After the restart command I made a retry for 2 mails on the mail spool; they are still in the spooler and I again have a retry.lockfile in the db folder.
XG135_XN03_SFOS 18.0.1 MR-1-Build396# cd /var/spool/output/db
XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
-rw-r--r-- 1 root 0 12.0K Sep 3 16:44 retry
-rw-r--r-- 1 root 0     0 Sep 3 00:03 retry.lockfile
XG135_XN03_SFOS 18.0.1 MR-1-Build396# rm -f retry.lockfile
XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
-rw-r--r-- 1 root 0 12.0K Sep 3 16:44 retry
XG135_XN03_SFOS 18.0.1 MR-1-Build396# service smtpd:restart -ds nosync
200 OK
XG135_XN03_SFOS 18.0.1 MR-1-Build396# ls -lh
-rw-r--r-- 1 root 0 12.0K Sep 3 16:44 retry
-rw-r--r-- 1 root 0     0 Sep 3 21:40 retry.lockfile
XG135_XN03_SFOS 18.0.1 MR-1-Build396#
Why is the sending from the mail spooler locked?
Could it be that I use "MX" in the SMTP policy for "Route by" instead of "DNS host" or "Static host"?
My MX record for privat.com has two lines:
Line 1 routes to the XG Firewall WAN IP with priority 1 --> This part works
Line 2 routes to my hosted mail server IP with priority 2 --> This worked before I changed the Device access with "SMTP Relay"
Could it be that by using MX, mail is routed to the XG Firewall again, due to the priority settings?
I changed the settings in the SMTP/SMTPS policy.
"Route by" is now "DNS host" with "DNS hostname" mail.privat.com.
Now it works :)
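The fix in the post above follows from how the three "Route by" choices resolve a next hop. With "Route by MX" the firewall looks up the MX records of the protected domain, and since the MX with the best priority is the firewall's own WAN address, the most preferred candidate is the host that just accepted the message, so the message is deferred again and again. "DNS host" and "Static host" skip the MX lookup and point straight at the provider's server. The script below is an added example, not from the thread or from Sophos, that emulates that decision against a constructed DNS view of the setup; the hostnames fw.privat.com and mail.privat.com and the addresses (documentation ranges) are assumed, and the emulation takes the best MX naively, which is what the observed behaviour matches. It also reports every MX target that points at the firewall itself, which is the check to run before choosing "Route by MX" on any protected domain.

```python
# Constructed DNS view of the setup described in the thread.
# Names and addresses are assumed (documentation ranges), not the poster's real values.
DNS = {
    "A": {
        "fw.privat.com": "203.0.113.10",     # XG WAN address, the MX with priority 1
        "mail.privat.com": "198.51.100.25",  # provider-hosted mail server, the MX with priority 2
    },
    "MX": {
        "privat.com": [(1, "fw.privat.com"), (2, "mail.privat.com")],
    },
}

# Addresses on which the firewall itself accepts SMTP (its WAN IP).
OWN_IPS = {"203.0.113.10"}


def resolve_a(dns, host):
    """Look up an A record in the constructed table; fail loudly on unknown names."""
    try:
        return dns["A"][host]
    except KeyError:
        raise LookupError(f"no A record for {host!r}") from None


def mx_candidates(dns, domain):
    """MX targets of a domain in preference order (lower number wins), resolved to IPs."""
    records = sorted(dns["MX"].get(domain, []))
    if not records:
        raise LookupError(f"no MX records for {domain!r}")
    return [(pref, host, resolve_a(dns, host)) for pref, host in records]


def route(dns, domain, route_by, own_ips, dns_hostname=None, static_ip=None):
    """Emulate the SMTP policy's 'Route by' setting.
    Returns (next_hop_ip, loops_to_self)."""
    if route_by == "MX":
        _pref, _host, ip = mx_candidates(dns, domain)[0]  # naive: best MX wins
    elif route_by == "DNS host":
        if not dns_hostname:
            raise ValueError("'DNS host' needs a DNS hostname")
        ip = resolve_a(dns, dns_hostname)
    elif route_by == "Static host":
        if not static_ip:
            raise ValueError("'Static host' needs an IP address")
        ip = static_ip
    else:
        raise ValueError(f"unknown route_by {route_by!r}")
    return ip, ip in own_ips


def mx_loop_report(dns, domain, own_ips):
    """Every MX target that resolves to the firewall itself.
    A non-empty list means 'Route by MX' hands mail back to the firewall."""
    return [(pref, host) for pref, host, ip in mx_candidates(dns, domain) if ip in own_ips]


if __name__ == "__main__":
    print("MX targets that are this firewall:", mx_loop_report(DNS, "privat.com", OWN_IPS))
    modes = [
        ("MX", {}),
        ("DNS host", {"dns_hostname": "mail.privat.com"}),
        ("Static host", {"static_ip": "198.51.100.25"}),
    ]
    for mode, kw in modes:
        ip, loops = route(DNS, "privat.com", mode, OWN_IPS, **kw)
        print(f"{mode:12s} -> {ip}  loops_to_self={loops}")
```

The same check applies to every domain added to the protected domain list: as long as a domain's MX record with the best priority is the firewall's WAN address, "Route by MX" on that domain is a loop, and the policy should name the provider's server with "DNS host" or "Static host" instead.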
Thank you for the follow-up and for sharing what finally solved the issue.