Email forwarding: 550 5.7.1 Command rejected

Hi, we have a problem with forwarding emails. Exchange 2013 on Prem. Using Email Security on Sophos Central. 

This seems to have come up on here before, but I can't find a solution. Any help appreciated.

Thanks

Trev

I use Exchange to forward emails on for a user to an external account at user2@domain2.com.

I can email the external account from our domain user1@domain1.com and they can email in.

If I email User1@domain1.com from any other external account, say user3@domain3.com, I get the following error:

Subject: Delivery Failure Notification

 Sophos XG Firewall was unable to send the following mail:

 ----------------------

From: User1@domain1.com
MessageID: <LNXP265MB250800947BB98F138EDDAD85B6E69@LNXP265MB2508.GBRP265.PROD.OUTLOOK.COM>

Sent on: 2022-04-07 12:39:27

 Mail delivery to following recipients failed:

 user2@domain2.com - 550 5.7.1 Command rejected

 

Resent-From: <User1@domain1.com>

Received: from ExchangeServer (10.10.) by  exchangeserver (10.10.) with Microsoft SMTP Server (TLS)  id 15.0.847.32; Thu, 7 Apr 2022 12:42:47 +0100

Received: from inbound-18-216-7-10-us-east-2.prod.hydra.sophos.com (18.216.7.10) by Exchange.domain1 (10.10. with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Thu, 7 Apr 2022 12:42:28 +0100

Received: from ip-172-21-100-31.us-east-2.compute.internal (ip-172-21-100-31.us-east-2.compute.internal [127.0.0.1]) by inbound-18-216-7-10-us-east-2.prod.hydra.sophos.com (Postfix) with ESMTP id 4KZ00l6CnfzPjdl for <User1@domain1.com>; Thu, 7 Apr 2022 11:44:39 +0000 (UTC)

Authentication-Results: mx-01-us-east-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=user3@domain3.com; dkim=pass header.d=domain3 header.from=domain3; dmarc=pass (recordpolicy=quarantine) header.from=domain3

Received-SPF: pass receiver=mx-01-us-east-2.prod.hydra.sophos.com; client-ip=40.107.10.84; envelope-from=< user3@domain3.com >; helo=GBR01-LO2-obe.outbound.protection.outlook.com;

X-Sophos-Product-Type: Gateway

X-Sophos-Email-ID: c65874521353416d8dbc3e35fd16a1a1

Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-lo2gbr01on2084.outbound.protection.outlook.com [40.107.10.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx-01-us-east-2.prod.hydra.sophos.com (Postfix) with ESMTPS id 4KZ00c6Rhsz9rwG for <user1@domain1.com>; Thu,  7

  • This happens because the forwarded email contains the original sender's HEADER FROM which will be domain3.com.

    Since Sophos Central Email is a SaaS solution and it is shared by many tenants, it needs to have a way to determine which emails are for your organization. The way it does this is by using the HEADER FROM email address. If the domain here is not one of your configured domains AND the email address is not a MAILBOX on your Central account, you will get a reject message.

    You should look into other options such as bypassing Central Email for auto forwarded emails or doing some HEADER FROM rewriting.
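
A small model of the tenant check described in the reply above, added here as an illustration; it is not Sophos code and not part of the original thread. The function names, the sample message, the tenant sets and the `rewrite_from` helper are constructed assumptions, and the rule encoded is only what the reply states.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of an auto-forwarded message, using the thread's placeholders.
FORWARDED = """\
Resent-From: <User1@domain1.com>
From: User Three <user3@domain3.com>
To: User1@domain1.com
Subject: hello

body
"""
TENANT_DOMAINS = {"domain1.com"}          # assumed configured domains
TENANT_MAILBOXES = {"user1@domain1.com"}  # assumed mailboxes on the account

def header_from(raw):
    """Lower-cased header From address; None if absent, repeated or malformed."""
    values = message_from_string(raw).get_all("From") or []
    if len(values) != 1:
        return None
    addr = parseaddr(values[0])[1].lower()
    return addr if addr.count("@") == 1 else None

def tenant_check(raw, domains=TENANT_DOMAINS, mailboxes=TENANT_MAILBOXES):
    """Reject only when the header From domain is not configured AND the
    address is not a mailbox (the rule as stated in the reply)."""
    addr = header_from(raw)
    if addr is None:
        return False, "no usable header From"
    if addr.split("@")[1] in domains:
        return True, f"{addr}: configured domain"
    if addr in mailboxes:
        return True, f"{addr}: known mailbox"
    return False, f"{addr}: domain not configured and not a mailbox"

def rewrite_from(raw, forwarder):
    """Hypothetical rewrite: forwarder becomes From, original kept in Reply-To."""
    msg = message_from_string(raw)
    original = msg["From"]
    del msg["From"]
    msg["From"] = forwarder
    if original and "Reply-To" not in msg:
        msg["Reply-To"] = original
    return msg.as_string()

if __name__ == "__main__":
    print(tenant_check(FORWARDED))   # Resent-From is ignored; From decides
    print(tenant_check(rewrite_from(FORWARDED, "user1@domain1.com")))
```

Rewriting the header From breaks the original sender's DKIM signature, which is required to cover that header, so a rewritten message has to authenticate as the forwarding domain instead.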

  • Thank you for the answer, at least I know what is going on with this. Really appreciate it.

    Would you have any information on either of these options at all or is that a post for another topic area?