We host web and email services on a VPS for our clients in the UK.
We have recently discovered an issue with sending emails from our server to anyone whose email is on hydra.sophos.com.
Such emails are blocked with a “connection refused” message. Here’s an example:
LOG: MAIN cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -M 1olqdj-0005dp-Fi
delivering 1olqdj-0005dp-Fi
LOG: MAIN Sender identification U=exampleuser D=example.com S=user@example.com
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [54.154.243.143]:25 ... failed: Connection refused
LOG: MAIN H=mx-01-eu-west-1.prod.hydra.sophos.com [54.154.243.143] Connection refused
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [52.19.208.181]:25 ... failed: Connection refused
LOG: MAIN H=mx-01-eu-west-1.prod.hydra.sophos.com [52.19.208.181] Connection refused
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [52.210.37.46]:25 ... failed: Connection refused
LOG: MAIN H=mx-01-eu-west-1.prod.hydra.sophos.com [52.210.37.46] Connection refused
LOG: MAIN == person@recipientdomain.com <person@recipientdomain.com> R=dkim_lookuphost T=dkim_remote_smtp defer (111): Connection refused
LOG: MAIN cwd=/var/spool/exim 8 args: /usr/sbin/exim -v -t -oem -oi -f <> -E1olqdj-0005dp-Fi
LOG: MAIN
We have checked our IP with the SophosLabs IP Address Classification Lookup tool at https://www.sophos.com/en-us/threat-center/ip-lookup which shows that our IP address:
"is not currently classified by SophosLabs as a potential spam source. If you received a reject message with a link to this page, your IP address may have subsequently been removed from our list."
However, despite this, it still appears that our IP is being blocked by Sophos somewhere.
We know of no reason why this should be: we have a good reputation, we are not on any blocklists (as confirmed by MXToolbox and VirusTotal) and we are not having any issues with any other email hosts.
How do we get our IP address removed from any blocklists used by Sophos?
Do you have a support ticket open for which you can share the ticket number?
I don't, I'm afraid. I'm not actually a Sophos customer, just someone trying to get my own customer emails accepted by Sophos systems.
When I submitted a Sophos Support Portal registration request (Request 05827708), it was rejected.
Send me the IP address, from domain and recipient domain information so I can see in our logs what is happening. tom[.]foucha+ipblock@sophos[.]com, I have some time today to look into this for you.
Thanks Tom. Email sent.
Got it, looking into it. Stand by.
Resolved, Tim made some adjustments on his firewall.
Yes. It appears we were blocking a range of IP addresses that included hydra.sophos.com mail servers.
Thanks for your help Tom.
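The local-side check that matches how this thread was resolved, as an added example that is not part of the original posts: it pulls the refused MX addresses out of the exim -v output quoted above and tests them against the sending server's own firewall deny ranges. The ranges in LOCAL_DENY_RANGES are constructed for illustration (the thread never states the real ones), and the function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the exim -v output quoted in the thread.
EXIM_OUTPUT = """\
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [54.154.243.143]:25 ... failed: Connection refused
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [52.19.208.181]:25 ... failed: Connection refused
Connecting to mx-01-eu-west-1.prod.hydra.sophos.com [52.210.37.46]:25 ... failed: Connection refused
"""

# Constructed sample of deny ranges exported from the sender's own firewall.
# Replace with the real rule set; these values are assumptions, not from the thread.
LOCAL_DENY_RANGES = ["52.16.0.0/14", "52.208.0.0/13", "54.154.0.0/16", "203.0.113.0/24"]

REFUSED = re.compile(
    r"Connecting to (\S+) \[([0-9A-Fa-f.:]+)\]:(\d+) \.\.\. failed: Connection refused"
)

def refused_targets(text):
    """Return (host, ip, port) for every refused connection attempt in the log."""
    return [(m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3)))
            for m in REFUSED.finditer(text)]

def match_deny_ranges(targets, ranges):
    """Map each refused IP to the local deny ranges that contain it."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return {str(ip): [str(n) for n in nets if n.version == ip.version and ip in n]
            for _host, ip, _port in targets}

def diagnose(text, ranges):
    """Classify the failure: is the sender's own firewall a plausible cause?"""
    targets = refused_targets(text)
    matches = match_deny_ranges(targets, ranges)
    blocked = [ip for ip, hits in matches.items() if hits]
    if targets and len(blocked) == len(targets):
        return "local-firewall"          # every refused MX sits in a local deny range
    if blocked:
        return "partial-local-firewall"  # some MX addresses are blocked locally
    return "not-local"                   # look at routing or the remote side instead

if __name__ == "__main__":
    for ip, hits in match_deny_ranges(refused_targets(EXIM_OUTPUT), LOCAL_DENY_RANGES).items():
        print(ip, "->", ", ".join(hits) or "no local rule")
    print(diagnose(EXIM_OUTPUT, LOCAL_DENY_RANGES))
```

A firewall rule that rejects outbound traffic produces the same "Connection refused" as a remote refusal, so a result of "local-firewall" is a reason to review the sender's own rules before requesting delisting from the recipient's provider.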