XG86 (SFOS 17.5.9) email system notifications issue

Hi all,

Frustratingly, I've only been able to get my email notifications to work with my email hosting service on port 25, despite a host of other devices on my network successfully using SSL through port 587 (my preferred approach). This isn't the real thrust of my problem, as I'm happy to wait for SFOS 18 to go general release and see if that resolves it.

Still, as it was the catalyst to this problem of no emails getting out in any configuration thereafter, it seems that maybe my email host is providing a level of SSL protection that the XG has not yet caught up to, as noted from the smtpd_main.log file:

12143 == test@test.recipient.com R=router_for_notifications T=notification_smtp defer (-37) H=mail.smpt.server [xxx.xxx.xxx.xxx]:587: TLS session: (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So that's the preamble that led up to my next discovery. The real issue here is that I'm seeing a repeated issue with the XG trying to connect to an internal database that doesn't seem to exist, and in order to be able to successfully send emails on port 25, I had to manually delete all the queued prior test message attempts from the "/sdisk/spool/output/input" (not a typo) folder first. Once I cleared out the queued attempts and then retried my unsecured port 25 configuration, the mail did go through, but this lot of warnings about the internal database came up every time I tested (again, irrespective of whether it succeeded or not):

2019-12-29 03:43:44.683 [7899] SMTP connection from [127.0.0.1]:34344 I=[127.0.0.1]:24 (TCP/IP connection count = 1)
2019-12-29 03:43:44.686 [24198] [127.0.0.1] Connection accepted for notification
2019-12-29 03:43:44.690 [24198] [127.0.0.1] F=<redacted@redacted.address> R=<test@test.recipient.com> Accepted: SF notification
2019-12-29 03:43:44.742 [24198] 1ilFBo-0006II-MG <= redacted@redacted.address H=localhost (Sophos) [127.0.0.1]:34344 I=[127.0.0.1]:24 P=esmtp S=955 M8S=0 RT=0.041s T="Test Mail" from <redacted@redacted.address> for test@test.recipient.com
2019-12-29 03:43:44.743 [24198] SMTP connection from localhost (Sophos) [127.0.0.1]:34344 I=[127.0.0.1]:24 closed by QUIT
MSG Dec 29 03:43:44 [ T_SMTPD-M]: new mail queued, add to inqueue '1ilFBo-0006II-MG-D'
MSG Dec 29 03:43:45 [ T_SMTPD-W]: Mail assigned to 'MS-7894' for scanning '1ilFBo-0006II-MG-D'
MSG Dec 29 03:43:45 [ MS-7894]: scan request 1ilFBo-0006II-MG-D
MSG Dec 29 03:43:45 [ MS-7894]: S='redacted@redacted.address' R='test@test.recipient.com' Subject='Test Mail' Size='955' Status='Mail has been queued for delivery.' src_ip='127.0.0.1' src_port=34344
ERR Dec 29 03:43:45 [ MS-7894]: couldn't connect to db reason(could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5433?
)

What is going on here? What is this database that it's failing to connect to and how can I fix it? I have found nothing after searching for about an hour. Thanks in advance!



  • Hi  

    You have deleted a folder that is required for Exim to load.  That is why you are getting database errors.  I suggest you factory reset to bring it back to normal.

    Also you mentioned XG86....this unit does not have MTA mode at all.

    You can try running the below command on the XG to your sending mail server:

    openssl s_client -connect mail_server_hostname_or_ip_address:25 -starttls smtp -tls1_2

    Please then DM me the output.

    However we may be going down a rabbit hole as you have removed a critical folder.

    KingChris
    Community Support | Sophos Support

  • KingChris said:
    You have deleted a folder that is required for Exim to load.  That is why you are getting database errors.  I suggest you factory reset to bring it back to normal.

    Actually, I did not delete any folders. What I did delete, however, were the piles of test messages that built up when it was still reporting that db error, so I ended up deleting just those messages in the input folder I had mentioned, not the folder itself. Considering it is working, albeit without any level of security enforced in the config, I'm not going to put it through a factory reset.

    Also you mentioned XG86....this unit does not have MTA mode at all.

    That's what I thought, given what I uncovered in a search where it mentioned the feature starts with XG105.

    You can try running the below command on the XG to your sending mail server:

    openssl s_client -connect mail_server_hostname_or_ip_address:25 -starttls smtp -tls1_2

    Please then DM me the output.

    I compared its output to what I was seeing in the smtp_main.log file when I don't have any Connection Security enforced. What I found was that with the options/switches you specified, it happily initiates a TLS1.2 connection.

    SSL handshake has read 3611 bytes and written 451 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384

    It would seem that the smtp client is actually accepting a TLS1.2 connection so long as I don't attempt to enforce it with SSL/TLS. I can only enforce it with STARTTLS, which is something I didn't try before and your command line instruction prompted me to, so many thanks. You've solved that part of my problem and I feel like an idiot for not trying that in the first place!

    [15300] sfYxTC-cfOrc4-tn => [RECIPIENT EMAIL] F=<[REDACTED SENDING EMAIL]> P=<[REDACTED SENDING EMAIL]> R=router_for_notifications T=notification_smtp S=985 H=[REDACTED MAIL HOST] [REDACTED MAIL HOST IP]:587 I=[REDACTED SENDING IP]:40137 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/OU=Domain Control Validated/CN=*[REDACTED DOMAIN]" A=server_plain C="250 OK id=1im5lT-0008G1-7m" QT=17s DT=3.229s

    However we may be going down a rabbit hole as you have removed a critical folder.

    Not to be rude but I'm going to insist that if it is indeed a critical folder that has gone missing, it never happened by my hand. I can now confidently say that I am getting the XG86 to send my emails securely but the database error remains. However, by the same token, I am seeing that the messages are being moved to the /sdisk/spool/output/msglog.OLD/ folder upon a successful send. So to my mind, the smtp client is working as intended, despite the database error.

    It's not ideal and thankfully it's not a client's router, so I'm happy to leave it where it is since the critical parts of it are working. If the SFOS 18 upgrade fixes the database issue, then I'll consider it a bonus.
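
Added example, not part of the original thread and not Sophos code: a small Python audit over Exim-style delivery lines like the ones quoted above. It reports, per notification attempt, whether the message left in cleartext, over TLS with a verified certificate, or failed with the "unknown protocol" handshake error that appears when implicit SSL/TLS is used against a port that expects STARTTLS. The sample lines, hosts, addresses and verdict names are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the Exim-style entries quoted in the thread
# (hosts, addresses and message ids are placeholders, not values from the page).
SAMPLE_LOG = """\
12143 == rcpt@example.test R=router_for_notifications T=notification_smtp defer (-37) H=mail.example.test [192.0.2.10]:587: TLS session: (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
[15300] aaaaaa-bbbbbb-cc => rcpt@example.test F=<fw@example.test> R=router_for_notifications T=notification_smtp S=985 H=mail.example.test [192.0.2.10]:587 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=x"
[15301] aaaaaa-bbbbbb-cd => rcpt@example.test F=<fw@example.test> R=router_for_notifications T=notification_smtp S=955 H=mail.example.test [192.0.2.10]:25 C="250 OK id=y"
[15302] aaaaaa-bbbbbb-ce => rcpt@example.test F=<fw@example.test> R=router_for_notifications T=notification_smtp S=955 H=mail.example.test [192.0.2.10]:587 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=z"
"""

EVENT = re.compile(r"\s(=>|==|\*\*)\s")             # delivered / deferred / failed
HOST = re.compile(r"\bH=(\S+) \[([^\]]+)\]:(\d+)")  # H=name [ip]:port
TLS = re.compile(r"\bX=([^:\s]+):")                 # X=version:cipher[:bits]
CERT = re.compile(r"\bCV=(\w+)")                    # certificate verification result

def classify(line):
    """Return a dict describing the transport security of one delivery line, or None."""
    event = EVENT.search(line)
    host = HOST.search(line)
    if not (event and host and "T=notification_smtp" in line):
        return None
    result = {"port": int(host.group(3)), "tls": None, "verdict": ""}
    if event.group(1) != "=>":
        # A non-TLS reply to a ClientHello is reported by OpenSSL as "unknown protocol".
        mismatch = "TLS session" in line and "unknown protocol" in line
        result["verdict"] = "likely-starttls-mismatch" if mismatch else "not-delivered"
        return result
    tls = TLS.search(line)
    if not tls:
        result["verdict"] = "cleartext"  # delivered with no X= field: no TLS session
        return result
    result["tls"] = tls.group(1)
    cert = CERT.search(line)
    verified = bool(cert) and cert.group(1) == "yes"
    result["verdict"] = "encrypted-verified" if verified else "encrypted-unverified"
    return result

def audit(log_text):
    """Classify every notification delivery attempt found in log_text."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```
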