Cannot get SMTP MTA to accept mail on port 587

Good day,

I have been fighting to get Sophos XG to accept incoming email in MTA mode for a few days now, and I'm not sure if I've somehow broken the config or if there's a bug?

My ISP seems to block port 25 everywhere, so my scenario for SMTP is:
 - Offsite hosted mail relay
 - Onsite mail server in DMZ zone
 - DMZ, WAN and LAN zones have "SMTP Relay" enabled
 - SMTP deployment mode: MTA
 - Smarthost configured to offsite relay
 - Relay settings
    + Upstream host - allow relay server only
    + Host based relay - allow internal mail server only
 - Offsite server set to deliver to 587 of WAN Port on XG

Where I'm stuck is:
 - exim is running on the XG, and is listening on port 587
 - Firewall rule set to accept all traffic from anywhere to WAN port 587 (top rule)
 - I cannot open a TCP connection to port 587 to XG from anywhere except localhost on XG
 - tcpdump port 587 shows incoming packets, no replies
 - Firewall log on XG has zero records for incoming requests to port 587!

I have tried:
 - removing all the auto generated rules (Firewall & NAT rules), and configuring by hand, with no success.
 - disabling SMTP/SMTPS scan on the firewall rule
 - disabling/re-enabling SMTP relay on WAN zone

If I switch the SMTP mode to Legacy, and NAT port 587 through to my internal server (not desired), that works.

Anyone able to point me in the right direction to get the XG to accept SMTPS (587) connections?


Edited TAGs
[edited by: emmosophos at 12:02 AM (GMT -7) on 10 Apr 2021]

Top Replies

  • Hi ,

    We've moved this thread to the XG Firewall group from the UTM Firewall Community group as it’s better suited here. 

    You could change the port from the console with the following command…