I have been fighting to get Sophos XG to accept incoming email in MTA mode for a few days now, and I'm not sure if I've somehow broken the config or if there's a bug? My ISP seems to block port 25 everywhere, so my scenario for SMTP is:
- Offsite hosted mail relay
- Onsite mail server in DMZ zone
- DMZ, WAN and LAN zones have "SMTP Relay" enabled
- SMTP deployment mode: MTA
- Smarthost configured to offsite relay
- Relay settings
  + Upstream host - allow relay server only
  + Host based relay - allow internal mail server only
- Offsite server set to deliver to 587 of WAN Port on XG
Where I'm stuck is:
- exim is running on the XG, and is listening on port 587
- Firewall rule set to accept all traffic from anywhere to WAN port 587 (top rule)
- I cannot open a TCP connection to port 587 to XG from anywhere except localhost on XG
- tcpdump port 587 shows incoming packets, no replies
- Firewall log on XG has zero records for incoming requests to port 587!
I have tried:
- removing all the auto generated rules (Firewall & NAT rules), and configuring by hand, with no success.
- disabling SMTP/SMTPS scan on the firewall rule
- disabling/re-enabling SMTP relay on WAN zone
If I switch the SMTP mode to Legacy, and NAT port 587 through to my internal server (not desired), that works.
Anyone able to point me in the right direction to get the XG to accept SMTPS (587) connections?
We've moved this thread to the XG Firewall group from the UTM Firewall Community group as it’s better suited here.
You could change the port from the console with the following command…
Let us know how it turns out for you once you change the port.
Community Support Engineer | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' button.
Found this article: https://support.sophos.com/support/s/article/KB-000035698?language=en_US
I see your command says "SMTP", but the article says "SMTPS". Which one is it? Or doesn't it matter? I've already got this (below), but I still cannot access port 587.
It depends on the downstream server if it supports the TLS connection or not; based on that, you could add SMTP/SMTPS ports.
However, this default port is already supported with the MTA configuration, and you wouldn't need to use that command.
When you try to connect to the XG firewall on port 587, run a packet capture from the GUI and post the screenshot:
I'd suggest you check out the following document to ensure the configuration is correct: Configure email protection in MTA mode.
This is what the packet capture shows:
And yes, SMTP relay is enabled for the Zones currently in use:
Could you please check the Email Protection license at Administration > Licensing > Module subscription details?
Is smtpd service running on your firewall? Run the following command from the Advanced Shell to check:
I can connect to the service if I telnet to 587 when in the Advanced Shell:
Edit: The hostname and IP that are redacted are assigned to WAN.
Solved by changing SMTPS to SMTP. I mean, really, this made no sense to me as a change. Can someone please explain why "set service-param SMTPS add port 587" doesn't work, but "set service-param SMTP add port 587" does?
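The behaviour the thread ends on lines up with how mail clients treat the two ports: port 587 is the submission port (RFC 6409), where the server sends a plaintext `220` banner first and the client upgrades with `STARTTLS` after `EHLO`, whereas "SMTPS" means implicit TLS (port 465, RFC 8314), where the TLS handshake happens before any SMTP banner. A listener registered as the wrong kind on 587 will not do what a relay expects. The script below is an added diagnostic, not Sophos code and not anything posted in the thread: it connects to a host:port, classifies what the listener speaks, and compares that with the convention for the port. The local listener it starts is a constructed stand-in used only so the script can be run offline; `probe.example` and `xg.example` are placeholder names.

```python
import socket
import threading

# Port conventions from RFC 6409 / RFC 8314 (general facts, not from the thread):
# 25 and 587 carry plain SMTP that upgrades via STARTTLS; 465 is implicit TLS.
EXPECTED_BY_PORT = {25: "starttls", 587: "starttls", 465: "implicit-tls"}


def classify_greeting(first_bytes: bytes) -> str:
    """Classify a listener from whatever it sends first.

    Plain SMTP speaks first with a '220' banner. An implicit-TLS listener waits
    for the client's ClientHello, so a plaintext client receives nothing.
    """
    if not first_bytes:
        return "implicit-tls"
    if first_bytes.startswith(b"220"):
        return "smtp-banner"
    return "unknown"


def classify_ehlo(reply: bytes) -> str:
    """'starttls' if the EHLO capability list advertises STARTTLS, else 'plain'."""
    for line in reply.decode("ascii", errors="replace").splitlines():
        # Capability lines look like '250-STARTTLS' or '250 STARTTLS' (final line).
        if line[:4] in ("250-", "250 ") and line[4:].strip().upper() == "STARTTLS":
            return "starttls"
    return "plain"


def _read_reply(sock: socket.socket) -> bytes:
    """Read one SMTP reply; the final line has a space (not '-') after the code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if data.endswith(b"\r\n"):
            last = data[:-2].split(b"\r\n")[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                break
    return data


def probe_smtp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'no-connect', 'implicit-tls', 'starttls', 'plain' or 'unknown'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # The symptom in the thread: SYNs in tcpdump, no reply, connect fails.
        return "no-connect"
    with sock:
        sock.settimeout(timeout)
        try:
            banner = _read_reply(sock)
        except socket.timeout:
            banner = b""
        kind = classify_greeting(banner)
        if kind != "smtp-banner":
            return kind
        sock.sendall(b"EHLO probe.example\r\n")  # placeholder client name
        try:
            result = classify_ehlo(_read_reply(sock))
        except socket.timeout:
            return "unknown"
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
        return result


def matches_port_convention(port: int, observed: str) -> bool:
    """True when the observed behaviour is what a relay expects on that port."""
    return EXPECTED_BY_PORT.get(port) == observed


def start_fake_submission_listener(offer_starttls: bool = True) -> int:
    """Constructed local stand-in for a submission listener (not exim, not Sophos).

    Listens on an ephemeral 127.0.0.1 port, serves one connection, and returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 xg.example ESMTP ready\r\n")
            conn.recv(1024)  # EHLO
            caps = b"250-xg.example Hello\r\n"
            if offer_starttls:
                caps += b"250-STARTTLS\r\n"
            caps += b"250 8BITMIME\r\n"
            conn.sendall(caps)
            conn.recv(1024)  # QUIT
            try:
                conn.sendall(b"221 bye\r\n")
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_submission_listener()
    seen = probe_smtp("127.0.0.1", port)
    print(f"port {port}: {seen}; matches 587 convention: {matches_port_convention(587, seen)}")
```

Run it against the firewall's WAN address and port 587 from outside: `no-connect` is the thread's original symptom (nothing answers); `implicit-tls` means the listener is doing TLS-on-connect, which a submission client on 587 will not negotiate; `starttls` is what a smarthost or relay delivering to 587 expects.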