Outbound SMTP for Scan to email not working

We have setup an XG 135 running v18 MR4. Default out of the box our Canon Copier with scan to email is blocked. This was working on the firewall we pulled out, so we know the scan to email settings are working. We are scanning to port 2525 using smtp2go.

I have searched far and wide on how to allow outbound SMTP. Either it is for an earlier version (v17 or earlier) and does not directly translate.

I have tried both MTA and Legacy mode

I have created a service group for ports 2525, 465, 587 and created a firewall rule for Traffic to WAN.

I have watched the logs and not seen anything of value to help me troubleshoot.

Does anyone have instructions on how to allow a single IP to send outbound email over port 2525?

Thanks



Edited TAGs
[edited by: emmosophos at 10:57 PM (GMT -7) on 16 Apr 2021]
Parents
  • Hello Jeremy,

    Thank you for contacting the Sophos Community.

    If you run a drop-packet-capture on the XG for port 2525 what do you see?

    console> drop-packet-capture 'port 2525'

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Here is the output:

     

    console> drop-packet-capture 'port 2525'                                        
    2021-04-16 19:22:02 0102021 IP 173.255.233.87.2525 > 96.36.225.244.2926 : proto 
    TCP: R 975563789:975563789(0) checksum : 39666                                  
    0x0000:  4500 0028 0000 4000 3206 6f60 adff e957  E..(..@.2.o`...W              
    0x0010:  6024 e1f4 09dd 0b6e 3a25 ec0d 0000 0000  `$.....n:%......              
    0x0020:  5004 0000 9af2 0000                      P.......                      
    Date=2021-04-16 Time=19:22:02 log_id=0102021 log_type=Firewall log_component=Inv
    alid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A i
    n_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=1c:ab:c0:08:34:c2 dest_
    mac=7c:5a:1c:84:ce:90 bridge_name= l3_protocol=IPv4 source_ip=173.255.233.87 des
    t_ip=96.36.225.244 l4_protocol=TCP source_port=2525 dest_port=2926 fw_rule_id=N/
    A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_
    id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_f
    ilter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 
    dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 conni
    d=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0     
                                                                                    
    2021-04-16 19:22:02 0102021 IP 173.255.233.87.2525 > 96.36.225.244.2926 : proto 
    TCP: R 975563859:975563859(0) checksum : 39596                                  
    0x0000:  4500 0028 0000 4000 3206 6f60 adff e957  E..(..@.2.o`...W              
    0x0010:  6024 e1f4 09dd 0b6e 3a25 ec53 0000 0000  `$.....n:%.S....              
    0x0020:  5004 0000 9aac 0000                      P.......                      
    Date=2021-04-16 Time=19:22:02 log_id=0102021 log_type=Firewall log_component=Inv
    alid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A i
    n_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=1c:ab:c0:08:34:c2 dest_
    mac=7c:5a:1c:84:ce:90 bridge_name= l3_protocol=IPv4 source_ip=173.255.233.87 des
    t_ip=96.36.225.244 l4_protocol=TCP source_port=2525 dest_port=2926 fw_rule_id=N/
    A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_
    id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_f
    ilter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 
    dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 conni
    d=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0     
                                                                                    
    2021-04-16 19:22:02 0102021 IP 173.255.233.87.2525 > 96.36.225.244.2926 : proto 
    TCP: R 975563890:975563890(0) checksum : 39565                                  
    0x0000:  4500 0028 0000 4000 3206 6f60 adff e957  E..(..@.2.o`...W              
    0x0010:  6024 e1f4 09dd 0b6e 3a25 ec72 0000 0000  `$.....n:%.r....              
    0x0020:  5004 0000 9a8d 0000                      P.......                      
    Date=2021-04-16 Time=19:22:02 log_id=0102021 log_type=Firewall log_component=Inv
    alid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A i
    n_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=1c:ab:c0:08:34:c2 dest_
    mac=7c:5a:1c:84:ce:90 bridge_name= l3_protocol=IPv4 source_ip=173.255.233.87 des
    t_ip=96.36.225.244 l4_protocol=TCP source_port=2525 dest_port=2926 fw_rule_id=N/
    A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_
    id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_f
    ilter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 
    dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 conni
    d=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0
  • Hi,

    2525 is not part of the smtp proxy ports. You would need to set a specific rule to allow that port using the http proxy and add that port to the proxy list if you want it scanned.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • When you say rule, are you meaning a firewall rule?

    I have created a Traffic to WAN rule with Copier IP address and a service group that has ports 2525, 465 and 587 in it.

    this current rule above is ANY and not just the copier IP

  • Hi,

    now in that rule tick the web box and allow all with the tick use http. Then try to see if access is allowed.

    ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • Do you mean this?

    It was None and I changed it to Allow All. Tried to scan to email and same result.

  • You need to tick the use web proxy and if feeling a bit adventurous scan http and decrypted https ( at this stage your are not decrypting https).

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • No joy on this either

    I did try the other setting and same result.

  • Hi,

    I don't see any reference to port 2525 in your firewall rule?

    Ian

    Please remove your linked NAT rule.

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • I removed the linked NAT rule. Now the copier will sit and think a while when I scan before erroring (before it would immediately error). 

    As far as port 2525 in the rule, I have the Destination Services with my service group "SMTP Ports" which has 465, 587 and 2525. Should I be doing it another way?

  • Hi,

    the port definition looks fine. Did you tick the http proxy box, because what you are describing sounds like a DPI issue?

    Now when you review the logviewer for that firewall rue what errors do you see.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • After still having issues, I reset the firewall to factory settings. It worked like a charm.

    Thanks for all the help;

Reply Children
No Data