
Options for replacing an XG SFOS 18.5.1 with something that can send email reliably?

I'm reaching the end of my ability to deal with my XG firewall. Came from a working UTM that expired. The XG just cannot/will not reliably relay email from internal servers to the internet. Messages keep hanging and Sophos tech support keeps deleting lock files and restarting the service to get some mail to move then dead again. So many hours burned up with tech support and no closer to an answer. 

What are people moving to that just can't get a stable XG environment working? Obviously I am going to be asking other places, but hoping a good samaritan will help a desperate brother out of the wilderness. Then my only problem will be convincing my employers that the money spent on Sophos is lost and I need more to buy from another vendor.

I'm sorry, but the XG is NOT ready for production use. 



This thread was automatically locked due to age.
  • Wondering, as I do not have this issue whatsoever with my Firewall. But I am using Central and SFOS. 

    If you have deadlock issues, this is caused by two factors. The Firewall tries to reach the WAN but cannot do it (SD-WAN PBR Issue). Or the firewall blocks itself by a missing firewall rule (ANY - ANY - SMTP Rule). 

    Essentially I always recommend migrating to Central Email anyway. This solution is much more powerful than UTM or SFOS in terms of protection and feature set. 


  • What is Central Email, how does it fit into the network, how does the mail flow, why does it work and SFOS not work, why should I have confidence in anything since the &^$^#& I bought regularly dumps on me? And how much more money is Sophos asking for a solution that I shouldn't be needing?

  • You should discuss this with your Sales Rep to get a solution offer for Central Email. It's its own new product, which acts as a cloud-based MTA. So Central will take your emails, scan them, check them and send them to your Email Server (on prem or cloud based). 

    The solution is straightforward and used by thousands of customers. 

    Nevertheless, if you have concerns about your cases and the feeling it's not working as expected, I would recommend talking to Support about this or getting a Sophos Partner involved to check the configuration. This sounds like a configuration issue or maybe a misunderstanding in terms of how the firewall interacts with the MTA.


  • Hello Mark,

    Thank you for contacting the Sophos Community.

    Sorry to hear you are having issues with the Sophos Firewall.

    I checked some of your cases related to email, and they seem to be related to setup: "web mail, IMAP, POP3, Outlook HTTPS configuration".

    Have you tried reaching or did you reach out to your Sales Engineer or Professional Services, to help you with your setup?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Yeah, if only there was some documentation that actually had useful information in the context that I am looking for. I haven't been able to figure out the XG context.

    We thought the setup issues were resolved and I moved on to set up site-to-site VPNs, and that crashed the smtpd system. Apparently that piece of junk stores old config info that is unrelated to what is showing on the pretty web page, and then your mail is all hung up. In reality, I think this may be at the root of the email problems I have been experiencing. When I think it is working and move on to finish the implementation of the XG, my email stops working again. The configuration is too brittle.

    After another 5 hours with tech support (ticket 04523536) the email is flowing. A whole lot of hacking at the command level going on. I have absolutely ZERO confidence the mail system will move traffic through the night. Engineers are friendly and helpful, but I don't really want to be phone pals with them.

    Sales Engineer? Sophos still has those? Mine disappeared last year and no one has reached out as a replacement. Given the rate I am burning up support time, I would have thought someone would reach out, but that would make too much sense. I've already concluded the best thing to do is show up early in the mornings and just go ahead and dial the Sophos support number and get in the queue. 

    Professional Services? If you quote me a fixed price to set up email and fix it every time another config change blows it up, I will consider it. It has been suggested I should work with one of my VARs. Why would I pay them hourly to sit on the phone with Sophos looking for the same answers?

    I'm not launching rockets here. My network and configuration are not complicated. I've had Sophos tech support all over this firewall and the config. We have deleted everything and started over twice. But inevitably at some point everything goes off the rails.

  • Additional info:

    Two fiber WAN connections, two internal mail servers, one internal web server, 30 internal network computers/clients. Nothing weird or exotic.

  • Likely caused by the WAN connections. What's your SD-WAN PBR precedence and the rule for SMTP? Can you show them to us? 


  • What is an SD-WAN PBR and where do I find that *#$@.

    What SMTP rule are you interested in? The MTA firewall rule that was auto-created with its linked NAT rule, or the rule that Sophos created and turns on and off depending on whether they think that will help when they restart the smtpd service?

    This may all be a moot point since I am back to a situation where this junk won't connect any site-to-site VPN I attempt. And why do the published instructions for setting up VPNs all specify using old, outdated, insecure protocols? Is that a hidden message I am missing? Sorry, I just really need something to work, anything to work, for more than 24 hours.

  • Hello Mark,

    Thank you for the Feedback and the Case ID.

    I have reached out to our Escalation Manager and your Account Manager, to discuss the options you have for Sales Engineer and Professional Services, so they can assist you with your setup and migration from UTM to XG. Most likely you’ll be hearing from them in the next 24 hours. 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • OK, you may have hit on the issue. I am on dual WAN connections, but I don't require both. It is a transitory period until I can get out to the remote VPN sites and adjust them to the new provider. Since I can't get any VPNs to reconnect to the XG on the old provider address, I might as well cut it loose now and start the process of correcting the VPN configs at the remote end. The absolute last thing I want to add to the mix now is more configuration issues to support a dual WAN config I don't really need.