
TLS Authentication (DomainValidation) - Exchange Hybrid - OnPremise server can´t send to Online - SubjectMismatch for Send connector

Hi,

I need to set up a Hybrid scenario with Exchange 2019 OnPremise and Exchange Online.
I ran the HCW and the setup is fine.

I can send mails from external domains to Exchange Online and from Exchange Online to Exchange OnPremise clients.

But I can't send mails from Exchange OnPremise through a smarthost.

The smarthost [192.168.0.254] is an XGS2100 with 18.5.2.

Exchange OnPremise event logs show:

Outbound TLS authentication failed with error SubjectMismatch for Send connector Outbound to Office 365 - 3j5k6j3k-53e4-45b4-8187-482ad2d5bcc3.
The TLS authentication mechanism is DomainValidation. Target is [192.168.0.254].

If I disable TLS in XG 18.5.2 I get this error:

Send connector Outbound to Office 365 - 3j5k6j3k-53e4-45b4-8187-482ad2d5bcc3 couldn't connect to remote domain [192.168.0.254].
The send connector requires Transport Layer Security (TLS) authentication, but is unable to establish TLS with the receiving server for the remote domain.
Check this connector's authentication setting and the EHLO response from the remote server mail.domain.de.

What setting do I need in XG?

Has anyone used Sophos XG with a Hybrid Exchange Setup?

Thanks

Jürgen
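Added example (not part of the original post, and not Exchange's or Sophos' own code): a small probe that does what a DomainValidation send connector has to do on the hop to the smarthost. It opens SMTP on port 25, issues STARTTLS, validates the presented chain against the system trust store and checks the certificate names against the expected TLS domain; the HCW-created connector is assumed to use mail.protection.outlook.com as that domain. The name check is also exposed on its own and run against constructed certificates, so the offline part shows why a certificate for the MTA's own name (mail.domain.de above) can never satisfy a check for the Office 365 domain, which is the SubjectMismatch in the event log.

```python
import socket
import ssl

def names_from_cert(cert):
    """DNS names a cert covers (SAN entries, else Subject CN), ssl.getpeercert() layout."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def domain_matches(tls_domain, cert):
    """True if the cert is issued for tls_domain: exact match or a one-label wildcard.
    An IP target such as 192.168.0.254 can never match a DNS name."""
    tls_domain = tls_domain.lower().rstrip(".")
    for name in names_from_cert(cert):
        if name == tls_domain:
            return True
        if name.startswith("*.") and "." in tls_domain and name[2:] == tls_domain.split(".", 1)[1]:
            return True
    return False

def _reply_code(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    data = b""
    while not (data.endswith(b"\r\n") and data.split(b"\r\n")[-2][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            return ""
        data += chunk
    return data.split(b"\r\n")[-2][:3].decode()

def probe_smarthost(host, tls_domain, port=25, timeout=10):
    """EHLO, STARTTLS, then validate chain and name against tls_domain (system trust store)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if _reply_code(sock) != "220":
            return False, "no SMTP banner"
        sock.sendall(b"EHLO probe.example\r\n")
        if _reply_code(sock) != "250":
            return False, "EHLO rejected"
        sock.sendall(b"STARTTLS\r\n")
        if _reply_code(sock) != "220":
            return False, "STARTTLS refused: TLS is off on the MTA, connector cannot establish TLS"
        try:
            with ctx.wrap_socket(sock, server_hostname=tls_domain) as tls:
                return True, "valid for %s: %s" % (tls_domain, names_from_cert(tls.getpeercert()))
        except ssl.SSLCertVerificationError as e:
            return False, "certificate rejected for %s: %s" % (tls_domain, e.verify_message)

# Constructed sample certificates (not real data) in the ssl.getpeercert() layout.
ONLINE_CERT = {"subjectAltName": (("DNS", "mail.protection.outlook.com"), ("DNS", "*.mail.protection.outlook.com"))}
SMARTHOST_CERT = {"subject": ((("commonName", "mail.domain.de"),),)}
```

Running `probe_smarthost("192.168.0.254", "mail.protection.outlook.com")` from the Exchange server reproduces the connector's view of the hop; a result of False with a hostname mismatch is the same condition the event log reports, and a False with "STARTTLS refused" corresponds to the second error after TLS was switched off on the XG.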



  • Why do you want to scan the emails between both appliances? Shouldn't the Exchange On Premise sync their email databases with Microsoft's own systems and not via SMTP?


  • Microsoft creates two connectors at each site (Exchange OnPremise - send/receive) and (Exchange Online - send/receive).

    OnPremise has a send connector with TLS/Domain Validation and needs to send from OnPremise through the smarthost.
    And here I get these errors.

  • I cannot help on this one. Sounds like a Microsoft Problem. 


  • Maybe. I talked to Microsoft and tried different setups.

    If I switch the Exchange Server gateway IP (Sophos XG) to a leased line without a firewall, all is fine and Exchange can send SMTP with Mutual TLS to Exchange Online.

    So I need to have a transparent connection from Exchange OnPremise to the internet through Sophos XG.
    I can't have the MTA interfere in any way with mail transport.

    Is there any way to bypass the MTA for the Exchange OnPremise server and outgoing mails?

  • There should not be an SMTP scanning Firewall Rule for Port 25. This activates the MTA.


  • We have used the MTA on XG 18.5.2 for the last years; all incoming mails go through the MTA and are delivered to Exchange.

    So, yes, there is a FW rule (first in list):

    Outgoing Mail -> LAN-ANY to WAN-ANY for SMTP

    and a NAT rule:

    Any-Any to Any-Any for SMTP,SMTPS,SMTP_465 out on Port2 (MASQ)

    And the relay settings allow the internal Exchange Servers.

    Would it help to define a different FW rule for outgoing mails and exclude the Exchange Server that needs to send Mutual TLS (bypass MTA)?

  • I just removed this feature ...

    And the first mails are passing Sophos XG.

    So maybe if I modify these rules and add a second rule so that all mails to mail.protection.outlook.com are not scanned it would be fine...