Sophos Smarthost - Outgoing Interface + NAT

Hello,

An XG uses a smarthost upstream to send and receive mails towards the internet.
My problem is that the XG already sends outgoing mails on the right interface, but there is a transfer network towards the smart host which is private and not public, so the upstream smart host knows no route to the IP that the Sophos uses.
I have already tried everything with NAT, but nothing seems to work here.

Help :)



Added TAGs
[edited by: emmosophos at 6:43 PM (GMT -7) on 18 Jul 2022]

  • Hello,

    Thank you for reaching out to the community. So if I understood it correctly, you have an on-premise smarthost which you want to utilize under Email > General settings > Smarthost settings. If that is the case, you can create a DNAT for that on-premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi,
    Does this also work to run Sophos itself (the MTA service) over the NAT?

  • Unfortunately, it does not work. The problem may also be that this NAT should be on an interface IP of the Sophos that is on LAN1, but the route would go via LAN4.

    There is still a CLI command that is needed for NAT in conjunction with IPSec. Could there still be a possibility here?

    Do you want me to draw it?

  • Yes, a topology will be better to narrow it down. Do you have aliases on LAN1? If not, have you created any?

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • That's the situation: the Exchange sends the mails to the Sophos, and then the Sophos should send them to the smarthost, out on P4.
    BUT the mail service inside the Sophos must use a source IP address of the LAN (actually it uses the configured alias) to communicate with the smarthost, because the transfer network is local-only and not routed by the provider.
    Incoming mails from the smart host are working as expected.

  • Hello,

    In this scenario, instead of MASQ with the interface in the NAT rule, leave "Translated source (SNAT)" as original, then select the outbound interface and mark it with that particular desired interface.

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • Tried this and also this: https://support.sophos.com/support/s/article/KB-000035607?language=en_US

    But both don't seem to work. I'll capture some traffic to see what's going on.

  • Sure, tcpdump and packet capture can help to understand!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • So, the connection is okay now, but it seems there is another issue with mail protection itself, regarding the mail delivery to the upstream smarthost.

    In the General config tab I disabled nearly everything that would scan or block something. In the log file I just can't find the reason why the mail is still bounced now.

    Trying to send via Outlook from Test.User@internal-test-domain.com to test@sophos123.com (does not exist):

    2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
    2022-07-22 11:28:38.770 [13567] [172.30.104.10] F=<Test.User@internal-test-domain.com> R=<test@sophos123.com> Accepted from relay list
    2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s id=41bab319d48148699774b976b345b448@internal-test-domain.com T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
    MSG   Jul 22 11:28:38 [ T_SMTPD-M]: new mail queued, add to inqueue '1oEoxa-0003Wp-Or-D'
    2022-07-22 11:28:38.776 [13567] SMTP connection from (DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 closed by QUIT
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: Mail assigned to 'MS-4990' for scanning '1oEoxa-0003Wp-Or-D'
    MSG   Jul 22 11:28:39 [   MS-4990]: scan request 1oEoxa-0003Wp-Or-D
    MSG   Jul 22 11:28:39 [   MS-4990]: S='Test.User@internal-test-domain.com' R='test@sophos123.com' Subject='test' Size='3414' Status='Mail has been queued for delivery.' src_ip='172.30.104.10' src_port=37190 user_id=0 user_grp_id=0 fw_id=0 src_zone_id=3
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: [0x8b6ff600] FROM: Test.User@internal-test-domain.com , TO: test@sophos123.com
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: move '8cFC4L-hj6O7d-wh' to forwarder queue
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: 8cFC4L-hj6O7d-wh <= Test.User@internal-test-domain.com R=1oEoxa-0003Wp-Or
    MSG   Jul 22 11:28:39 [   MS-4990]: processing for 1oEoxa-0003Wp-Or completed
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] mail '1oEoxa-0003Wp-Or-D' processed sucessfully
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
     5000 1 queue-runner process running
    13586 queue-runner forking for qrun-delivery
    13586 queue-runner forked for qrun-delivery: 13587
    13587 postfork: qrun-delivery
    13587 locking /sdisk/spool/output//db/retry.lockfile
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 Considering: test@sophos123.com
    13587 unique = test@sophos123.com
    13587 test@sophos123.com: queued for routing
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 routing test@sophos123.com
    13587 --------> router_for_notifications router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    13587 router_for_notifications router skipped: condition failure
    13587 --------> batv_redirect router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 batv_redirect router skipped: domains mismatch
    13587 --------> static_route_hostlist_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    13587 static_route_hostlist_for_email router skipped: condition failure
    13587 --------> static_route_hostlist router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_hostlist router skipped: domains mismatch
    13587 --------> static_route_bymx_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
    13587 static_route_bymx_for_email router skipped: condition failure
    13587 --------> static_route_bymx router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_bymx router skipped: domains mismatch
    13587 --------> static_route_bydns_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
    13587 static_route_bydns_for_email router skipped: condition failure
    13587 --------> static_route_bydns router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_bydns router skipped: domains mismatch
    13587 --------> smart_host_route router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 checking "condition" "1"...
    13587 calling smart_host_route router
    13587 smart_host_route router called for test@sophos123.com
    13587   domain = sophos123.com
    13587 route_item = * "<, 10.0.0.10,"
    13587 original list of hosts = '<, 10.0.0.10,' options = ''
    13587 expanded list of hosts = '<, 10.0.0.10,' options = ''
    13587 set transport smarthost_smtp
    13587 finding IP address for 10.0.0.10
    13587 calling host_find_byname
    13587 queued for smarthost_smtp transport: local_part = test
    13587 domain = sophos123.com
    13587   errors_to=NULL
    13587   domain_data=NULL local_part_data=NULL
    13587 routed by smart_host_route router
    13587   envelope to: test@sophos123.com
    13587   transport: smarthost_smtp
    13587   host 10.0.0.10 [10.0.0.10]
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 After routing:
    13587   Local deliveries:
    13587   Remote deliveries:
    13587     test@sophos123.com
    13587   Failed addresses:
    13587   Deferred addresses:
    13587 qrun-delivery forking for transport
    13587 qrun-delivery forked for transport: 13588
    13588 postfork: transport
    13588 T: smarthost_smtp: for test@sophos123.com
    13588 locking /sdisk/spool/output//db/retry.lockfile
    13588 locking /sdisk/spool/output//db/wait-smarthost_smtp.lockfile
    13587 LOG: MAIN
    13587   ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
    2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
    13587 qrun-delivery forking for bounce-message
    13587 qrun-delivery forked for bounce-message: 13589
    13589 postfork: bounce-message
    13589 Exim version 4.94.2 uid=0 gid=0 pid=13589 D=4080000
    Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF TCP_Fast_Open
    Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dnsdb dsearch ldap ldapdn ldapm pgsql sqlite
    Authenticators: cram_md5 plaintext
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile pipe smtp
    Configure owner: 0:0
    Size of off_t: 4
    Compiler: GCC [7.3.0]
    Library version: Glibc: Compile: 2.27
                            Runtime: 2.27
    Library version: BDB: Compile: Berkeley DB 4.7.25: (May 15, 2008)
                          Runtime: Berkeley DB 4.7.25: (May 15, 2008)
    Library version: OpenSSL: Compile: OpenSSL 1.0.2u-fips  20 Dec 2019
                              Runtime: OpenSSL 1.0.2u-fips  20 Dec 2019
                                     : built on: reproducible build, date unspecified
    Library version: spf2: Compile: 1.2.10
                           Runtime: 1.2.10
    Library version: PCRE: Compile: 8.43
                           Runtime: 8.43 2019-02-23
    Library version: SQLite: Compile: 3.32.3
                             Runtime: 3.32.3
    WHITELIST_D_MACROS: "INPUT"
    TRUSTED_CONFIG_LIST unset
    13589 configuration file is /static/proxy/smtp/exim.conf
    13589 log selectors = fffff7bf ffffffff ffffffff
    13589 LOG: MAIN
    13589   cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    13589 trusted user
    13589 admin user
    13589 LOG: MAIN
    13589   <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
    2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
    13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
    13587 LOG: MAIN
    13587   Completed QT=8s
    2022-07-22 11:28:46.099 [13587] 8cFC4L-hj6O7d-wh Completed QT=8s
    13587 >>>>>>>>>>>>>>>> Exim pid=13587 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
     5000 1 queue-runner process running
    13676 queue-runner forking for qrun-delivery
    13676 queue-runner forked for qrun-delivery: 13677
    13677 postfork: qrun-delivery
    13677 locking /sdisk/spool/output//db/retry.lockfile
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 Considering: Test.User@internal-test-domain.com
    13677 unique = Test.User@internal-test-domain.com
    13677 Test.User@internal-test-domain.com: queued for routing
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 routing Test.User@internal-test-domain.com
    13677 --------> router_for_notifications router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    13677 router_for_notifications router skipped: condition failure
    13677 --------> batv_redirect router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking domains
    13677 calling batv_redirect router
    13677 expanded: ''
    13677 file is not a filter file
    13677 parse_forward_list:
    13677 batv_redirect router declined for Test.User@internal-test-domain.com
    13677 --------> static_route_hostlist_for_email router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    13677 calling static_route_hostlist_for_email router
    13677 static_route_hostlist_for_email router called for Test.User@internal-test-domain.com
    13677   domain = internal-test-domain.com
    13677 static_route_hostlist_for_email router declined for Test.User@internal-test-domain.com
    13677 --------> static_route_hostlist router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking domains
    13677 calling static_route_hostlist router
    13677 static_route_hostlist router called for Test.User@internal-test-domain.com
    13677   domain = internal-test-domain.com
    13677 original list of hosts = '<;172.30.104.10;' options = ''
    13677 expanded list of hosts = '<;172.30.104.10;' options = ''
    13677 set transport static_smtp
    13677 finding IP address for 172.30.104.10
    13677 calling host_find_byname
    13677 queued for static_smtp transport: local_part = test.user
    13677 domain = internal-test-domain.com
    13677   errors_to=NULL
    13677   domain_data=internal-test-domain.com local_part_data=NULL
    13677 routed by static_route_hostlist router
    13677   envelope to: Test.User@internal-test-domain.com
    13677   transport: static_smtp
    13677   host 172.30.104.10 [172.30.104.10]
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 After routing:
    13677   Local deliveries:
    13677   Remote deliveries:
    13677     Test.User@internal-test-domain.com
    13677   Failed addresses:
    13677   Deferred addresses:
    13677 qrun-delivery forking for transport
    13677 qrun-delivery forked for transport: 13678
    13678 postfork: transport
    13678 T: Static_smtp: for test.user@internal-test-domain.com
    13678 locking /sdisk/spool/output//db/retry.lockfile
    13678 I can not find c7, Not attempting firewall relate
    13678 LOG: MAIN
    13678   [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
    2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
    13678 LOG: MAIN
    13678   [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
    2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
    13678 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
    13677 LOG: MAIN
    13677   => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
    2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
    13677 LOG: MAIN
    13677   Completed QT=15s
    2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t Completed QT=15s
    13677 >>>>>>>>>>>>>>>> Exim pid=13677 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
    
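    As an added example (not from the thread and not Sophos code), here is a small Python parser for main-log lines in the shape quoted above. It groups events by Exim queue id, flags the `**` failure whose reason is the retry database ("retry time not reached", DT=0.000s, i.e. the smarthost was not even contacted in that queue run), links the `<= <>` bounce back to the message it was generated for, and picks out the `SSL verify error` lines and the `CV=no` flag on the TLS delivery, which is what pointed at the certificate authority setting later in the thread. The sample lines are constructed, shortened copies of the ones in the post; the field regex is my assumption about the `KEY=value` layout of Exim main-log entries, not an official parser.

    ```python
    import re

    # Constructed sample in the shape of the Exim main-log lines quoted in the thread
    # (queue ids, addresses and hosts copied from the post, other fields trimmed).
    SAMPLE_LOG = """\
    2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
    2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
    2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
    2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
    2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" C="250 2.6.0 Queued mail for delivery" QT=15s DT=0.135s
    """

    # Exim queue ids are three base-62 groups: 6-6-2 characters.
    QID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
    LINE_RE = re.compile(rf"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] (?P<qid>{QID}) (?P<rest>.*)$")
    # KEY=value pairs: value is "quoted", <angled> or a bare token (assumed layout).
    KV_RE = re.compile(r'\b([A-Z]{1,3})=(?:"([^"]*)"|<([^>]*)>|(\S+))')


    def parse_fields(rest):
        """Return the KEY=value pairs of one main-log line as a dict."""
        fields = {}
        for key, quoted, angled, bare in KV_RE.findall(rest):
            fields[key] = quoted or angled or bare
        return fields


    def summarize(log_text):
        """Group receive, delivery, failure, bounce and TLS events by queue id."""
        msgs = {}
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # debug chatter and daemon lines carry no queue id
            qid, rest = m["qid"], m["rest"]
            ev = msgs.setdefault(qid, {"received": None, "delivered": [], "failed": [],
                                       "tls_errors": [], "bounce_of": None})
            f = parse_fields(rest)
            if rest.startswith("<= "):                      # message accepted into the queue
                sender = rest[3:].split(" ", 1)[0]
                ev["received"] = {"sender": sender, "tls_verified": f.get("CV") == "yes"}
                if sender == "<>" and "R" in f:             # null sender + R= is a bounce (DSN)
                    ev["bounce_of"] = f["R"]
            elif rest.startswith("** "):                    # permanent failure for a recipient
                rcpt = rest[3:].split(" ", 1)[0]
                reason = rest.split(": ", 1)[1] if ": " in rest else ""
                ev["failed"].append({"rcpt": rcpt, "router": f.get("R"), "transport": f.get("T"),
                                     "reason": reason,
                                     # host skipped because of earlier failures, not a fresh attempt
                                     "retry_suppressed": "retry time not reached" in reason})
            elif rest.startswith("=> "):                    # successful remote delivery
                rcpt = rest[3:].split(" ", 1)[0]
                ev["delivered"].append({"rcpt": rcpt, "host": f.get("H"),
                                        "tls_verified": f.get("CV") == "yes"})
            elif "SSL verify error" in rest:                # peer certificate could not be verified
                err = rest.split("error=", 1)[1].split(" cert=")[0]
                ev["tls_errors"].append(err)
        return msgs


    def findings(msgs):
        """Turn the grouped events into the points an operator should look at."""
        notes = []
        for qid, ev in msgs.items():
            for fl in ev["failed"]:
                if fl["retry_suppressed"]:
                    notes.append(f"{qid}: {fl['rcpt']} bounced without a new attempt; the "
                                 f"{fl['transport']} host is in the retry database from earlier failures")
                else:
                    notes.append(f"{qid}: {fl['rcpt']} failed via {fl['transport']}: {fl['reason']}")
            if ev["bounce_of"]:
                notes.append(f"{qid}: bounce (DSN) generated for {ev['bounce_of']}")
            if ev["tls_errors"]:
                notes.append(f"{qid}: peer certificate not verified: " + "; ".join(sorted(set(ev["tls_errors"]))))
            for d in ev["delivered"]:
                if not d["tls_verified"]:
                    notes.append(f"{qid}: delivered to {d['host']} over TLS but CV=no (certificate unverified)")
        return notes


    if __name__ == "__main__":
        for note in findings(summarize(SAMPLE_LOG)):
            print(note)
    ```

    The useful signal is the combination: the `**` line says the smarthost was skipped because of the retry database, so after a NAT change the earlier connection failures still decide the outcome until the retry time passes, while the `SSL verify error` lines on the delivery back to Exchange show a TLS session that was established (CV=no) without the peer certificate being validated against a trusted CA.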

  • Sorry for the delay, Sophos doesn't like to put logging here........*SPAM*.
    The KB article fixed the connection problem, but now there is still a problem within the mail protection while trying to send the mail to the upstream smarthost.

    I'll try to post some log here again:

    WHITELIST_D_MACROS: "INPUT"
    TRUSTED_CONFIG_LIST unset
    13589 configuration file is /static/proxy/smtp/exim.conf
    13589 log selectors = fffff7bf ffffffff ffffffff
    13589 LOG: MAIN
    13589 cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    13589 trusted user
    13589 admin user
    13589 LOG: MAIN
    13589 <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
    2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
    13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
    13587 LOG: MAIN
    13587 Completed QT=8s

  • Try dragging and dropping the log file here!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • logfile.txt

  • Hello,

    Thank you for the update. Can you share screenshots of the following paths:
    > Email > General settings > SMTP TLS configurations
    > Certificates > Certificate authorities > Default
     

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • You're great, thank you so much :).
    Here are the screenshots:

  • You're welcome. If it has helped, you can click on the verify button. And it seems the default cert is not filled properly, so I would recommend filling in the cert and saving it!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


  • Great, that's it. Together with the NAT, everything works as it should.

    Thanks again for your patience and help.

  • You're welcome, cheers!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
