Hello,
An XG uses an upstream smarthost to send and receive mail to and from the internet. My problem is that the XG already sends outgoing mail on the right interface, but there is a transfer network towards the smart host which is private and not public, so the upstream smart host knows no route to the IP that the Sophos uses. I have already tried everything with NAT, but nothing seems to work here.
Help :)
Hello Sophos User2126,
Thank you for reaching out to the community. So if I understood it correctly, you have an on-premise smarthost which you want to utilize under Email > General settings > Smarthost settings. If that is the case you can create a DNAT for that on-premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Hi, does this also work for running Sophos itself (the MTA service) over the NAT?
Sure, tcpdump and packet capture can help understand !!
So, the connection is okay now, but it seems there is another issue with mail protection itself, regarding the mail delivery to the upstream smarthost.
In the General config tab I disabled nearly everything that would scan or block something. In the log file I just can't find why the mail is still being bounced.
Trying to send via Outlook from Test.User@internal-test-domain.com TO test@sophos123.com (does not exist)
2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
2022-07-22 11:28:38.770 [13567] [172.30.104.10] F=<Test.User@internal-test-domain.com> R=<test@sophos123.com> Accepted from relay list
2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s id=41bab319d48148699774b976b345b448@internal-test-domain.com T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
MSG Jul 22 11:28:38 [ T_SMTPD-M]: new mail queued, add to inqueue '1oEoxa-0003Wp-Or-D'
2022-07-22 11:28:38.776 [13567] SMTP connection from (DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 closed by QUIT
MSG Jul 22 11:28:39 [ T_SMTPD-W]: Mail assigned to 'MS-4990' for scanning '1oEoxa-0003Wp-Or-D'
MSG Jul 22 11:28:39 [ MS-4990]: scan request 1oEoxa-0003Wp-Or-D
MSG Jul 22 11:28:39 [ MS-4990]: S='Test.User@internal-test-domain.com' R='test@sophos123.com' Subject='test' Size='3414' Status='Mail has been queued for delivery.' src_ip='172.30.104.10' src_port=37190 user_id=0 user_grp_id=0 fw_id=0 src_zone_id=3
MSG Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: [0x8b6ff600] FROM: Test.User@internal-test-domain.com , TO: test@sophos123.com
MSG Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: move '8cFC4L-hj6O7d-wh' to forwarder queue
MSG Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: 8cFC4L-hj6O7d-wh <= Test.User@internal-test-domain.com R=1oEoxa-0003Wp-Or
MSG Jul 22 11:28:39 [ MS-4990]: processing for 1oEoxa-0003Wp-Or completed
MSG Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
MSG Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] mail '1oEoxa-0003Wp-Or-D' processed sucessfully
MSG Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
5000 1 queue-runner process running
13586 queue-runner forking for qrun-delivery
13586 queue-runner forked for qrun-delivery: 13587
13587 postfork: qrun-delivery
13587 locking /sdisk/spool/output//db/retry.lockfile
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 Considering: test@sophos123.com
13587 unique = test@sophos123.com
13587 test@sophos123.com: queued for routing
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 routing test@sophos123.com
13587 --------> router_for_notifications router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13587 router_for_notifications router skipped: condition failure
13587 --------> batv_redirect router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 batv_redirect router skipped: domains mismatch
13587 --------> static_route_hostlist_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13587 static_route_hostlist_for_email router skipped: condition failure
13587 --------> static_route_hostlist router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_hostlist router skipped: domains mismatch
13587 --------> static_route_bymx_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
13587 static_route_bymx_for_email router skipped: condition failure
13587 --------> static_route_bymx router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bymx router skipped: domains mismatch
13587 --------> static_route_bydns_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
13587 static_route_bydns_for_email router skipped: condition failure
13587 --------> static_route_bydns router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bydns router skipped: domains mismatch
13587 --------> smart_host_route router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 checking "condition" "1"...
13587 calling smart_host_route router
13587 smart_host_route router called for test@sophos123.com
13587 domain = sophos123.com
13587 route_item = * "<, 10.0.0.10,"
13587 original list of hosts = '<, 10.0.0.10,' options = ''
13587 expanded list of hosts = '<, 10.0.0.10,' options = ''
13587 set transport smarthost_smtp
13587 finding IP address for 10.0.0.10
13587 calling host_find_byname
13587 queued for smarthost_smtp transport: local_part = test
13587 domain = sophos123.com
13587 errors_to=NULL
13587 domain_data=NULL local_part_data=NULL
13587 routed by smart_host_route router
13587 envelope to: test@sophos123.com
13587 transport: smarthost_smtp
13587 host 10.0.0.10 [10.0.0.10]
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 After routing:
13587 Local deliveries:
13587 Remote deliveries:
13587 test@sophos123.com
13587 Failed addresses:
13587 Deferred addresses:
13587 qrun-delivery forking for transport
13587 qrun-delivery forked for transport: 13588
13588 postfork: transport
13588 T: smarthost_smtp: for test@sophos123.com
13588 locking /sdisk/spool/output//db/retry.lockfile
13588 locking /sdisk/spool/output//db/wait-smarthost_smtp.lockfile
13587 LOG: MAIN
13587 ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
13587 qrun-delivery forking for bounce-message
13587 qrun-delivery forked for bounce-message: 13589
13589 postfork: bounce-message
13589 Exim version 4.94.2 uid=0 gid=0 pid=13589 D=4080000
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dnsdb dsearch ldap ldapdn ldapm pgsql sqlite
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile pipe smtp
Configure owner: 0:0
Size of off_t: 4
Compiler: GCC [7.3.0]
Library version: Glibc: Compile: 2.27 Runtime: 2.27
Library version: BDB: Compile: Berkeley DB 4.7.25: (May 15, 2008) Runtime: Berkeley DB 4.7.25: (May 15, 2008)
Library version: OpenSSL: Compile: OpenSSL 1.0.2u-fips 20 Dec 2019 Runtime: OpenSSL 1.0.2u-fips 20 Dec 2019 : built on: reproducible build, date unspecified
Library version: spf2: Compile: 1.2.10 Runtime: 1.2.10
Library version: PCRE: Compile: 8.43 Runtime: 8.43 2019-02-23
Library version: SQLite: Compile: 3.32.3 Runtime: 3.32.3
WHITELIST_D_MACROS: "INPUT"
TRUSTED_CONFIG_LIST unset
13589 configuration file is /static/proxy/smtp/exim.conf
13589 log selectors = fffff7bf ffffffff ffffffff
13589 LOG: MAIN
13589 cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
13589 trusted user
13589 admin user
13589 LOG: MAIN
13589 <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
13587 LOG: MAIN
13587 Completed QT=8s
2022-07-22 11:28:46.099 [13587] 8cFC4L-hj6O7d-wh Completed QT=8s
13587 >>>>>>>>>>>>>>>> Exim pid=13587 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
5000 1 queue-runner process running
13676 queue-runner forking for qrun-delivery
13676 queue-runner forked for qrun-delivery: 13677
13677 postfork: qrun-delivery
13677 locking /sdisk/spool/output//db/retry.lockfile
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 Considering: Test.User@internal-test-domain.com
13677 unique = Test.User@internal-test-domain.com
13677 Test.User@internal-test-domain.com: queued for routing
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 routing Test.User@internal-test-domain.com
13677 --------> router_for_notifications router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13677 router_for_notifications router skipped: condition failure
13677 --------> batv_redirect router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling batv_redirect router
13677 expanded: ''
13677 file is not a filter file
13677 parse_forward_list:
13677 batv_redirect router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist_for_email router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13677 calling static_route_hostlist_for_email router
13677 static_route_hostlist_for_email router called for Test.User@internal-test-domain.com
13677 domain = internal-test-domain.com
13677 static_route_hostlist_for_email router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling static_route_hostlist router
13677 static_route_hostlist router called for Test.User@internal-test-domain.com
13677 domain = internal-test-domain.com
13677 original list of hosts = '<;172.30.104.10;' options = ''
13677 expanded list of hosts = '<;172.30.104.10;' options = ''
13677 set transport static_smtp
13677 finding IP address for 172.30.104.10
13677 calling host_find_byname
13677 queued for static_smtp transport: local_part = test.user
13677 domain = internal-test-domain.com
13677 errors_to=NULL
13677 domain_data=internal-test-domain.com local_part_data=NULL
13677 routed by static_route_hostlist router
13677 envelope to: Test.User@internal-test-domain.com
13677 transport: static_smtp
13677 host 172.30.104.10 [172.30.104.10]
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 After routing:
13677 Local deliveries:
13677 Remote deliveries:
13677 Test.User@internal-test-domain.com
13677 Failed addresses:
13677 Deferred addresses:
13677 qrun-delivery forking for transport
13677 qrun-delivery forked for transport: 13678
13678 postfork: transport
13678 T: Static_smtp: for test.user@internal-test-domain.com
13678 locking /sdisk/spool/output//db/retry.lockfile
13678 I can not find c7, Not attempting firewall relate
13678 LOG: MAIN
13678 [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
13678 LOG: MAIN
13678 [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
13678 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
13677 LOG: MAIN
13677 => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
13677 LOG: MAIN
13677 Completed QT=15s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t Completed QT=15s
13677 >>>>>>>>>>>>>>>> Exim pid=13677 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
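As an added example (not from this thread and not Sophos code), a small Python parser for Exim main-log lines like the ones posted above: it pulls out the `**` bounce reason, the SSL verify errors and the `CV=` flag on `=>` deliveries, and maps each to an operator hint. The sample lines are copied from the posted log; the hint texts are my reading of the Exim messages, not anything the firewall emits.

```python
import re
# Exim main-log delivery flags handled here: => delivery, ** permanent failure (bounce)
EVENT_RE = re.compile(r"^\S+ \S+ \[\d+\] (?P<msgid>\S+) (?P<flag>=>|\*\*) (?P<addr>\S+)(?P<rest>.*)$")
# whitespace-delimited KEY=value pairs such as F=<sender>, R=router, T=transport, CV=no, C="250 ..."
FIELD_RE = re.compile(r'(?<!\S)(?P<key>[A-Z]{1,2})=(?P<val><[^>]*>|"[^"]*"|\S+)')
# the bounce reason sits between "T=<transport>: " and the optional trailing DT= field
REASON_RE = re.compile(r" T=\S+: (?P<reason>.*?)(?: DT=\S+)?$")
TLS_ERR_RE = re.compile(r"^\S+ \S+ \[\d+\] (?P<msgid>\S+) \[(?P<host>[^\]]+)\] SSL verify error: (?P<detail>.*)$")
HINTS = (  # (substring of the Exim message, what it means for the operator)
    ("have been failing for a long time", "no SMTP connection was attempted: the host's retry record is past "
     "its cutoff, so restore reachability to the smarthost (routing/NAT) and then force a delivery attempt"),
    ("unable to get local issuer certificate", "the peer's certificate chain cannot be built from the trusted "
     "CA store; check the CA / default certificate configuration before trusting this TLS link"),
)

def parse_exim_log(lines):
    """Return (msgid, kind, subject, text) tuples; kind is 'delivery', 'bounce' or 'tls_error'."""
    events = []
    for raw in lines:
        line = raw.strip()
        if tls := TLS_ERR_RE.match(line):
            events.append((tls["msgid"], "tls_error", tls["host"], tls["detail"]))
        elif ev := EVENT_RE.match(line):
            fields = {k: v.strip('<>"').rstrip(":") for k, v in FIELD_RE.findall(ev["rest"])}
            if ev["flag"] == "=>":  # text carries the CV= flag: was the peer certificate verified?
                events.append((ev["msgid"], "delivery", f"{ev['addr']} -> {fields.get('H')}", fields.get("CV", "")))
            else:
                why = REASON_RE.search(ev["rest"])
                events.append((ev["msgid"], "bounce", f"{ev['addr']} via {fields.get('R')}/{fields.get('T')}",
                               why["reason"] if why else ""))
    return events

def diagnose(events):
    """One operator hint per bounce/TLS error matching HINTS, plus one per delivery without CV=yes."""
    hints = []
    for msgid, kind, subject, text in events:
        if kind == "delivery" and text != "yes":
            hints.append((msgid, f"{subject}: delivered with CV={text or '?'}, peer certificate not verified"))
        hints += [(msgid, f"{subject}: {hint}") for pattern, hint in HINTS if pattern in text]
    return hints

# Constructed sample: three entries copied from the debug log posted above (bounce, SSL error, final delivery).
SAMPLE_LOG = [
    "2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> "
    "P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' "
    "have been failing for a long time (and retry time not reached) DT=0.000s",
    "2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001",
    "2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com "
    "<Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 "
    '[172.30.104.10]:25 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" QT=15s DT=0.135s',
]
```

Running `diagnose(parse_exim_log(SAMPLE_LOG))` gives one hint per entry: the bounce was decided from the retry database without a connection attempt, the upstream certificate could not be chained to a trusted CA, and the final delivery went out with the peer certificate unverified.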
Sorry for the delay, Sophos doesn't like logging being posted here........*SPAM*. The KB article fixed the connection problem, but now there is still a problem within the mail protection while trying to send the mail to the upstream smarthost.
I'll try to post some log here again:
WHITELIST_D_MACROS: "INPUT"
TRUSTED_CONFIG_LIST unset
13589 configuration file is /static/proxy/smtp/exim.conf
13589 log selectors = fffff7bf ffffffff ffffffff
13589 LOG: MAIN
13589 cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
13589 trusted user
13589 admin user
13589 LOG: MAIN
13589 <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
13587 LOG: MAIN
13587 Completed QT=8s
Sophos User2126, try dragging and dropping the log file here !!
Hello Sophos User2126,
Thank you for the update, can you share screenshots of the following paths:
> Email > General settings > SMTP TLS configurations
> Certificates > Certificate authorities > Default
You're great, thank you so much :).
Here are the screenshots:
You're welcome Sophos User2126. If it has helped, you can click on the verify button. And it seems the default cert is not filled in properly, so I would recommend filling in the cert and saving it !!
Great, that's it. Together with the NAT everything works as it should.
Thanks again for your patience and help
You're welcome Sophos User2126 Cheers !!