This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Smarthost - Outgoing Interface + NAT

Hello,

an XG uses a smarthost in the upstream to send and receive mails towards the internet.
My problem is that the XG sends outgoing mails already on the right interface, but here is a transfer network towards the smart host, which is private and not public, the upstream smart host knows no route to the IP that the Sophos uses.
I have already tried everything with NAT, but nothing seems to work here.

Help :)

This thread was automatically locked due to age.

Top Replies

Vivek Jagad 4 months ago +1 suggested

Hello Sophos User2126 , Thank you for reaching to community, So if I understood it correct you have an on premise smarthost which you want to utilize under email > general settings > Smarthost settings…

Parents

0 Vivek Jagad 4 months ago

Hello Sophos User2126,

Thank you for reaching to community, So if I understood it correct you have an on premise smarthost which you want to utilize under email > general settings > Smarthost settings. If that is a case you can create a DNAT for that on premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Sophos User2126 4 months ago in reply to Vivek Jagad

Hi,
this also works to run Sophos itself (the MTA service) over the NAT?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sophos User2126

Sure tcpdump, packetcapture can help understand !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

0 Sophos User2126 4 months ago in reply to Vivek Jagad

So, the connection is okay now, but it seems there is another issue with mail-protection itself, according due to the mail delivery to the upstream smarthost.

In the General config tab I disabled nearly anything that would scan or block something. In the log file I just can't find the error why the mail is still bounced now.

Trying to send via Outlook from Test.User@internal-test-domain.com TO test@sophos123.com (does not exist)

2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
2022-07-22 11:28:38.770 [13567] [172.30.104.10] F=<Test.User@internal-test-domain.com> R=<test@sophos123.com> Accepted from relay list
2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s id=41bab319d48148699774b976b345b448@internal-test-domain.com T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
MSG   Jul 22 11:28:38 [ T_SMTPD-M]: new mail queued, add to inqueue '1oEoxa-0003Wp-Or-D'
2022-07-22 11:28:38.776 [13567] SMTP connection from (DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 closed by QUIT
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: Mail assigned to 'MS-4990' for scanning '1oEoxa-0003Wp-Or-D'
MSG   Jul 22 11:28:39 [   MS-4990]: scan request 1oEoxa-0003Wp-Or-D
MSG   Jul 22 11:28:39 [   MS-4990]: S='Test.User@internal-test-domain.com' R='test@sophos123.com' Subject='test' Size='3414' Status='Mail has been queued for delivery.' src_ip='172.30.104.10' src_port=37190 user_id=0 user_grp_id=0 fw_id=0 src_zone_id=3
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: [0x8b6ff600] FROM: Test.User@internal-test-domain.com , TO: test@sophos123.com
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: move '8cFC4L-hj6O7d-wh' to forwarder queue
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: 8cFC4L-hj6O7d-wh <= Test.User@internal-test-domain.com R=1oEoxa-0003Wp-Or
MSG   Jul 22 11:28:39 [   MS-4990]: processing for 1oEoxa-0003Wp-Or completed
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] mail '1oEoxa-0003Wp-Or-D' processed sucessfully
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
 5000 1 queue-runner process running
13586 queue-runner forking for qrun-delivery
13586 queue-runner forked for qrun-delivery: 13587
13587 postfork: qrun-delivery
13587 locking /sdisk/spool/output//db/retry.lockfile
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 Considering: test@sophos123.com
13587 unique = test@sophos123.com
13587 test@sophos123.com: queued for routing
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 routing test@sophos123.com
13587 --------> router_for_notifications router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13587 router_for_notifications router skipped: condition failure
13587 --------> batv_redirect router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 batv_redirect router skipped: domains mismatch
13587 --------> static_route_hostlist_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13587 static_route_hostlist_for_email router skipped: condition failure
13587 --------> static_route_hostlist router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_hostlist router skipped: domains mismatch
13587 --------> static_route_bymx_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
13587 static_route_bymx_for_email router skipped: condition failure
13587 --------> static_route_bymx router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bymx router skipped: domains mismatch
13587 --------> static_route_bydns_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
13587 static_route_bydns_for_email router skipped: condition failure
13587 --------> static_route_bydns router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bydns router skipped: domains mismatch
13587 --------> smart_host_route router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 checking "condition" "1"...
13587 calling smart_host_route router
13587 smart_host_route router called for test@sophos123.com
13587   domain = sophos123.com
13587 route_item = * "<, 10.0.0.10,"
13587 original list of hosts = '<, 10.0.0.10,' options = ''
13587 expanded list of hosts = '<, 10.0.0.10,' options = ''
13587 set transport smarthost_smtp
13587 finding IP address for 10.0.0.10
13587 calling host_find_byname
13587 queued for smarthost_smtp transport: local_part = test
13587 domain = sophos123.com
13587   errors_to=NULL
13587   domain_data=NULL local_part_data=NULL
13587 routed by smart_host_route router
13587   envelope to: test@sophos123.com
13587   transport: smarthost_smtp
13587   host 10.0.0.10 [10.0.0.10]
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 After routing:
13587   Local deliveries:
13587   Remote deliveries:
13587     test@sophos123.com
13587   Failed addresses:
13587   Deferred addresses:
13587 qrun-delivery forking for transport
13587 qrun-delivery forked for transport: 13588
13588 postfork: transport
13588 T: smarthost_smtp: for test@sophos123.com
13588 locking /sdisk/spool/output//db/retry.lockfile
13588 locking /sdisk/spool/output//db/wait-smarthost_smtp.lockfile
13587 LOG: MAIN
13587   ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
13587 qrun-delivery forking for bounce-message
13587 qrun-delivery forked for bounce-message: 13589
13589 postfork: bounce-message
13589 Exim version 4.94.2 uid=0 gid=0 pid=13589 D=4080000
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dnsdb dsearch ldap ldapdn ldapm pgsql sqlite
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile pipe smtp
Configure owner: 0:0
Size of off_t: 4
Compiler: GCC [7.3.0]
Library version: Glibc: Compile: 2.27
                        Runtime: 2.27
Library version: BDB: Compile: Berkeley DB 4.7.25: (May 15, 2008)
                      Runtime: Berkeley DB 4.7.25: (May 15, 2008)
Library version: OpenSSL: Compile: OpenSSL 1.0.2u-fips  20 Dec 2019
                          Runtime: OpenSSL 1.0.2u-fips  20 Dec 2019
                                 : built on: reproducible build, date unspecified
Library version: spf2: Compile: 1.2.10
                       Runtime: 1.2.10
Library version: PCRE: Compile: 8.43
                       Runtime: 8.43 2019-02-23
Library version: SQLite: Compile: 3.32.3
                         Runtime: 3.32.3
WHITELIST_D_MACROS: "INPUT"
TRUSTED_CONFIG_LIST unset
13589 configuration file is /static/proxy/smtp/exim.conf
13589 log selectors = fffff7bf ffffffff ffffffff
13589 LOG: MAIN
13589   cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
13589 trusted user
13589 admin user
13589 LOG: MAIN
13589   <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
13587 LOG: MAIN
13587   Completed QT=8s
2022-07-22 11:28:46.099 [13587] 8cFC4L-hj6O7d-wh Completed QT=8s
13587 >>>>>>>>>>>>>>>> Exim pid=13587 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
 5000 1 queue-runner process running
13676 queue-runner forking for qrun-delivery
13676 queue-runner forked for qrun-delivery: 13677
13677 postfork: qrun-delivery
13677 locking /sdisk/spool/output//db/retry.lockfile
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 Considering: Test.User@internal-test-domain.com
13677 unique = Test.User@internal-test-domain.com
13677 Test.User@internal-test-domain.com: queued for routing
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 routing Test.User@internal-test-domain.com
13677 --------> router_for_notifications router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13677 router_for_notifications router skipped: condition failure
13677 --------> batv_redirect router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling batv_redirect router
13677 expanded: ''
13677 file is not a filter file
13677 parse_forward_list:
13677 batv_redirect router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist_for_email router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13677 calling static_route_hostlist_for_email router
13677 static_route_hostlist_for_email router called for Test.User@internal-test-domain.com
13677   domain = internal-test-domain.com
13677 static_route_hostlist_for_email router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling static_route_hostlist router
13677 static_route_hostlist router called for Test.User@internal-test-domain.com
13677   domain = internal-test-domain.com
13677 original list of hosts = '<;172.30.104.10;' options = ''
13677 expanded list of hosts = '<;172.30.104.10;' options = ''
13677 set transport static_smtp
13677 finding IP address for 172.30.104.10
13677 calling host_find_byname
13677 queued for static_smtp transport: local_part = test.user
13677 domain = internal-test-domain.com
13677   errors_to=NULL
13677   domain_data=internal-test-domain.com local_part_data=NULL
13677 routed by static_route_hostlist router
13677   envelope to: Test.User@internal-test-domain.com
13677   transport: static_smtp
13677   host 172.30.104.10 [172.30.104.10]
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 After routing:
13677   Local deliveries:
13677   Remote deliveries:
13677     Test.User@internal-test-domain.com
13677   Failed addresses:
13677   Deferred addresses:
13677 qrun-delivery forking for transport
13677 qrun-delivery forked for transport: 13678
13678 postfork: transport
13678 T: Static_smtp: for test.user@internal-test-domain.com
13678 locking /sdisk/spool/output//db/retry.lockfile
13678 I can not find c7, Not attempting firewall relate
13678 LOG: MAIN
13678   [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
13678 LOG: MAIN
13678   [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
13678 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
13677 LOG: MAIN
13677   => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
13677 LOG: MAIN
13677   Completed QT=15s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t Completed QT=15s
13677 >>>>>>>>>>>>>>>> Exim pid=13677 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>

0 Sophos User2126 4 months ago in reply to Vivek Jagad

Sorry for the delay, Sophos don't like to put logging here........*SPAM*.
The KB article fixed the connection problem, but now there is a still a problem within the mail protection while try to send the mail to the upstream smarthost.

It try to post some log here again:

WHITELIST_D_MACROS: "INPUT"
TRUSTED_CONFIG_LIST unset
13589 configuration file is /static/proxy/smtp/exim.conf
13589 log selectors = fffff7bf ffffffff ffffffff
13589 LOG: MAIN
13589 cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
13589 trusted user
13589 admin user
13589 LOG: MAIN
13589 <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
13587 LOG: MAIN
13587 Completed QT=8s
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sophos User2126

Sophos User2126 try dragging and dropping the log file here !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

0 Sophos User2126 4 months ago in reply to Vivek Jagad

Fullscreen logfile.txt Download

2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
2022-07-22 11:28:38.770 [13567] [172.30.104.10] F=<Test.User@internal-test-domain.com> R=<test@sophos123.com> Accepted from relay list
2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s id=41bab319d48148699774b976b345b448@internal-test-domain.com T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
MSG   Jul 22 11:28:38 [ T_SMTPD-M]: new mail queued, add to inqueue '1oEoxa-0003Wp-Or-D'
2022-07-22 11:28:38.776 [13567] SMTP connection from (DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 closed by QUIT
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: Mail assigned to 'MS-4990' for scanning '1oEoxa-0003Wp-Or-D'
MSG   Jul 22 11:28:39 [   MS-4990]: scan request 1oEoxa-0003Wp-Or-D
MSG   Jul 22 11:28:39 [   MS-4990]: S='Test.User@internal-test-domain.com' R='test@sophos123.com' Subject='test' Size='3414' Status='Mail has been queued for delivery.' src_ip='172.30.104.10' src_port=37190 user_id=0 user_grp_id=0 fw_id=0 src_zone_id=3
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: [0x8b6ff600] FROM: Test.User@internal-test-domain.com , TO: test@sophos123.com
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: move '8cFC4L-hj6O7d-wh' to forwarder queue
MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: 8cFC4L-hj6O7d-wh <= Test.User@internal-test-domain.com R=1oEoxa-0003Wp-Or
MSG   Jul 22 11:28:39 [   MS-4990]: processing for 1oEoxa-0003Wp-Or completed
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] mail '1oEoxa-0003Wp-Or-D' processed sucessfully
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
 5000 1 queue-runner process running
13586 queue-runner forking for qrun-delivery
13586 queue-runner forked for qrun-delivery: 13587
13587 postfork: qrun-delivery
13587 locking /sdisk/spool/output//db/retry.lockfile
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 Considering: test@sophos123.com
13587 unique = test@sophos123.com
13587 test@sophos123.com: queued for routing
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 routing test@sophos123.com
13587 --------> router_for_notifications router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13587 router_for_notifications router skipped: condition failure
13587 --------> batv_redirect router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 batv_redirect router skipped: domains mismatch
13587 --------> static_route_hostlist_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13587 static_route_hostlist_for_email router skipped: condition failure
13587 --------> static_route_hostlist router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_hostlist router skipped: domains mismatch
13587 --------> static_route_bymx_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
13587 static_route_bymx_for_email router skipped: condition failure
13587 --------> static_route_bymx router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bymx router skipped: domains mismatch
13587 --------> static_route_bydns_for_email router <--------
13587 local_part=test domain=sophos123.com
13587 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
13587 static_route_bydns_for_email router skipped: condition failure
13587 --------> static_route_bydns router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 static_route_bydns router skipped: domains mismatch
13587 --------> smart_host_route router <--------
13587 local_part=test domain=sophos123.com
13587 checking domains
13587 checking "condition" "1"...
13587 calling smart_host_route router
13587 smart_host_route router called for test@sophos123.com
13587   domain = sophos123.com
13587 route_item = * "<, 10.0.0.10,"
13587 original list of hosts = '<, 10.0.0.10,' options = ''
13587 expanded list of hosts = '<, 10.0.0.10,' options = ''
13587 set transport smarthost_smtp
13587 finding IP address for 10.0.0.10
13587 calling host_find_byname
13587 queued for smarthost_smtp transport: local_part = test
13587 domain = sophos123.com
13587   errors_to=NULL
13587   domain_data=NULL local_part_data=NULL
13587 routed by smart_host_route router
13587   envelope to: test@sophos123.com
13587   transport: smarthost_smtp
13587   host 10.0.0.10 [10.0.0.10]
13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13587 After routing:
13587   Local deliveries:
13587   Remote deliveries:
13587     test@sophos123.com
13587   Failed addresses:
13587   Deferred addresses:
13587 qrun-delivery forking for transport
13587 qrun-delivery forked for transport: 13588
13588 postfork: transport
13588 T: smarthost_smtp: for test@sophos123.com
13588 locking /sdisk/spool/output//db/retry.lockfile
13588 locking /sdisk/spool/output//db/wait-smarthost_smtp.lockfile
13587 LOG: MAIN
13587   ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
13587 qrun-delivery forking for bounce-message
13587 qrun-delivery forked for bounce-message: 13589
13589 postfork: bounce-message
13589 Exim version 4.94.2 uid=0 gid=0 pid=13589 D=4080000
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dnsdb dsearch ldap ldapdn ldapm pgsql sqlite
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile pipe smtp
Configure owner: 0:0
Size of off_t: 4
Compiler: GCC [7.3.0]
Library version: Glibc: Compile: 2.27
                        Runtime: 2.27
Library version: BDB: Compile: Berkeley DB 4.7.25: (May 15, 2008)
                      Runtime: Berkeley DB 4.7.25: (May 15, 2008)
Library version: OpenSSL: Compile: OpenSSL 1.0.2u-fips  20 Dec 2019
                          Runtime: OpenSSL 1.0.2u-fips  20 Dec 2019
                                 : built on: reproducible build, date unspecified
Library version: spf2: Compile: 1.2.10
                       Runtime: 1.2.10
Library version: PCRE: Compile: 8.43
                       Runtime: 8.43 2019-02-23
Library version: SQLite: Compile: 3.32.3
                         Runtime: 3.32.3
WHITELIST_D_MACROS: "INPUT"
TRUSTED_CONFIG_LIST unset
13589 configuration file is /static/proxy/smtp/exim.conf
13589 log selectors = fffff7bf ffffffff ffffffff
13589 LOG: MAIN
13589   cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
13589 trusted user
13589 admin user
13589 LOG: MAIN
13589   <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
13587 LOG: MAIN
13587   Completed QT=8s
2022-07-22 11:28:46.099 [13587] 8cFC4L-hj6O7d-wh Completed QT=8s
13587 >>>>>>>>>>>>>>>> Exim pid=13587 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
 5000 1 queue-runner process running
13676 queue-runner forking for qrun-delivery
13676 queue-runner forked for qrun-delivery: 13677
13677 postfork: qrun-delivery
13677 locking /sdisk/spool/output//db/retry.lockfile
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 Considering: Test.User@internal-test-domain.com
13677 unique = Test.User@internal-test-domain.com
13677 Test.User@internal-test-domain.com: queued for routing
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 routing Test.User@internal-test-domain.com
13677 --------> router_for_notifications router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
13677 router_for_notifications router skipped: condition failure
13677 --------> batv_redirect router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling batv_redirect router
13677 expanded: ''
13677 file is not a filter file
13677 parse_forward_list:
13677 batv_redirect router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist_for_email router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
13677 calling static_route_hostlist_for_email router
13677 static_route_hostlist_for_email router called for Test.User@internal-test-domain.com
13677   domain = internal-test-domain.com
13677 static_route_hostlist_for_email router declined for Test.User@internal-test-domain.com
13677 --------> static_route_hostlist router <--------
13677 local_part=test.user domain=internal-test-domain.com
13677 checking domains
13677 calling static_route_hostlist router
13677 static_route_hostlist router called for Test.User@internal-test-domain.com
13677   domain = internal-test-domain.com
13677 original list of hosts = '<;172.30.104.10;' options = ''
13677 expanded list of hosts = '<;172.30.104.10;' options = ''
13677 set transport static_smtp
13677 finding IP address for 172.30.104.10
13677 calling host_find_byname
13677 queued for static_smtp transport: local_part = test.user
13677 domain = internal-test-domain.com
13677   errors_to=NULL
13677   domain_data=internal-test-domain.com local_part_data=NULL
13677 routed by static_route_hostlist router
13677   envelope to: Test.User@internal-test-domain.com
13677   transport: static_smtp
13677   host 172.30.104.10 [172.30.104.10]
13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
13677 After routing:
13677   Local deliveries:
13677   Remote deliveries:
13677     Test.User@internal-test-domain.com
13677   Failed addresses:
13677   Deferred addresses:
13677 qrun-delivery forking for transport
13677 qrun-delivery forked for transport: 13678
13678 postfork: transport
13678 T: Static_smtp: for test.user@internal-test-domain.com
13678 locking /sdisk/spool/output//db/retry.lockfile
13678 I can not find c7, Not attempting firewall relate
13678 LOG: MAIN
13678   [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
13678 LOG: MAIN
13678   [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
13678 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
13677 LOG: MAIN
13677   => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
13677 LOG: MAIN
13677   Completed QT=15s
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t Completed QT=15s
13677 >>>>>>>>>>>>>>>> Exim pid=13677 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>

+1 Vivek Jagad 4 months ago in reply to Sophos User2126

Hello Sophos User2126,

Thank you for the update, can you share the screenshot of the following path:
> Email > General settings > SMTP TLS configurations
> Certificates > Certificate authorities > Default

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Sophos User2126 4 months ago in reply to Vivek Jagad

You're great, thank you so much :).
Here are the screenshots:
Cancel
Vote Up 0 Vote Down

Cancel
+1 Vivek Jagad 4 months ago in reply to Sophos User2126

You're welcome Sophos User2126, If it has helped you can click on verify button. And it seems the default cert is not filled properly, so would recommend fill the cert and save it !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Sophos User2126 4 months ago in reply to Vivek Jagad

Great, that's it. together with the NAT everything works as it should.

Thanks again for your patience and help
Cancel
Vote Up +1 Vote Down

Cancel
0 Vivek Jagad 4 months ago in reply to Sophos User2126

You're welcome Sophos User2126 Cheers !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vivek Jagad 4 months ago in reply to Sophos User2126

You're welcome Sophos User2126 Cheers !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data