Sophos Smarthost - Outgoing Interface + NAT

Hello,

An XG uses an upstream smarthost to send and receive mail to and from the internet.
My problem is that the XG already sends outgoing mail on the right interface, but there is a transfer network towards the smarthost which is private, not public, so the upstream smarthost knows no route to the IP that the Sophos uses.
I have already tried everything with NAT, but nothing seems to work here.

Help :)



Added TAGs [edited by: emmosophos at 6:43 PM (GMT -7) on 18 Jul 2022]

  • Hello,

    Thank you for reaching out to the community. So if I understood it correctly, you have an on-premise smarthost which you want to utilize under Email > General settings > Smarthost settings. If that is the case, you can create a DNAT for that on-premise server: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi,
    does this also work to run Sophos itself (the MTA service) over the NAT?

  • Sure, tcpdump and packet capture can help understand it!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • So, the connection is okay now, but it seems there is another issue with mail protection itself, regarding the mail delivery to the upstream smarthost.

    In the General config tab I disabled nearly everything that would scan or block something. In the log file I just can't find the reason why the mail is still bounced.

    Trying to send via Outlook from Test.User@internal-test-domain.com TO test@sophos123.com (does not exist):

    2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
    2022-07-22 11:28:38.770 [13567] [172.30.104.10] F=<Test.User@internal-test-domain.com> R=<test@sophos123.com> Accepted from relay list
    2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s id=41bab319d48148699774b976b345b448@internal-test-domain.com T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
    MSG   Jul 22 11:28:38 [ T_SMTPD-M]: new mail queued, add to inqueue '1oEoxa-0003Wp-Or-D'
    2022-07-22 11:28:38.776 [13567] SMTP connection from (DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 closed by QUIT
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: Mail assigned to 'MS-4990' for scanning '1oEoxa-0003Wp-Or-D'
    MSG   Jul 22 11:28:39 [   MS-4990]: scan request 1oEoxa-0003Wp-Or-D
    MSG   Jul 22 11:28:39 [   MS-4990]: S='Test.User@internal-test-domain.com' R='test@sophos123.com' Subject='test' Size='3414' Status='Mail has been queued for delivery.' src_ip='172.30.104.10' src_port=37190 user_id=0 user_grp_id=0 fw_id=0 src_zone_id=3
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: [0x8b6ff600] FROM: Test.User@internal-test-domain.com , TO: test@sophos123.com
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: move '8cFC4L-hj6O7d-wh' to forwarder queue
    MSG   Jul 22 11:28:39 [1oEoxa-0003Wp-Or]: 8cFC4L-hj6O7d-wh <= Test.User@internal-test-domain.com R=1oEoxa-0003Wp-Or
    MSG   Jul 22 11:28:39 [   MS-4990]: processing for 1oEoxa-0003Wp-Or completed
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] read returned 8 bytes
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] mail '1oEoxa-0003Wp-Or-D' processed sucessfully
    MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
     5000 1 queue-runner process running
    13586 queue-runner forking for qrun-delivery
    13586 queue-runner forked for qrun-delivery: 13587
    13587 postfork: qrun-delivery
    13587 locking /sdisk/spool/output//db/retry.lockfile
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 Considering: test@sophos123.com
    13587 unique = test@sophos123.com
    13587 test@sophos123.com: queued for routing
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 routing test@sophos123.com
    13587 --------> router_for_notifications router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    13587 router_for_notifications router skipped: condition failure
    13587 --------> batv_redirect router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 batv_redirect router skipped: domains mismatch
    13587 --------> static_route_hostlist_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    13587 static_route_hostlist_for_email router skipped: condition failure
    13587 --------> static_route_hostlist router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_hostlist router skipped: domains mismatch
    13587 --------> static_route_bymx_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
    13587 static_route_bymx_for_email router skipped: condition failure
    13587 --------> static_route_bymx router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_bymx router skipped: domains mismatch
    13587 --------> static_route_bydns_for_email router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
    13587 static_route_bydns_for_email router skipped: condition failure
    13587 --------> static_route_bydns router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 static_route_bydns router skipped: domains mismatch
    13587 --------> smart_host_route router <--------
    13587 local_part=test domain=sophos123.com
    13587 checking domains
    13587 checking "condition" "1"...
    13587 calling smart_host_route router
    13587 smart_host_route router called for test@sophos123.com
    13587   domain = sophos123.com
    13587 route_item = * "<, 10.0.0.10,"
    13587 original list of hosts = '<, 10.0.0.10,' options = ''
    13587 expanded list of hosts = '<, 10.0.0.10,' options = ''
    13587 set transport smarthost_smtp
    13587 finding IP address for 10.0.0.10
    13587 calling host_find_byname
    13587 queued for smarthost_smtp transport: local_part = test
    13587 domain = sophos123.com
    13587   errors_to=NULL
    13587   domain_data=NULL local_part_data=NULL
    13587 routed by smart_host_route router
    13587   envelope to: test@sophos123.com
    13587   transport: smarthost_smtp
    13587   host 10.0.0.10 [10.0.0.10]
    13587 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13587 After routing:
    13587   Local deliveries:
    13587   Remote deliveries:
    13587     test@sophos123.com
    13587   Failed addresses:
    13587   Deferred addresses:
    13587 qrun-delivery forking for transport
    13587 qrun-delivery forked for transport: 13588
    13588 postfork: transport
    13588 T: smarthost_smtp: for test@sophos123.com
    13588 locking /sdisk/spool/output//db/retry.lockfile
    13588 locking /sdisk/spool/output//db/wait-smarthost_smtp.lockfile
    13587 LOG: MAIN
    13587   ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
    2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
    13587 qrun-delivery forking for bounce-message
    13587 qrun-delivery forked for bounce-message: 13589
    13589 postfork: bounce-message
    13589 Exim version 4.94.2 uid=0 gid=0 pid=13589 D=4080000
    Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF TCP_Fast_Open
    Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dnsdb dsearch ldap ldapdn ldapm pgsql sqlite
    Authenticators: cram_md5 plaintext
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile pipe smtp
    Configure owner: 0:0
    Size of off_t: 4
    Compiler: GCC [7.3.0]
    Library version: Glibc: Compile: 2.27
                            Runtime: 2.27
    Library version: BDB: Compile: Berkeley DB 4.7.25: (May 15, 2008)
                          Runtime: Berkeley DB 4.7.25: (May 15, 2008)
    Library version: OpenSSL: Compile: OpenSSL 1.0.2u-fips  20 Dec 2019
                              Runtime: OpenSSL 1.0.2u-fips  20 Dec 2019
                                     : built on: reproducible build, date unspecified
    Library version: spf2: Compile: 1.2.10
                           Runtime: 1.2.10
    Library version: PCRE: Compile: 8.43
                           Runtime: 8.43 2019-02-23
    Library version: SQLite: Compile: 3.32.3
                             Runtime: 3.32.3
    WHITELIST_D_MACROS: "INPUT"
    TRUSTED_CONFIG_LIST unset
    13589 configuration file is /static/proxy/smtp/exim.conf
    13589 log selectors = fffff7bf ffffffff ffffffff
    13589 LOG: MAIN
    13589   cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    13589 trusted user
    13589 admin user
    13589 LOG: MAIN
    13589   <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
    2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
    13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
    13587 LOG: MAIN
    13587   Completed QT=8s
    2022-07-22 11:28:46.099 [13587] 8cFC4L-hj6O7d-wh Completed QT=8s
    13587 >>>>>>>>>>>>>>>> Exim pid=13587 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
     5000 1 queue-runner process running
    13676 queue-runner forking for qrun-delivery
    13676 queue-runner forked for qrun-delivery: 13677
    13677 postfork: qrun-delivery
    13677 locking /sdisk/spool/output//db/retry.lockfile
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 Considering: Test.User@internal-test-domain.com
    13677 unique = Test.User@internal-test-domain.com
    13677 Test.User@internal-test-domain.com: queued for routing
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 routing Test.User@internal-test-domain.com
    13677 --------> router_for_notifications router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking "condition" "${if and{{bool_lax{0}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
    13677 router_for_notifications router skipped: condition failure
    13677 --------> batv_redirect router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking domains
    13677 calling batv_redirect router
    13677 expanded: ''
    13677 file is not a filter file
    13677 parse_forward_list:
    13677 batv_redirect router declined for Test.User@internal-test-domain.com
    13677 --------> static_route_hostlist_for_email router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
    13677 calling static_route_hostlist_for_email router
    13677 static_route_hostlist_for_email router called for Test.User@internal-test-domain.com
    13677   domain = internal-test-domain.com
    13677 static_route_hostlist_for_email router declined for Test.User@internal-test-domain.com
    13677 --------> static_route_hostlist router <--------
    13677 local_part=test.user domain=internal-test-domain.com
    13677 checking domains
    13677 calling static_route_hostlist router
    13677 static_route_hostlist router called for Test.User@internal-test-domain.com
    13677   domain = internal-test-domain.com
    13677 original list of hosts = '<;172.30.104.10;' options = ''
    13677 expanded list of hosts = '<;172.30.104.10;' options = ''
    13677 set transport static_smtp
    13677 finding IP address for 172.30.104.10
    13677 calling host_find_byname
    13677 queued for static_smtp transport: local_part = test.user
    13677 domain = internal-test-domain.com
    13677   errors_to=NULL
    13677   domain_data=internal-test-domain.com local_part_data=NULL
    13677 routed by static_route_hostlist router
    13677   envelope to: Test.User@internal-test-domain.com
    13677   transport: static_smtp
    13677   host 172.30.104.10 [172.30.104.10]
    13677 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    13677 After routing:
    13677   Local deliveries:
    13677   Remote deliveries:
    13677     Test.User@internal-test-domain.com
    13677   Failed addresses:
    13677   Deferred addresses:
    13677 qrun-delivery forking for transport
    13677 qrun-delivery forked for transport: 13678
    13678 postfork: transport
    13678 T: Static_smtp: for test.user@internal-test-domain.com
    13678 locking /sdisk/spool/output//db/retry.lockfile
    13678 I can not find c7, Not attempting firewall relate
    13678 LOG: MAIN
    13678   [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
    2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
    13678 LOG: MAIN
    13678   [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
    2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=DE43940XX00001
    13678 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
    13677 LOG: MAIN
    13677   => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
    2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" L C="250 2.6.0 <E1oEoxi-0003XB-2t@Sophos> [InternalId=11544872091660, Hostname=DE43940XX00001.reimers.zeuscloud.de] 6266 bytes in 0.102, 59,634 KB/sec Queued mail for delivery" QT=15s DT=0.135s
    13677 LOG: MAIN
    13677   Completed QT=15s
    2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t Completed QT=15s
    13677 >>>>>>>>>>>>>>>> Exim pid=13677 (qrun-delivery) terminating with rc=0 >>>>>>>>>>>>>>>>
    

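As an added example (not code from the thread, from Sophos, or from Exim itself), here is a small Python parser for Exim main-log lines of the kind shown in the post above. It pulls out the router, transport and failure reason of each delivery event, flags the retry-database bounce ("all hosts ... have been failing for a long time" with DT=0.000s, meaning no connection to the smarthost was even attempted in that queue run) and surfaces the TLS findings (SSL verify errors, and deliveries that completed over TLS but with CV=no, i.e. the peer certificate was not verified). The sample lines are abbreviated copies of the log in the post; the regexes, field names and function names are my own assumptions, not an Exim API.

```python
"""Classify Exim main-log lines into delivery events and security-relevant findings."""
import re
from collections import Counter

# Exim message ids are three base-62 groups: 6-6-2 characters (e.g. 1oEoxa-0003Wp-Or).
MSGID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<pid>\d+)\] "
    rf"(?:(?P<msgid>{MSGID}) )?(?P<rest>.*)$"
)
# Standard Exim log flags: <= received, => / -> delivered, ** failed (bounced), == deferred.
FLAG_RE = re.compile(r"^(?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+) ?(?P<tail>.*)$")
FLAGS = {"<=": "received", "=>": "delivered", "->": "delivered", "**": "failed", "==": "deferred"}
# KEY=value items: quoted ("..."), angle-bracketed (<...>) or a bare token.
KV_RE = re.compile(r'(?<!\S)([A-Z]{1,3}\*?)=(?:"([^"]*)"|<([^>]*)>|(\S+))')
SSL_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\] SSL verify error: depth=(?P<depth>\d+) "
    r"error=(?P<error>.+?) cert=(?P<cert>\S+)$"
)
# Failure reason follows "T=<transport>: " and may be trailed by a DT=... timing item.
REASON_RE = re.compile(r"T=[^\s:]+: (?P<reason>.*?)(?: DT=\S+)?$")


def _kv(text):
    """Return the KEY=value items of a log line as a dict (T= loses its trailing colon)."""
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    if "T" in out:
        out["T"] = out["T"].rstrip(":")
    return out


def parse_line(line):
    """Parse one timestamped main-log line; debug/MSG lines without a timestamp give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "pid": int(m["pid"]), "msgid": m["msgid"]}
    rest = m["rest"]
    s = SSL_RE.match(rest)
    if s:
        ev.update(kind="ssl_verify_error", host=s["host"], depth=int(s["depth"]),
                  error=s["error"], cert=s["cert"])
        return ev
    f = FLAG_RE.match(rest)
    if not f:
        ev.update(kind="other", text=rest)
        return ev
    ev.update(kind=FLAGS[f["flag"]], addr=f["addr"], fields=_kv(f["tail"]))
    if ev["kind"] in ("failed", "deferred"):
        r = REASON_RE.search(f["tail"])
        ev["reason"] = r["reason"] if r else f["tail"]
        # Retry database says the host is failing: Exim bounces without connecting at all.
        ev["retry_suppressed"] = "have been failing for a long time" in ev["reason"]
    if ev["kind"] == "delivered":
        # X= means TLS was used; CV=no means the peer certificate was not verified.
        ev["tls_unverified"] = "X" in ev["fields"] and ev["fields"].get("CV") == "no"
    return ev


def analyze(log_text):
    """Parse a whole log and return event counts plus human-readable findings."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for e in events:
        if e["kind"] == "failed" and e.get("retry_suppressed"):
            findings.append(f"{e['msgid']}: {e['addr']} bounced with no connection attempt; "
                            f"retry database marks hosts of transport {e['fields'].get('T')} as failing")
        elif e["kind"] == "ssl_verify_error":
            findings.append(f"{e['msgid']}: certificate from {e['host']} not verifiable "
                            f"({e['error']}) cert={e['cert']}")
        elif e["kind"] == "delivered" and e.get("tls_unverified"):
            findings.append(f"{e['msgid']}: delivered to {e['fields'].get('H')} over TLS "
                            f"but certificate NOT verified (CV=no)")
    return {"counts": dict(Counter(e["kind"] for e in events)), "findings": findings, "events": events}


# Sample input: abbreviated copies of lines from the log posted in the thread.
SAMPLE_LOG = """\
2022-07-22 11:28:38.735 [5001] SMTP connection from [172.30.104.10]:37190 I=[172.30.104.1]:25 (TCP/IP connection count = 1)
2022-07-22 11:28:38.775 [13567] 1oEoxa-0003Wp-Or <= Test.User@internal-test-domain.com H=(DE43940XX00001.reimers.zeuscloud.de) [172.30.104.10]:37190 I=[172.30.104.1]:25 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3414 M8S=0 RT=0.002s T="test" from <Test.User@internal-test-domain.com> for test@sophos123.com
MSG   Jul 22 11:28:39 [ T_SMTPD-W]: [SMTPD] smtpd read blocked
2022-07-22 11:28:46.079 [13587] 8cFC4L-hj6O7d-wh ** test@sophos123.com F=<Test.User@internal-test-domain.com> P=<Test.User@internal-test-domain.com> R=smart_host_route T=smarthost_smtp: all hosts for 'sophos123.com' have been failing for a long time (and retry time not reached) DT=0.000s
2022-07-22 11:29:01.085 [13678] 1oEoxi-0003XB-2t [172.30.104.10] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=DE43940XX00001
2022-07-22 11:29:01.296 [13677] 1oEoxi-0003XB-2t => test.user@internal-test-domain.com <Test.User@internal-test-domain.com> F=<> P=<> R=static_route_hostlist T=static_smtp S=4824 H=172.30.104.10 [172.30.104.10]:25 I=[172.30.104.1]:54352 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=DE43940XX00001" C="250 2.6.0 Queued mail for delivery" QT=15s DT=0.135s
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["counts"])
    for line in result["findings"]:
        print("-", line)
```

The retry-suppressed finding is the one that matters for the question in this thread: a bounce with DT=0.000s and that reason text is Exim's retry database refusing to try the smarthost again after earlier failures, so the underlying cause (here the unroutable transfer network) has to be fixed and the retry interval allowed to pass before a queue run will connect again. The CV=no and SSL-verify findings are the certificate-chain problem addressed later in the thread.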
  • Sorry for the delay, Sophos doesn't like me putting logs here........ *SPAM*.
    The KB article fixed the connection problem, but now there is still a problem within the mail protection while trying to send the mail to the upstream smarthost.

    I'll try to post some log here again:

    WHITELIST_D_MACROS: "INPUT"
    TRUSTED_CONFIG_LIST unset
    13589 configuration file is /static/proxy/smtp/exim.conf
    13589 log selectors = fffff7bf ffffffff ffffffff
    13589 LOG: MAIN
    13589 cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    2022-07-22 11:28:46.086 [13589] cwd=/var/spool/output 10 args: /bin/exim -d=0x4080000 -MCd bounce-message -t -oem -oi -f <> -E8cFC4L-hj6O7d-wh
    13589 trusted user
    13589 admin user
    13589 LOG: MAIN
    13589 <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender"
    2022-07-22 11:28:46.096 [13589] 1oEoxi-0003XB-2t <= <> R=8cFC4L-hj6O7d-wh U=root P=local S=4682 M8S=0 RT=0.004s id*=E1oEoxi-0003XB-2t@Sophos T="Mail delivery failed: returning message to sender" from <> for Test.User@internal-test-domain.com
    13589 >>>>>>>>>>>>>>>> Exim pid=13589 (bounce-message) terminating with rc=0 >>>>>>>>>>>>>>>>
    13587 LOG: MAIN
    13587 Completed QT=8s

  • Try dragging and dropping the log file here!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • logfile.txt

  • Hello,

    Thank you for the update. Can you share screenshots of the following paths:
    > Email > General settings > SMTP TLS configurations
    > Certificates > Certificate authorities > Default

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • You're great, thank you so much :).
    Here are the screenshots:

  • You're welcome. If it has helped, you can click on the verify button. And it seems the default cert is not filled in properly, so I would recommend filling in the cert and saving it!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • Great, that's it. Together with the NAT, everything works as it should.

    Thanks again for your patience and help.

  • You're welcome. Cheers!!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

