Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: v20.0 MR1: Feedback and experiences

Release Post:  Sophos Firewall OS v20 MR1 is Now Available 

The old V20.0 GA Post:  Sophos Firewall: v20.0 GA: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 

Important Note on EOL Sophos RED Support:

The legacy EOL RED 15, RED 15w, and RED 50 are not supported in v20 MR1. Customers using these devices should upgrade to SD-RED or a smaller XGS appliance before upgrading to MR1 to maintain connectivity. See the following article for details: Sophos RED: End-of-life of RED 15/15(w) and RED 50



Prio Change
[bearbeitet von: LuCar Toni um 4:40 PM (GMT -7) am 23 Sep 2024]
Parents
  • We are seeing issues with 20.0 MR1 with Antispam/RBL exceptions. Spamcop recently have added a large number of Microsoft Outlook servers to their blocklist. I thought it would be as easy as adding a wildcard FQDN "*.protection.outlook.com" to skip RBL/Antispam under exceptions, however we are still seeing rejections and in the smtpd_main.log:

    "Rejected: sender IP is RBL listed"
    and
    "Sophos Anti Spam Engine has blocked this Email because the sender IP Address is blacklisted."

    It seems that even though the wildcard "*.protection.outlook.com" resolves to IPs in the range of 40.107.0.0/16 for example, those IP's are still detected as on RBL and the RBL/Antispam exception is not working

    It is not possible to add an entire range of IP's as exceptions in SFOS, only wildcards or individual host IP's and the MIcrosoft ranges are too large to do individually and it seems the wildcard does not work.

    Are we expected to just stop using Spamcop under Premium RBL or is there a fix?

  • Hi  ,

    20.0 MR1 doesn't have changes in the SMTP exception handling area, but we're trying to reproduce the issue of wildcard FQDNs.

    It's worth to mention that in 20.0 MR2 we extend the network objects we support in SMTP exceptions with IP ranges/lists and networks.

    To prevent those legitimate messages from being blocked, you can remove "Premium RBL Services" from the "Reject based on RBL" list for now.

  • Hi  ,

    it seems you experience a knows issue that we track about wildcard domains not working in SMTP exceptions.

    Please upgrade to 20.0 MR2 when it's released, where we'll support adding IP ranges to SMTP exceptions.

    Until then, you can remove "Premium RBL Services" from the "Reject based on RBL" list.

  • Thanks Janos for the reply and letting me know about the known issue with wildcards, we have disabled the Premium RBL with Spamcop and will wait for MR2 for a better resolution.

    In the meantime, is there any replacement RBL besides Spamcop that you can recommend that works with SFOS?

Reply Children
No Data