Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Subscribers 41 subscribers
  • Views 1529 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mails not more delivered (MTA-Mode). After service smtpd:restart mails successfully delivered, but also very old from February/March/April

Erik Wi

Hi there,

we had a very interesting problem with our Sophos-Firewall and the mailflow on Wednesday.

  1. On 2024-06-26 around 08:00am (UTC+2) no more mails were delivered via our Firewall.
  2. All mails were visible in the GUI under "Mail logs", but only "Temporarily Rejected Greylisted". An initial rejection is a normal behavior.
  3. In the GUI under "Mail spool" we only saw 6 mails from shortley 08:00am, but there should have been hundreds. Adjusting the date filter was also unsuccessful.
  4. After running the command "service smtpd:restart -ds nosync" the following happened:
    a. 170 pages of 20 mails could be seen in the spooler!
    b. Employees reported that mails from February, March, April etc. were delivered.

We:

  • a. use the version: XG430_WP02_SFOS 20.0.0 GA-Build222.
  • b. use the MTA mode.
  • c. had no CPU/RAM/disk workload.
  • d. could not see any failed pattern updates.
  • e. did not see any services in the GUI with a problem status.
  • checked smtpd_error.log and smtpd_panic.log, but both are empty.

Attached a snipped from the logs, shortly before and after the problem occurred.

	Line 312083: MSG   Jun 26 06:04:35Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlj-0003RQ-2M-D'
	Line 312087: MSG   Jun 26 06:04:35Z [  MS-10567]: S='noreply-***@***.com' R='AMR@***.DE' Subject='DMAN:XA83561-660' Size='9204' Status='Mail has been queued for delivery.' src_ip='10.**.**.**' src_port=52912 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=5
	Line 312093: MSG   Jun 26 06:04:35Z [1sMLlj-0003RJ-0f]: move 'iJ6tOb-VHCZxe-VL' to forwarder queue
	Line 312101: MSG   Jun 26 06:04:35Z [  MS-10567]: S='noreply-***@***.com' R='AMR@***.DE' Subject='DMAN:XA83561-670' Size='9332' Status='Mail has been queued for delivery.' src_ip='10.**.**.**' src_port=52922 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=5
	Line 312107: MSG   Jun 26 06:04:35Z [1sMLlj-0003RQ-2M]: move 'yg4VHO-ulQeua-oG' to forwarder queue
	Line 312116: MSG   Jun 26 06:04:36Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlk-0003Rf-0v-D'
	Line 312121: MSG   Jun 26 06:04:36Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlk-0003Rm-2g-D'
	Line 312125: MSG   Jun 26 06:04:36Z [  MS-10567]: S='noreply-***@***.com' R='AMR@***.DE' Subject='DMAN:XA83561-680' Size='9460' Status='Mail has been queued for delivery.' src_ip='10.**.**.**' src_port=52924 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=5
	Line 312131: MSG   Jun 26 06:04:37Z [1sMLlk-0003Rf-0v]: move 'eLRyTE-2s6PAH-Z5' to forwarder queue
	Line 312139: MSG   Jun 26 06:04:37Z [  MS-10567]: S='noreply-***@***.com' R='AMR@***.DE' Subject='DMAN:XA83561-690' Size='9588' Status='Mail has been queued for delivery.' src_ip='10.**.**.**' src_port=52934 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=5
	Line 312143: MSG   Jun 26 06:04:37Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLll-0003Rr-1B-D'
	Line 312145: 14856 1 queue-runner process running
	Line 312176: MSG   Jun 26 06:04:37Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLll-0003S7-2w-D'
	Line 312226: MSG   Jun 26 06:04:38Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlm-0003Sr-1R-D'
	Line 312267: MSG   Jun 26 06:04:39Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlm-0003Tg-3D-D'
	Line 312272: MSG   Jun 26 06:04:39Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLln-0003Ty-1q-D'
	Line 312277: MSG   Jun 26 06:04:40Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlo-0003Uq-0P-D'
	Line 312282: MSG   Jun 26 06:04:40Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlo-0003VG-2A-D'
	Line 312326: MSG   Jun 26 06:04:41Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlp-0003Vi-0k-D'
	Line 312337: MSG   Jun 26 06:04:41Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlp-0003WH-2R-D'
	Line 312342: MSG   Jun 26 06:04:42Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlq-0003WL-0w-D'
	Line 312347: MSG   Jun 26 06:04:42Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlq-0003WX-2g-D'
	Line 312352: MSG   Jun 26 06:04:43Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlr-0003Wi-1F-D'
	Line 312357: MSG   Jun 26 06:04:44Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlr-0003Wy-3C-D'
	Line 312362: MSG   Jun 26 06:04:44Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLls-0003X5-1i-D'
	Line 312367: MSG   Jun 26 06:04:45Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlt-0003XD-07-D'
	Line 312372: MSG   Jun 26 06:04:45Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlt-0003XG-1n-D'
	Line 312377: MSG   Jun 26 06:04:46Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlu-0003XL-0G-D'
	Line 312382: MSG   Jun 26 06:04:46Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlu-0003Xe-1z-D'
	Line 312387: MSG   Jun 26 06:04:47Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlv-0003Xh-0S-D'
	Line 312392: MSG   Jun 26 06:04:47Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlv-0003Xk-28-D'
	Line 312397: MSG   Jun 26 06:04:48Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlw-0003Xm-0g-D'
	Line 312402: MSG   Jun 26 06:04:48Z [ T_SMTPD-M]: new mail queued, add to inqueue '1sMLlw-0003YK-2P-D'

It looks like a not passed spam check (like RBL, Greylisting, SPF, 0Day...). Where are the failed mails stored, /var/spool/input or output/?

How can we avoid this in future, where emails get stuck for months and are not visible in the GUI in the spooler?

Is it possible to send external commands to monitor the mail queue (like exim -bp)?

Best regards and thanks a lot!

Erik



This thread was automatically locked due to age.
  • 0

    Did you use a Cluster? Because both appliances have their own mail queues. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    We use the HA-Mode (Active-Passive). The same node was active before and after SMTP restart.

  • 0 in reply to Erik Wi

    I am just wondering, if your email, you got, were something stock on the previous AUX appliance and you did a takeover. 

    Btw: If you restart the SMTP services, it will inject the mails from the folder in the spooler back to the service. But why there are so many emails stuck in the email, i cannot say. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi LuCar Tono,

    please excuse the late reply. Mail notifications were deactivated. The theory that both firewalls have their own queue and that the SMTP restart retrieved/transferred mail from the other firewall sounds interesting. But we install the updates very soon, so that both firewalls restart, which should also be similar to an SMTP:Restart?

  • 0 in reply to Erik Wi

    A firmware update indeed is an restart of the service and will try to release emails again. 

    It is hard to guess from the inputs here, what happened in the past: My best guess is the spooler had some emails in the queue, which got injected back to the queue. 

    As we do not have this situation active anymore, it is impossible to tell, where those emails came from. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hi,

    from time to time I check the folder "\var\spool\*, as well as the "Mail spool" in the GUI, with an older date entry. So far I have not been able to detect any stuck emails. Thanks for your ideas, I will close the post.

Unfiltered HTML