
Mailtransfer doesn't work (legacy mode)

Hello,

I need support with configuring mail traffic (SMTP) from external via noSpamProxy (DMZ) to the internal Exchange (LAN) and back again.

I have largely followed the Sophos instructions "Protect internal mail server in legacy mode" (https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailProtectInternalMailServerLegacyMode/index.html), but the mail flow doesn't really work - sometimes mails arrive from external sources, sometimes not... (e.g. when I have recreated the firewall and NAT rules). The same goes for mails from internal to external sources - it works like a bag of fleas - completely uncontrolled.

The following configuration:

WAN: Public IP
DMZ: noSpamProxy (10.0.1.10)
LAN: Exchange (192.168.200.15)

My settings on the Sophos XGS (20.0.2 MR-2 Build 378) are as follows:

Firewall rules

Otherwise, the other properties of the firewall rules remain unaffected; in particular, neither DPI nor “Scan SMTP(s)” is activated.

NAT rules

The queues at noSpamProxy report: “The email server 192.168.200.15:25 refused the connection” (email server = internal Exchange server).
The properties of the corresponding Receive connector (on the Exchange server) are configured as follows:
The properties of the Send-Connector:
 
Thanks for reading and for supporting!
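A diagnostic for the one hop noSpamProxy reports as refused (DMZ 10.0.1.10 to Exchange 192.168.200.15:25), added here as an example and not part of the original thread. It assumes noSpamProxy runs on Windows (part 1) and that part 2 is run in the Exchange Management Shell; the addresses are the ones posted above.

```powershell
# Added diagnostic (not from the thread). Addresses are the ones posted above.
$Exchange = '192.168.200.15'   # internal Exchange server (LAN)
$ProxyIp  = '10.0.1.10'        # noSpamProxy (DMZ)

# 1) Run on the noSpamProxy host: does TCP 25 to Exchange open at all?
#    Ping OK but TcpOpen false points at the DMZ->LAN firewall rule or at
#    the Exchange listener / host firewall, not at routing. No NAT is
#    involved on this hop, so a reflexive NAT rule cannot fix it.
$t = Test-NetConnection -ComputerName $Exchange -Port 25 -InformationLevel Detailed
[pscustomobject]@{
    Target        = "${Exchange}:25"
    Ping          = $t.PingSucceeded
    TcpOpen       = $t.TcpTestSucceeded
    SourceAddress = $t.SourceAddress.IPAddress   # should be the DMZ address
}

# 2) Run in the Exchange Management Shell: is an enabled Receive connector
#    bound to port 25 on an address the proxy reaches, and do its
#    RemoteIPRanges cover the proxy? "Connection refused" means no listener
#    accepted the TCP connection, not an SMTP-level (5xx) rejection.
Get-ReceiveConnector | ForEach-Object {
    $bindings = $_.Bindings       | ForEach-Object { $_.ToString() }  # e.g. 0.0.0.0:25
    $ranges   = $_.RemoteIPRanges | ForEach-Object { $_.ToString() }
    [pscustomobject]@{
        Connector      = $_.Identity
        Enabled        = $_.Enabled
        ListensOn25    = [bool]($bindings -match ':25$')
        Bindings       = $bindings -join ', '
        RemoteIPRanges = $ranges -join ', '   # must include $ProxyIp
    }
} | Format-Table -AutoSize
```

If part 1 succeeds from the proxy but mail still stalls, the problem is on another hop (WAN DNAT to the proxy, or LAN to DMZ for outbound), and the corresponding firewall log entries on the XGS are the next thing to read.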


  • Hello Martin,
    I have never used the "legacy mode" before.
    I don't have such problems in MTA mode.
    What does the (mail) log on the XGS say?
    I would switch off the mail scan to test it. If it's OK then, you should open a support case with Sophos.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk,

    Thanks for your input! I’ve managed to solve the problem, and it turns out that at least the "Reflexive NAT rule" wasn’t necessary. Everything is running smoothly now. ;-)

    Bye
    Martin