
Sophos Firewall: Troubleshooting Guide - Email Notification not working

FormerMember

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Overview:

This recommended read describes the troubleshooting steps and possible solutions for when email notifications don't work:

  • Unable to receive/send backup emails
  • Unable to receive/send notification emails
  • Unable to send/receive scheduled report email
  • The test email was successful, but I was not able to receive the test emails

Prerequisites:

What To Do

Gmail:

Prerequisites:

For Gmail users, ensure that the following settings are in place: (Skip Step 1 in the "What To Do" section)

  • Mail server IPv4 address/FQDN: smtp.gmail.com
  • Port: 587
  • Authentication required: Selected.
  • Username: Your complete Gmail account
  • Password: Gmail password if 2FA is turned off/App password if 2FA is turned on (Step 6)

Troubleshooting Steps:

Step 1: Verify all the details, such as FQDN/IP for the mail server and SMTP port.

Step 2: Check the log viewer -> email for the delivery status of the emails.

Step 3: Click "Test Mail" and observe the smtpd debug logs. 

Note: Keep the service in debug mode to check the logs by running the following command in Advanced Shell CLI: 

  • For an HA setup (mostly for A-A), when enabling it on both devices - service smtpd:debug -ds sync
  • For a non-HA setup - service smtpd:debug -ds nosync
    Note: Execute the same command again to disable debug mode.
  • Run the following command to view the output - tail -f /log/smtpd_main.log

Successful Logs:

Authentication Error / Less secure App is off -> 2-Step Verification is off:

  • Verify the credentials or log in again to Gmail using the same credentials.
  • Go to step 4

IP Blacklisted/email bounced:


Verify that the public IP isn't blacklisted using MxToolbox (https://mxtoolbox.com/), a handy website that provides information related to the MX records associated with a domain. If it is listed, contact the ISP to allow list the IP address.

Step 4: If you have turned on two-factor authentication for Gmail, you'll need an App Password to enter as the password in the email notification settings on Sophos Firewall.

If 2FA isn't active, then use your Gmail password.

However, if you still cannot receive email notifications, try enabling Less secure app access on Gmail and test again.

Note: 2-Step Verification is the more secure option.

Step 5: To turn on the less secure app access option, refer to the screenshot below:

Less Secure App:

Step 6: Refer to the screenshots below to turn on 2-step authentication. Generate the app password and enter it into the Sophos Firewall.

2-Step verification (Generate App password)

App Password:

Microsoft Outlook:

Prerequisites:

  • Mail server IPv4 address/FQDN: outlook.office365.com
  • Port: 587
  • Authentication required: Selected
  • Username: Your complete Microsoft account
  • Password: Outlook password if 2-Step is turned off or App Password if 2-Step is turned on
  • Connection security: STARTTLS

Troubleshooting Steps:

Step 1: Verify all the details, such as FQDN/IP for the mail server and SMTP port.

Step 2: Check the log viewer -> email for the delivery status of the emails.

Step 3: Click "Test Mail" and observe the smtpd debug logs.

Successful Authentication:

Unsuccessful authentication:

Verify the credentials or log into Outlook using the same credentials.




Sending an email using another domain

Outlook does not allow sending emails using other email domains.

Any other email domains:

Troubleshooting Steps:

Step 1: Verify all the details, such as FQDN/IP for the mail server and SMTP port.

Step 2: Check the log viewer -> email for the delivery status of the emails.

Step 3: Run the following command - telnet <FQDN/IP> <Port>

  • If it’s successful, get the exact valid port number.
  • Run the following command - telnet <mail server FQDN/IP> <SMTP Port>

Verify whether the mail server is responding on the provided SMTP port.

Step 4: Check the smtpd-debug logs and verify if there's an authentication failure or any message provided by the remote mail server.

Note: Keep the service in debug mode to check the logs by running the following command in Advanced Shell CLI: 

  • For an HA setup (mostly for A-A), when enabling it on both devices - service smtpd:debug -ds sync
  • For a non-HA setup - service smtpd:debug -ds nosync
    Note: Execute the same command again to disable debug mode.
  • Execute the following command to view the output - tail -f /log/smtpd_main.log
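
The reachability test from Step 3, extended to also report whether the server offers STARTTLS and which AUTH mechanisms it advertises, as an added example (not Sophos code and not part of the original guide). It assumes Python 3 on an admin workstation rather than the firewall shell; probe_smtp and findings are hypothetical helper names, and the script sends no credentials and no mail.

```python
import smtplib
import ssl
import sys


def probe_smtp(host, port=587, timeout=5.0):
    """Connect like `telnet <FQDN/IP> <Port>`, then report STARTTLS and AUTH."""
    result = {"reachable": False, "starttls": False, "tls_version": None,
              "auth": [], "error": None}
    try:
        # Fixed local_hostname so the probe performs no extra DNS lookups.
        with smtplib.SMTP(host, port, local_hostname="localhost",
                          timeout=timeout) as client:
            result["reachable"] = True  # TCP connect and 220 greeting succeeded
            client.ehlo()
            if client.has_extn("starttls"):
                result["starttls"] = True
                # The default context verifies certificate chain and hostname.
                client.starttls(context=ssl.create_default_context())
                result["tls_version"] = client.sock.version()
                client.ehlo()  # AUTH is often advertised only after TLS
            result["auth"] = client.esmtp_features.get("auth", "").split()
    except (OSError, smtplib.SMTPException) as exc:
        # Refused, timed out, DNS failure, bad greeting or bad certificate.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def findings(result):
    """Map a probe result to the checks in the troubleshooting steps."""
    if not result["reachable"]:
        return ["No SMTP greeting on this port: re-check FQDN/IP and port."]
    if result["error"]:
        return ["Connected, then failed: " + result["error"]]
    notes = []
    if not result["starttls"]:
        notes.append("No STARTTLS offered: credentials would be sent unencrypted.")
    if not result["auth"]:
        notes.append("No AUTH offered: 'Authentication required' cannot succeed.")
    return notes or ["Port, STARTTLS and AUTH look fine: check credentials next."]


if __name__ == "__main__":
    report = probe_smtp(sys.argv[1], int(sys.argv[2]))
    print(report)
    print("\n".join(findings(report)))
```

Because the probe runs from a different source address than the firewall, a clean result does not rule out the IP blacklisting case.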



Revamped RR
[edited by: Erick Jan at 9:50 AM (GMT -7) on 17 Sep 2024]