Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 16 replies
  • Subscribers 6 subscribers
  • Views 29771 views
  • Users 0 members are here
Options
Suggested

Email Smart Host not working?

IanR999

I have tried to set up the outgoing email Smarthost in Email > General Settings and then tried to test it.

I configured one of the mail servers to use the XG box as a smart-host rather than the ISP smart host.  I also configured XG using the tickbox "use smarthost" and configured the smarthost as it was configured in the mail server.  I also remembered to update the device-access table so the mail server was allowed SMTP relaying.

I then sent a test email through the mail server which then tried to send it using XG.

The test email (tested 3 times), would sit in the Mail Spool as Queued and then change to Failed.  I tried retrying each email about 5 times before deleting it, each retry was no success. 

I then reverted the mail server outgoing smart host back to the ISP smart host (which it was on previously) and retried sending the email.  This worked perfectly.

My XG is in MTA mode, with 2 incoming SMTP profiles that are working well.
I upgraded from 16.05MR7 to 17-Beta1 without any issues and everything seems to be working as expected.

The smart-host only requires a connection to the host on port 25 and does not require any authentication (it is the ISP smarthost and they use other security to only allow relaying from systems connected to their services).

 

Thanks

Ian

 

 

 

 

 

 

 

  • 0 in reply to IanR999

    I second Ian's concern that TLS1.0 or self signed certs shouldn't affect regular port 25 connections. However, I don't claim to be smarter than the folks at sophos so hopefully this is resolved correctly in the next MR release. Also, better logging is always welcome. 

  • 0 in reply to deeptibhavsar

    Thank you for this.

     

    Is there a requirement to use SSL/TLS on this smart host?

     

    The previous smart host I tried did not allow any encryption at all and had to be a basic connection?

     

    Will there be any option to select what encryption is to be used for the smart host?

     

    Thanks

     

    Ian

  • +1 in reply to IanR999

    Hi Ian,

    Thank you for the sharing the details and extended help.

    We found that, in Email General Settings, for SMTP "Allow Invalid Certificate" is disabled, and the certificate coming from Smart host to Appliance is selfsigned certificate, which is getting denied as per configuration.

    You can import CA into the appliance to resolve the issue.

    The other thing, we found that, some of the mail server connecting to appliance MTA, is coming with TLS 1.0. We have disabled the TLS 1.0 by default  in SFOSv17, to make the security strong and remove week version compatibility NC-21678.

    Yes, we are doing improvement to make logging strong, so admin can come to know the mail drop reason,NC-17262 and this is planned to fix in SFOSv17 MR1.

     

    Regards,

    Deepti Bhavsar

  • 0 in reply to IanR999

    Hello,

     

    Just an update:

    * I have tried with RC1 installed and there is no change.

    * I have installed another copy of the mail server temporarily to test the smart host/mail relay functionality.
    This was effectively configured as per the ISP (Allow Relay for specific IP on Port 25, no authentication required).  XG relayed the email correctly through this 'smarthost'

    * Device Access page is configured to allow SMTP from WAN and LAN addresses.

    * The main mail server happily delivers to the ISP SMTP relay using port 25, ISP IP pool authentication and FQDN address for the server bypassing the XG relay service. (there are no IPv6 Addresses for the ISP relay as I have HE tunnelbroker running for IPv6) 

     

    **EDIT**

    * I have just tried a different internet based SMTP smart host (I can access using a terminal connection), but I get the same failure message.  This was using port 25 and username/password authentication. They also allowed TLS on 587, and SSL on 465.  Neither of which worked either.

    * I have just tried the same Smart Host using its IP Address rather than FQDN with no luck.

     

    I hope this helps

    Ian

  • 0 in reply to deeptibhavsar

    Apologies for the delay. 

     

    Log files just sent.

  • 0 in reply to IanR999

    Hi lan,

    Thank you for the logs. Detail logs would be great, already asked for the info on PM

    Thank you

  • 0 in reply to IanR999

    I think this section may be pertinent to the issues:

    ERR   Oct 05 21:06:29 [T___WORKER]: ct_do_work: write failed: Connection refused
    MSG   Oct 05 21:06:29 [0xc0000075]: spam scanning failed,unable to connect local ctasd
    INF   Oct 05 21:06:29 [T___WORKER]: matchpolicy: sender profile is avail
    INF   Oct 05 21:06:29 [0xc0000075]: SCANCONTENT AV: 4 TFT: 0 DLP: 0 SANDSTORM: 0
    ERR   Oct 05 21:06:29 [T___WORKER]: ensure_avd_connection(): connect_to_av_server() failed
    ERR   Oct 05 21:06:29 [0xc0000075]: VirusScan: Failed for Session c0000075
    MSG   Oct 05 21:06:29 [0xc0000075]: S='###SENDERADDRESS###' R='###RECEIVERADDRESS###' subject='Test' Size='3657' Status='Mail delivery failure. Could not connect to Anti-Virus Service.'

     

    If you need the rest of the file, please let me know

  • 0 in reply to deeptibhavsar

    deeptibhavsar said:

    Hi,

    Please run mta service in debug mode: service awarrenmta:debug -d -s nosync

    And share the awarrenmta.log

     

     

    I have sent a PM with regards to where you want the awarrentmta file sent

  • 0 in reply to deeptibhavsar

    Hi StefanBoldt,

    Meanwhile, Please share your setup details and firewall configuration details.

    Also check the drop-packet-capture , when you are sending mail with smart host enable

  • 0 in reply to StefanBoldt

    Hi StefanBoldt ,

    csc custom debug

    take logs /log/csc.log /log/cschelper.log

     

    You can use below command and copy to linux machine

    SG135_XN01_SFOS 17.0.0 Beta-1# scp <Source_File> <Username>@<server_ip>:<Destination_Folder>/

    SG135_XN01_SFOS 17.0.0 Beta-1# scp applog.log qa@10.198.36.170:r/

    You can also copy the logs from screen

Unfiltered HTML