I'm now reaching out to the forums as the case support seems rather superficial here.
Ever since the cutover to the new ticket system we do not receive any emails anymore. I asked for a bit of information about the sender and the sending email servers and so on, and after a brief analysis period Sophos support asked me to check the spam box [sic] and told me the sender is email@example.com [sic] (is it the Envelope-From or only the From?)
Did anybody else have issues before? All I can see is huge amounts of qmgr traffic from and to addresses like firstname.lastname@example.org, and hosts like mail.delivery-37-eu-central-1.prod.hydra.sophos.com. With all the e-mail any appliance generates (sic), it's hard to distinguish right off the bat.
The only indication I have seen so far, and it is a wild guess because I know of the term "Salesforce", is this:
Sep 21 21:36:20 postfix-inbound/smtpd: disconnect from smtp07-fra-sp1.mta.salesforce.com[220.127.116.11] ehlo=1 starttls=0/1 commands=1/2
Sep 21 22:42:22 postfix-inbound/smtpd: SSL_accept error from smtp07-ph2-sp3.mta.salesforce.com[18.104.22.168]: Connection reset by peer
....but I can't even tell whether this is Sophos or something else, since Salesforce has been taking over a *lot* in terms of consulting web-services and e-mail.
We have found that DMARC policies were blocking the emails. The recommendation for Central customers is to set the DMARC action to -> Conform to sender policy
Hope this helps to resolve the issue…
Hi Harald Pfeiffer,
Apologies for the inconvenience caused. Our team is actively working to resolve the issue related to outbound emails being blocked (tracked under ITASSCD-5654).
Please stay tuned for more info.
Thanks for passing on the ID. Is there any way to check details through the ID itself, or to pass on any basic technical details to us?
Right now, there isn't even a way to check what Sophos or their Salesforce config is doing wrong and to possibly whitelist things temporarily to verify the issue at hand. This is a bit meager, given the fact we already reached out to a "technical" support, and nobody ever told us sending servers or something in the likes of that direction.
Hope this helps to resolve the issue for you until the fix is in place.
Secil Yanik
Senior Business Analyst, Support & Services
Hi again Harald,
We have made changes to the DKIM signature on emails sent from email@example.com which should resolve this issue.
DKIM and DMARC failures, curious as those are because either they fit or they cause a mass of -justified- problems, are not the issue here. These failures would be registered in our mail security appliances as bogus mailing or spam if you will, whereas, I repeat, we never receive any email to that point. Which is why I also pointed out an example Salesforce entry from our logs with a broken STARTTLS connection attempt.
Whenever initial connections are terminated e.g. due to no matching handshake mechanism found, you will not receive even email headers. And it looks like that to me.
Now what I truly find curious is that, after all this time, nobody can even tell us which e-mail servers Sophos are using. Let alone their TLS parameters and so forth.
Who is in charge of the servers, who can we talk to who is able to at least basically understand and look into technical details on your end?
Thanks in advance.
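The two log lines quoted earlier in the thread show sessions that end during STARTTLS, before any message is handed over. The following Python sketch is an added example (not part of any poster's message and not Sophos code) that scans Postfix smtpd log lines for such sessions per sending host. The third sample line, with its host and address, is constructed for contrast, and `starttls=0/1` is read as "0 of 1 attempts succeeded", following Postfix's session summary format.

```python
import re
from collections import defaultdict

# Constructed sample: the two log lines quoted in the thread plus one
# constructed healthy session for contrast (host and address are made up).
SAMPLE_LOG = """\
Sep 21 21:36:20 postfix-inbound/smtpd: disconnect from smtp07-fra-sp1.mta.salesforce.com[220.127.116.11] ehlo=1 starttls=0/1 commands=1/2
Sep 21 22:42:22 postfix-inbound/smtpd: SSL_accept error from smtp07-ph2-sp3.mta.salesforce.com[18.104.22.168]: Connection reset by peer
Sep 21 22:50:01 postfix-inbound/smtpd: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

CLIENT = r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]"
DISCONNECT = re.compile(r"smtpd(?:\[\d+\])?: disconnect from " + CLIENT + r"(?P<stats>.*)$")
TLS_ERROR = re.compile(r"smtpd(?:\[\d+\])?: SSL_accept error from " + CLIENT + r": (?P<reason>.*)$")
COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_stats(stats):
    """Turn 'ehlo=1 starttls=0/1' into {'ehlo': (1, 1), 'starttls': (0, 1)}."""
    out = {}
    for name, ok, total in COUNTER.findall(stats):
        out[name] = (int(ok), int(total) if total else int(ok))
    return out


def tls_failures(log_text):
    """Return {client host: [reasons]} for sessions that died in STARTTLS."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = TLS_ERROR.search(line)
        if m:
            failures[m["host"]].append("SSL_accept error: " + m["reason"])
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        stats = parse_stats(m["stats"])
        ok, tried = stats.get("starttls", (0, 0))
        # STARTTLS attempted but not completed, and no DATA phase reached:
        # the sender never got far enough to hand over a message.
        if tried > ok and stats.get("data", (0, 0))[0] == 0:
            failures[m["host"]].append(f"starttls {ok}/{tried}, no message transferred")
    return dict(failures)


if __name__ == "__main__":
    for host, reasons in tls_failures(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Grouping by sending host gives the receiving side a concrete list to hand to the sender's support when asking about TLS parameters.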
Nonetheless, if we want to be sure nothing interfered before mails would have been submitted to our MTA, you can have any Sophos engineer trigger an e-mail from case 03151018, that one deals with our issue and has been answered nowhere near as detailed as you did. That could be used as a practical test whether, currently, the issue persists. Which I assume, but assumptions are not technical facts :-)
Edit: The last e-mail from the ticket system (it states "20/10/2020 13:10" WITHOUT timezone, so I assume CEST... :-/) did not arrive on our end. Depending on the date and time of the fixes on your end this is either significant or it isn't. Times of changes are something I would also consider technical details, among the other things I indicated in the previous post.
As you may have gathered from my signature, I ain't a security expert, but I now understand the issue (not the technical details obviously). We will get someone to look at this and provide you details.
The time zone on the support portal as per your profile settings