Several problems on receiving mails through UTM

This morning I changed our MX records back from our UTM directly to Office365's. We've had several problems over the past few weeks which have led me to do this.

It all started a while ago when mails with normal MS Office attachments (docx, xlsx) got quarantined incorrectly, being recognized as macro-enabled documents (more specifically, for Word files, application/vnd.ms-word.document.macroEnabled.12).

Of course documents that do have macros should be sent to quarantine, and that is configured.

We have called this problem to our supplier, who passed it to Sophos. Sophos made us a fix which resulted in documents being again correctly identified, problem solved.

** HOWEVER **

After the fix had been applied, mails sent from Gmail to our domains would sometimes be delivered and sometimes not. When a mail would not be delivered, the sender would get an NDR with the message: "read error: generic::failed_precondition: read error (0): error"

We again contacted our supplier and Sophos advised us to put "any" in the 'Skip TLS Negotiation Hosts/Nets' setting of Email protection -> SMTP -> advanced. The result was that every Gmail mail was again correctly delivered to our domain.

** BUT **

Now mails sent from our domains to Gmail addresses would not be delivered anymore to Gmail at all. In our Office365 message trace I was able to find the following:

Server at <our mx server> (83.xxx.xxx.xxx) returned '450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail]

So, when we are sending a mail directly from Office365 to Gmail, Gmail will first contact our MX-server back (and requires STARTTLS, but Sophos told us to Skip TLS negotiation for any and thus no negotiation). While the contact back fails, Gmail will hold the mail for a short period of time, trying to again deliver it, but eventually fails resulting in an NDR.

Long story short:

I have now configured our MX directly to Office365 and have also removed the Skip TLS negotiation for any. Mails seem to flow okay now, so that's a big headache gone. However now we have a lot less checking (no more Sophos checking every incoming mail, no more sandstorm).

Anyone having the same experience or better know of a solution of any kind?
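The first problem in this thread is a gateway deciding whether an Office attachment is macro-enabled. The decision should be made from the OOXML container itself (the main part's content type in `[Content_Types].xml` and the presence of a `vbaProject.bin` part), not from the MIME type the sender declared or from the file extension. The following is an added example, not code from the original post or from Sophos; it builds two constructed minimal containers (one plain, one macro-enabled) and classifies them, and it generalizes beyond the Word case in the post to any OOXML package (xlsx/xlsm, pptx/pptm) by looking for any `macroEnabled` main part. The helper `build_docx` and the placeholder VBA bytes are constructed test fixtures, not real documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package content-types namespace (fixed by the ECMA-376 spec).
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Main-part content types for a plain .docx and a macro-enabled .docm.
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument."
              "wordprocessingml.document.main+xml")
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_docx(macro_enabled: bool) -> bytes:
    """Constructed minimal OOXML container, just enough structure for the
    classifier below. Not a document Word would open."""
    main_ct = MACRO_MAIN if macro_enabled else PLAIN_MAIN
    types = (f'<?xml version="1.0" encoding="UTF-8"?>'
             f'<Types xmlns="{CT_NS}">'
             f'<Default Extension="xml" ContentType="application/xml"/>'
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>')
    if macro_enabled:
        types += ('<Default Extension="bin" '
                  'ContentType="application/vnd.ms-office.vbaProject"/>')
    types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Constructed placeholder bytes; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf constructed placeholder")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes as 'macroEnabled', 'plain' or 'not-ooxml'
    based on the container contents only. Works for Word, Excel and
    PowerPoint packages, since all declare their main part the same way."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-ooxml"
    with zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return "not-ooxml"
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        override_cts = [o.get("ContentType", "")
                        for o in root.iter(f"{{{CT_NS}}}Override")]
        # Signal 1: any main part declared as a macro-enabled variant.
        declared_macro = any("macroEnabled" in ct for ct in override_cts)
        # Signal 2: an embedded VBA project part, regardless of what the
        # content types claim (catches mislabelled or tampered packages).
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return "macroEnabled" if (declared_macro or has_vba) else "plain"


def classify_by_declared_mime(declared_content_type: str) -> str:
    """The weak approach, shown for contrast: trusting the sender-supplied
    MIME type. A plain .docx sent with a wrong Content-Type header, or a
    macro-enabled file sent as .docx, is misclassified here."""
    if "macroEnabled" in declared_content_type:
        return "macroEnabled"
    return "plain"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"macro_enabled={flag}: {classify_attachment(build_docx(flag))}")
    print("junk:", classify_attachment(b"not a zip at all"))
```

The two classifiers disagree exactly in the case the thread describes: `classify_by_declared_mime` follows whatever label arrived with the mail, while `classify_attachment` ignores the label and reads the package, so a plain `.docx` is released and a package carrying a `vbaProject.bin` is held even if it was relabelled as a plain document.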



  • Just curious, Arno - did you try using the Office 365 Secure Mail Flow features instead of using the SMTP Proxy?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, seems we had some strange mail flow where not only some "friendly" maildomains, but also gmail.com domain was configured to be routed to our UTM. That's why mail sent to Gmail would first be routed to our Sophos SMTP gateway and then Gmail didn't accept it because there was no TLS configured.

    We have now removed gmail from this list so that it will again be directly delivered by O365. I will monitor the mail flow now for some time and then try to see what happens when we change back the MX records to UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
