Outbound mails fail with greylisting - no second attempt

As seen from the following log,

2020:06:08-20:23:35 firewall-2 exim-in[26476]: 2020-06-08 20:23:35 [10.0.1.3] F=<SENDER@HERE> R=<RECIPIENT@THERE> Accepted: from relay
2020:06:08-20:23:40 firewall-2 smtpd[26500]: SCANNER[26500]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.x.x.x" from="SENDER@HERE" to="RECIPIENT@THERE" subject="AW: Yada yada yada" queueid="1jiMQu-0006tQ-7K" size="115036"
2020:06:08-20:23:45 firewall-2 exim-out[26506]: 2020-06-08 20:23:45 1jiMQu-0006tQ-7K SMTP error from remote mail server after RCPT TO:<RECIPIENT@THERE>: host mx02.THERE [164.x.x.x]: 451 4.7.1 Greylisting in action, please come back later
2020:06:08-20:23:50 firewall-2 exim-out[26502]: 2020-06-08 20:23:50 1jiMQu-0006tQ-7K == RECIPIENT@THERE R=dnslookup T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<RECIPIENT@THERE>: host mx01.THERE [164.y.y.y]: 451 4.7.1 Greylisting in action, please come back later
2020:06:08-20:23:50 firewall-2 exim-out[26502]: 2020-06-08 20:23:50 1jiMQu-0006tQ-7K ** RECIPIENT@THERE: retry timeout exceeded

The firewall tried to forward the mail within a few seconds after receiving it internally, trying both remote MTAs and being (temporarily) rejected by both according to greylisting. After that, i.e., only 10 seconds after submission and the reason given is "timeout".

Expected behaviour: Retry after a few minutes and the timeout should be 3 days, not just a few seconds.

What's wrong here?

(retry config excerpt:)

*         * F,2h,2m; G,16h,1h,1.5; F,3d,6h

 

What's wrong here?
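
For reference, the retry rule quoted in the post can be expanded into the schedule it asks for. This is an added example, not part of the original post and not Exim's or Sophos's code: it is a simplified model of the F (fixed) and G (geometric) retry parameters as the Exim documentation describes them, and the function names are hypothetical.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(text):
    """Convert an Exim time value such as '2h' or '1h30m' to seconds."""
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_retry_rule(line):
    """Split 'pattern error F,2h,2m; G,...' into (pattern, error, steps)."""
    pattern, error, params = line.split(None, 2)
    steps = []
    for item in params.split(";"):
        fields = [f.strip() for f in item.split(",")]
        if fields[0] == "F" and len(fields) == 3:
            factor = 1.0                      # fixed interval
        elif fields[0] == "G" and len(fields) == 4:
            factor = float(fields[3])         # interval grows by this factor
        else:
            raise ValueError(f"bad retry step: {item!r}")
        steps.append((parse_time(fields[1]), parse_time(fields[2]), factor))
    return pattern, error, steps

def retry_schedule(steps):
    """Retry times in seconds after the first failure (t = 0).

    Simplified model (assumption): the step whose cutoff has not yet passed
    supplies the interval; a G step multiplies its interval after each try.
    """
    times, now = [], 0.0
    for cutoff, interval, factor in steps:
        while now < cutoff:
            now += interval
            times.append(now)
            interval *= factor
    return times

def bounce_is_premature(elapsed_seconds, steps):
    """True if a bounce came before the last cutoff (counted from first failure)."""
    return elapsed_seconds < steps[-1][0]

# Retry rule copied from the post above.
RULE = "*         * F,2h,2m; G,16h,1h,1.5; F,3d,6h"
PATTERN, ERROR, STEPS = parse_retry_rule(RULE)
SCHEDULE = retry_schedule(STEPS)
```

Under this model the first retry is due 2 minutes after the first failure and the last cutoff is 3 days, so `bounce_is_premature(10, STEPS)` is true for the 10 seconds reported in the post. Actual retry times on a running system also depend on when the queue runner fires and on the retry hints Exim has stored.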

 

 



  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    From the UTM help page:

    "Use greylisting: Greylisting basically means the temporary rejection of emails for a certain amount of time. Typically, a mail server using greylisting will record the following pieces of information for all incoming messages:

    • The sender address
    • The IP address of the host the message is sent from
    • The recipient address
    • The message subject

    This data set is checked against the SMTP proxy's internal database; if the data set has not been seen before, a record is created in the database along with a special timestamp describing it. This data set causes the email to be rejected for a period of five minutes. After that time the data set is known to the proxy and the message will be accepted when it is sent again. Note that the data set will expire after 30 days if it is not updated within this period.
    Greylisting uses the fact that most senders of spam messages use software based on the "fire-and-forget" method: Try to deliver the mail and if it doesn’t work, forget it! This means that senders of spam mail do not try to send emails again when there is a temporary failure, contrary to RFC-conform mail servers. The assumption is that since temporary failures are built into the RFC specifications for email delivery, a legitimate server will try again to send the email later, at which time the destination will accept it."

    Did the sender server try to retry sending the original email as it failed temporarily due to the greylisting configuration on your UTM?

    Thanks,

  • Apparently I have to make a summary of my initial post if it was that unclear:

    The problem is not about our Sophos UTM using greylisting against incoming mail.

    The problem is about our Sophos UTM failing to deliver outbound mail when the receiving end uses greylisting.

    Indeed, I expected that "a legitimate server will try again to send the email later," -- but Sophos UTM did exactly this NOT.

    Within 10 seconds of the outbound mail being queued, Sophos UTM attempted delivery to the two MTAs of the remote side (which both resulted in a temporary error due to greylisting) and then immediately bounced the mail.

    Observed behaviour: Mail bounced after one initial attempt per remote MX

    Expected behaviour: Retry outbound delivery a few minutes later

  • Hello hagman_01,

    Thank you for the clarification.

    Yes, the UTM should try to resend the email after 5 minutes, then try again and, if it fails, double the time and try again, and so on until it reaches 5 days.

    Would you mind sharing the SMTP logs via DM?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support