Relay not permitted DROP in ACL

Hi Bernhard Held,

Thank you for reaching out to the Community!
What did you configure under Email Protection > SMTP > Domains? If you added *company.com, then remove the * and save the configuration and let us know if that helps.

Thanks,

Hi Harsh, 

thanks for your response - I have read all threads I was able to find about this topic. And of course I don't use the * in my domains. That is the reason why I wrote here, I tried to find a solution all day with this forum, other sources (like Frankysweb from Germany). 

And as you can see, inbound outbound traffic works (at least with NAT rule) but I just would like to get that inbound mails also checked. 

My personal suspicion is the weird setup of ip addresses and nets with Hetzner provider. I have a public ip where my ESXI is reachable - over this ip there is another subnet routed - the one where my sophos lies and behind the sophos there is my Exchange. And I am pretty sure that might be the reason but all of my ideas didn't help with IP Adresses as allowed relay or whatsoever.

Maybe somebody has a great idea to help me?

TIA Bernhard

hi altogether, 

today, once again I tried to localise the problem - and I went one step ahead. I know this is a no go but when I put "ANY" into SMTP - Relaying - Host-based Relay - Allowd Hosts / Networks then emails are being sent to my mailboxes on the Exchange. 

Somehow now I don't have a clue on how to solve this problem?! Unfortunately I am not really deep into Exchange, Relaying etc.

May somebody can help me on this one please?

TIA Bernhard

Hallo Bernhard,

At the bottom of the 'Antispam' tab, unselect 'Perform SPF check' and try again.  If this now works, my guess is that you have a DNS configuration problem.  If so, show us a picture of the 'DNS Forwarders' section.

Cheers - Bob

hi Bob, thanks for this advice - I just disabled the SPF check, unfortunately this did not solve the problem. Do you have any other ideas? :-(

THanks in advance, best regards, Bernhard

There are lines like the following in the log when I see valid "Relay not permitted" rejections:

2021:06:20-17:00:35 secure exim-in[5186]: 2021-06-20 17:00:35 SMTP connection from [77.247.110.69]:49589 (TCP/IP connection count = 1)
2021:06:20-17:00:38 secure exim-in[27153]: 2021-06-20 17:00:38 H=(admin-pc.domain) [77.247.110.69]:49589 F=<test@amazonaws.com> rejected RCPT <test@gmail.com>: Relay not permitted
2021:06:20-17:00:38 secure exim-in[27153]: 2021-06-20 17:00:38 SMTP connection from (admin-pc.domain) [77.247.110.69]:49589 closed by DROP in ACL

From my archived notes: The following is my understanding based on experience.  First, the SMTP Proxy starts threads to check SPF, RBLs and RDNS.  Next the MAIL FROM command announces the sender.  Next, the RCPT TO commands announce the recipients.  The Proxy now examines the exceptions to see if the message qualifies for any Exceptions.  If the sender is not blacklisted and a valid recipient is present and SPF, RBL and RDNS checks are passed or a fail is in an Exception, the DATA command allows the headers and content of the email to be received, otherwise, the message is rejected.  Depending on your Exceptions, anti-spam and anti-virus settings, received mails are either delivered, quarantined or rejected.

Since there are only three lines and no mention of SPF or RBL rejection in the log extract above, I assume that the connection failed RDNS, so the other thing to try would be to NOT select 'Do strict RDNS checks'.

If you're still having an issue, I would get a case open with Sophos Support as someone needs to put eyes on logs that aren't obfuscated.  Please let us know what they find.

Cheers - Bob

Bernhard PM'd me that he's a home user, so cannot open a ticket with Sophos.  He sent me the unobfuscated lines from his first post.  My best guess now is that the domain in the recipient address, administrator@d.f, is not a domain that the SMTP Proxy is configured to handle.

Cheers - Bob

Hi Bob, 

again thanks for your replay - I have just checked this and obviously both domains (the ones you know) are in the domain list - without asterisk at the beginning. 

If that would be the reason my logic would be wrong because when I put another email server ip address in the allowed hosts tab then the reception of emails from this mail server works as I wrote you in the pm today. 

Does anybody have another idea to solve that problem?

Thanks in advance to all, best regards

Bernhard

hi Adam, 

as far as I can verify all the SPF tests are ok on my domain?!

BR Bernhard