
Relay not permitted DROP in ACL

Hi all together,

I have a problem which I have been trying to solve all day long now. I have set up SMTP Protection and outbound it works perfectly - inbound no chance to make it running - I always receive this error message:

2021:06:16-16:45:18 core exim-in[5643]: 2021-06-16 16:45:18 SMTP connection from [178.x.x.x]:55240 (TCP/IP connection count = 1)

2021:06:16-16:45:18 core exim-in[30965]: 2021-06-16 16:45:18 H=mail.x.x [178.x.x.x]:55240 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<a.b@c.d rejected RCPT <administrator@d.f>: Relay not permitted
2021:06:16-16:45:18 core exim-in[30965]: 2021-06-16 16:45:18 SMTP connection from mail.x.x [178.x.x.x]:55240 closed by DROP in ACL

When I implement a NAT rule which sends the traffic directly to Exchange, everything works - so the error has to be on the Sophos UTM. I have tried multiple settings in the relay tab with no result. Right now I only have the internal IP of the Exchange with rDNS on the official DNS at the Host Based Relay Tab under Allowed / Hosts Network.
Does anyone have an idea what the reason for this could be?

Thank you very much in advance, 
best regards, 

Bernhard


  • FormerMember

    Hi ,

    Thank you for reaching out to the Community!
    What did you configure under Email Protection > SMTP > Domains? If you added *company.com, then remove the * and save the configuration and let us know if that helps.

    Thanks,

  • Hi Harsh, 

    thanks for your response - I have read all threads I was able to find about this topic. And of course I don't use the * in my domains. That is the reason why I wrote here, I tried to find a solution all day with this forum, other sources (like Frankysweb from Germany). 

    And as you can see, inbound outbound traffic works (at least with NAT rule) but I just would like to get that inbound mails also checked. 

    My personal suspicion is the weird setup of IP addresses and nets with Hetzner provider. I have a public IP where my ESXi is reachable - over this IP there is another subnet routed - the one where my Sophos lies and behind the Sophos there is my Exchange. And I am pretty sure that might be the reason but all of my ideas didn't help with IP addresses as allowed relay or whatsoever.

    Maybe somebody has a great idea to help me?

    TIA Bernhard

  • Hi all together,

    today, once again I tried to localise the problem - and I went one step ahead. I know this is a no go but when I put "ANY" into SMTP - Relaying - Host-based Relay - Allowed Hosts / Networks then emails are being sent to my mailboxes on the Exchange.

    Somehow now I don't have a clue on how to solve this problem?! Unfortunately I am not really deep into Exchange, Relaying etc.

    Maybe somebody can help me on this one please?

    TIA Bernhard

  • Hallo Bernhard,

    At the bottom of the 'Antispam' tab, unselect 'Perform SPF check' and try again.  If this now works, my guess is that you have a DNS configuration problem.  If so, show us a picture of the 'DNS Forwarders' section.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, thanks for this advice - I just disabled the SPF check, unfortunately this did not solve the problem. Do you have any other ideas? :-(

    Thanks in advance, best regards, Bernhard

  • There are lines like the following in the log when I see valid "Relay not permitted" rejections:

    2021:06:20-17:00:35 secure exim-in[5186]: 2021-06-20 17:00:35 SMTP connection from [77.247.110.69]:49589 (TCP/IP connection count = 1)
    2021:06:20-17:00:38 secure exim-in[27153]: 2021-06-20 17:00:38 H=(admin-pc.domain) [77.247.110.69]:49589 F=<test@amazonaws.com> rejected RCPT <test@gmail.com>: Relay not permitted
    2021:06:20-17:00:38 secure exim-in[27153]: 2021-06-20 17:00:38 SMTP connection from (admin-pc.domain) [77.247.110.69]:49589 closed by DROP in ACL

    From my archived notes: The following is my understanding based on experience.  First, the SMTP Proxy starts threads to check SPF, RBLs and RDNS.  Next the MAIL FROM command announces the sender.  Next, the RCPT TO commands announce the recipients.  The Proxy now examines the exceptions to see if the message qualifies for any Exceptions.  If the sender is not blacklisted and a valid recipient is present and SPF, RBL and RDNS checks are passed or a fail is in an Exception, the DATA command allows the headers and content of the email to be received, otherwise, the message is rejected.  Depending on your Exceptions, anti-spam and anti-virus settings, received mails are either delivered, quarantined or rejected.

    Since there are only three lines and no mention of SPF or RBL rejection in the log extract above, I assume that the connection failed RDNS, so the other thing to try would be to NOT select 'Do strict RDNS checks'.

    If you're still having an issue, I would get a case open with Sophos Support as someone needs to put eyes on logs that aren't obfuscated.  Please let us know what they find.

    Cheers - Bob

     
  • Bernhard PM'd me that he's a home user, so cannot open a ticket with Sophos.  He sent me the unobfuscated lines from his first post.  My best guess now is that the domain in the recipient address, administrator@d.f, is not a domain that the SMTP Proxy is configured to handle.

    Cheers - Bob

     
  • Hi Bob, 

    again thanks for your reply - I have just checked this and obviously both domains (the ones you know) are in the domain list - without asterisk at the beginning.

    If that would be the reason my logic would be wrong because when I put another email server ip address in the allowed hosts tab then the reception of emails from this mail server works as I wrote you in the pm today. 

    Does anybody have another idea to solve that problem?

    Thanks in advance to all, best regards

    Bernhard

  • hi Adam, 

    as far as I can verify all the SPF tests are ok on my domain?!

    BR Bernhard
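
An added example, not part of any post in this thread: a Python triage of exim-in log lines that separates expected open-relay rejections (like the ones in Bob's log extract) from rejections of mail addressed to a domain the SMTP proxy should handle (the case in the first post). It assumes the stock Exim relay rule (RCPT is accepted when the recipient domain is handled or the client is an allowed relay host), which may differ from the UTM's generated config; the domain list, relay network and log lines are constructed.

```python
import ipaddress
import re

# Assumed settings (hypothetical values): the domains listed under
# Email Protection > SMTP > Domains and the host-based relay networks.
HANDLED_DOMAINS = {"example.org"}
RELAY_NETS = [ipaddress.ip_network("10.0.0.10/32")]

# Constructed sample lines in the exim-in format quoted in the thread.
SAMPLE_LOG = """\
2021:06:20-17:00:38 utm exim-in[27153]: 2021-06-20 17:00:38 H=(pc.invalid) [203.0.113.9]:49589 F=<test@example.net> rejected RCPT <test@example.com>: Relay not permitted
2021:06:20-17:02:11 utm exim-in[27160]: 2021-06-20 17:02:11 H=mail.example.net [198.51.100.7]:55240 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<a.b@example.net> rejected RCPT <administrator@example.org>: Relay not permitted
2021:06:20-17:02:11 utm exim-in[27160]: 2021-06-20 17:02:11 SMTP connection from mail.example.net [198.51.100.7]:55240 closed by DROP in ACL
"""

# Client address in "[ip]:port", then the rejected recipient.
REJECT = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ .*?"
    r"rejected RCPT <(?P<rcpt>[^>]+)>: Relay not permitted"
)


def classify(line):
    """Return (client_ip, recipient, verdict) for a relay rejection, else None."""
    m = REJECT.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # obfuscated or malformed address
        return None
    domain = m["rcpt"].rpartition("@")[2].lower()
    if domain in HANDLED_DOMAINS:
        # Inbound mail for a handled domain should never need relay rights.
        verdict = "unexpected: recipient domain is handled, compare with live config"
    elif any(ip in net for net in RELAY_NETS):
        verdict = "unexpected: client is an allowed relay host"
    else:
        verdict = "expected: external host relaying to a foreign domain"
    return str(ip), m["rcpt"], verdict


def triage(log_text):
    """Classify every 'Relay not permitted' line in a log extract."""
    return [r for r in map(classify, log_text.splitlines()) if r]
```

An "unexpected" verdict for a handled domain means the domain list the administrator sees is not the one the proxy is applying to that recipient, which is a narrower fault to chase than widening the allowed relay hosts.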