
Sophos SMTP Relay issues - Exchange

Hi guys, 

Me, back with another thread.

My small lab is growing steadily recently with Sophos taking the lead.

I use the Sophos as SMTP Relay for Exchange 2010.

The Sophos is setup:
Routing > Allowed domain
Routing by static host > Exchange
Hostbased Relay > Exchange 
Authenticated relay > Username (defined in sophos)
SMTP hostname > Sophos FQDN
Dataprotection, Antispam and Antivirus tweaked as needed.

The Exchange:
Hub transport > Custom
Route Mail > *
Smart Host > IP.SO.PH.OS
Basic TLS Auth > Username (defined in sophos)

I've been able to route emails with the current setup until I recently updated the certificate on the Exchange.

Now from the Sophos SMTP live logs I am getting:
2014:08:09-01:10:15 remote exim-in[5175]: 2014-08-09 01:10:15 exim 4.76 daemon started: pid=5175, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
2014:08:09-01:10:47 remote exim-in[5175]: 2014-08-09 01:10:47 SMTP connection from [192.168.0.30]:18030 (TCP/IP connection count = 1)
2014:08:09-01:10:47 remote exim-in[11483]: 2014-08-09 01:10:47 SMTP connection from [192.168.0.30]:18030 closed by QUIT

And from the Exchange logs, for the queued emails I am getting:
The last attempt to send the message was at 8/9/2014 12:57:29 AM (UTC+10:00) Canberra, Melbourne, Sydney and generated the error '451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.'.

Resetting Sophos/Exchange didn't help. Exchange works fine without relay and/or without TLS authentication.

Why did the Sophos break? I never installed/accepted an SSL cert on the Sophos....


  • Is there really over 13 minutes difference in the clocks, or are the SMTP lines from a different conversation?

    There must be a problem with the new Exchange cert, but I can't guess what that might be from the data presented.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Search your Exchange SMTP Send log file for "Chain validation status" message and post here several lines from that Exchange/UTM communication, like:

    2014-08-09T06:18:10.175Z,SMTP out,08D1819E2EC3A58B,11,10.1.9.34:62459,10.1.9.1:25,2014-08-09T06:18:10.190Z,SMTP out,08D1819E2EC3A58B,14,10.1.9.34:62459,10.1.9.1:25,*,SubjectMismatch,Chain validation status
    2014-08-09T06:18:10.190Z,SMTP out,08D1819E2EC3A58B,15,10.1.9.34:62459,10.1.9.1:25,>,QUIT,
  • Hi boys (Hello Vilic)

    Exactly as you said, I found the same error message in the Exchange logs
    #Software: Microsoft Exchange Server
    #Version: 14.0.0.0
    #Log-type: SMTP Send Protocol Log
    #Date: 2014-08-10T11:51:18.586Z
    #Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
    2014-08-10T11:51:18.586Z,sophos relay,08D182A1B8491A83,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-10T11:51:18.644Z,sophos relay,08D182A1B8491A83,1,192.168.0.30:30407,192.168.0.1:25,+,,
    2014-08-10T11:51:18.681Z,sophos relay,08D182A1B8491A83,2,192.168.0.30:30407,192.168.0.1:25,,EHLO exchange.*********.com,
    2014-08-10T11:51:18.684Z,sophos relay,08D182A1B8491A83,4,192.168.0.30:30407,192.168.0.1:25,,STARTTLS,
    2014-08-10T11:51:18.694Z,sophos relay,08D182A1B8491A83,11,192.168.0.30:30407,192.168.0.1:25,relay,08D182A1B8491A83,14,192.168.0.30:30407,192.168.0.1:25,*,SubjectMismatch,Chain validation status
    2014-08-10T11:51:19.041Z,sophos relay,08D182A1B8491A83,15,192.168.0.30:30407,192.168.0.1:25,>,QUIT,
    2014-08-10T11:51:19.044Z,sophos relay,08D182A1B8491A83,16,192.168.0.30:30407,192.168.0.1:25,
  • Are you 100% sure that it ever worked... ;) ?

    I've successfully tested that scenario in my lab environment, and also had several problems but finally managed to get it to work. Hints:

    1. UTM: 
    a. In SMTP --> Advanced, check which TLS certificate is listed.
    b. In Remote Access --> Certificate Management, find that certificate and take note of "VPNId [Hostname]" and "Fingerprint" values.

    2. Exchange server: 
    a. Make sure that your Exchange is correctly resolving "VPNId [Hostname]" to the internal IP address of Sophos UTM. If not, edit the Hosts file manually.
    b. In Send Connector properties replace UTM IP address with the "VPNId [Hostname]" value.

    Instead of Subject Mismatch, now your Exchange log should show "Valid,Chain validation status" with thumbprint value matching UTM's Fingerprint value, and below that information about UTM SSL certificate.
  • Here we go with the results:
    2014-08-11T09:59:40.033Z,SophosRelay,08D182A1B8491B97,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T09:59:40.039Z,SophosRelay,08D182A1B8491B97,1,192.168.0.30:33908,192.168.0.1:25,+,,
    2014-08-11T09:59:40.048Z,SophosRelay,08D182A1B8491B97,2,192.168.0.30:33908,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T09:59:40.052Z,SophosRelay,08D182A1B8491B97,4,192.168.0.30:33908,192.168.0.1:25,,STARTTLS,
    2014-08-11T09:59:40.085Z,SophosRelay,08D182A1B8491B97,11,192.168.0.30:33908,192.168.0.1:25,11T09:59:40.132Z,SophosRelay,08D182A1B8491B97,14,192.168.0.30:33908,192.168.0.1:25,*,SubjectMismatch,Chain validation status
    2014-08-11T09:59:40.134Z,SophosRelay,08D182A1B8491B97,15,192.168.0.30:33908,192.168.0.1:25,>,QUIT,
    2014-08-11T09:59:40.136Z,SophosRelay,08D182A1B8491B97,16,192.168.0.30:33908,192.168.0.1:25,

    Performed 3 tests which resulted in failure:
    1. Using TLS on Exchange & Sophos. Certificate selected 'Local X509' VPNId[hostname] = Sophos 
    Sophos smarthost has been configured using FQDN sophos.innercomms.com
    2. Using TLS on Exchange & Sophos. Certificate selected 'smtp X509' which is in fact the Sophos account used for SMTP authentication purposes.
    3. Using TLS on Exchange & Sophos. New certificate created 'remote X509' VPNId[hostname] = Remote

    Performed one successful test.
    - Exchange Send Connector has been configured with Basic Authentication only. (No TLS)
    - Sophos: SMTP > Advanced: "Skip TLS Negotiation Hosts" = EXCHANGE

    2014-08-11T10:24:28.160Z,SophosRelay,08D182A1B8491BA7,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T10:24:28.169Z,SophosRelay,08D182A1B8491BA7,1,192.168.0.30:19159,192.168.0.1:25,+,,
    2014-08-11T10:24:28.192Z,SophosRelay,08D182A1B8491BA7,2,192.168.0.30:19159,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,4,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,7,192.168.0.30:19159,192.168.0.1:25,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,8,192.168.0.30:19159,192.168.0.1:25,,STARTTLS,
    2014-08-11T10:24:28.227Z,SophosRelay,08D182A1B8491BA7,11,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.268Z,SophosRelay,08D182A1B8491BA7,12,192.168.0.30:19159,192.168.0.1:25,*,,Received certificate
    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,13,192.168.0.30:19159,192.168.0.1:25,*,EA19F390ED7FE516190E5E09611B53354E380511,Certificate thumbprint

    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,14,192.168.0.30:19159,192.168.0.1:25,>,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.281Z,SophosRelay,08D182A1B8491BA7,15,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.282Z,SophosRelay,08D182A1B8491BA7,20,192.168.0.30:19159,192.168.0.1:25,>,AUTH LOGIN,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,21,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,22,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,23,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,24,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.356Z,SophosRelay,08D182A1B8491BA7,25,192.168.0.30:19159,192.168.0.1:25,

    As per the log, Sophos still tries to negotiate TLS with EXCHANGE but allows authentication using PLAIN AUTH only, due to the setting above, which instructs it to skip TLS for the given host (Exchange).
  • The reason for the Subject Mismatch error is that the Exchange smart host setting MUST use exactly the same name as in the UTM certificate.
    If the name in the certificate is "Sophos" then it is wrong to configure "sophos.mydomain.com", although that record also points to the internal UTM IP address.

    Here is the screenshot of the Exchange log file in my environment. I used the public certificate that was imported in Sophos for reverse proxy publishing. I will test it later with self-signed certificate.

    I have also changed the SMTP hostname to be exactly the same as the name in the certificate; not sure if that was necessary.
  • Just created new certificate on the sophos using the FQDN: remote.innercomms.com
    The same FQDN is used as the SMTP hostname
    The same FQDN is used as the Exchange Smarthost.

    On the Sophos, Exchange has been removed from the Skip TLS List.
    I can relay messages from Exchange to Sophos successfully if the "Negotiate TLS authentication" is switched off for the Exchange send connector.

    As soon as I switch on "Negotiate TLS authentication" on the Exchange send connector, the messages are being queued, but now with a different error message!

    2014-08-11T11:14:59.437Z,SophosRelay,08D182A1B8491BB8,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T11:14:59.445Z,SophosRelay,08D182A1B8491BB8,1,192.168.0.30:7856,192.168.0.1:25,+,,
    2014-08-11T11:14:59.495Z,SophosRelay,08D182A1B8491BB8,2,192.168.0.30:7856,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T11:14:59.505Z,SophosRelay,08D182A1B8491BB8,4,192.168.0.30:7856,192.168.0.1:25,,STARTTLS,
    2014-08-11T11:14:59.535Z,SophosRelay,08D182A1B8491BB8,11,192.168.0.30:7856,192.168.0.1:25,11T11:14:59.591Z,SophosRelay,08D182A1B8491BB8,14,192.168.0.30:7856,192.168.0.1:25,*,UntrustedRoot,Chain validation status
    2014-08-11T11:14:59.593Z,SophosRelay,08D182A1B8491BB8,15,192.168.0.30:7856,192.168.0.1:25,>,QUIT,
    2014-08-11T11:14:59.606Z,SophosRelay,08D182A1B8491BB8,16,192.168.0.30:7856,192.168.0.1:25,
  • Much better.. :)

    Now you should import the UTM CA certificate into the Trusted Root Certification Authorities store on your Exchange server (Computer, not User store).
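The two "Chain validation status" values that drove this thread (SubjectMismatch, then UntrustedRoot) are easy to miss in a long Send protocol log. The following is an added example, not code from the thread or from Sophos/Microsoft: it parses the Exchange 2010 SMTP Send protocol log layout quoted above (columns taken from its #Fields line) and reports, per session, the TLS chain status, the peer certificate thumbprint, and what that status pointed at here. The log content is constructed; the session ids, addresses and thumbprint are made up.

```python
"""Triage an Exchange SMTP Send protocol log for STARTTLS chain validation failures."""
import csv

# Constructed sample in the Exchange 2010 SMTP Send protocol log layout (same
# #Fields line as the log quoted in this thread; addresses and ids are made up).
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-08-11T09:59:40.052Z,SophosRelay,08D182A1B8491B97,4,192.168.0.30:33908,192.168.0.1:25,>,STARTTLS,
2014-08-11T09:59:40.132Z,SophosRelay,08D182A1B8491B97,14,192.168.0.30:33908,192.168.0.1:25,*,SubjectMismatch,Chain validation status
2014-08-11T11:14:59.591Z,SophosRelay,08D182A1B8491BB8,14,192.168.0.30:7856,192.168.0.1:25,*,UntrustedRoot,Chain validation status
2014-08-11T11:14:59.593Z,SophosRelay,08D182A1B8491BB8,15,192.168.0.30:7856,192.168.0.1:25,>,QUIT,
2014-08-11T12:00:00.100Z,SophosRelay,08D182A1B8491BD0,13,192.168.0.30:1000,192.168.0.1:25,*,0123456789ABCDEF0123456789ABCDEF01234567,Certificate thumbprint
2014-08-11T12:00:00.101Z,SophosRelay,08D182A1B8491BD0,14,192.168.0.30:1000,192.168.0.1:25,*,Valid,Chain validation status
"""

# What each non-Valid status pointed at in this thread.
HINTS = {
    "SubjectMismatch": "Send Connector smart host name differs from the name in the relay certificate",
    "UntrustedRoot": "CA that issued the relay certificate is not in the Exchange computer's Trusted Root store",
}

def parse_fields(lines):
    """Yield one dict per record, naming columns from the #Fields header; other # lines are skipped."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            values = next(csv.reader([line]))             # data field is quoted when it holds commas
            values += [""] * (len(fields) - len(values))  # pad truncated records
            yield dict(zip(fields, values))

def tls_validation_report(log_text):
    """Map session-id -> {connector, remote, status, thumbprint, hint} from the TLS records."""
    report = {}
    for row in parse_fields(log_text.splitlines()):
        entry = report.setdefault(row["session-id"], {
            "connector": row["connector-id"], "remote": row["remote-endpoint"],
            "status": None, "thumbprint": None, "hint": None})
        if row["context"] == "Chain validation status":
            entry["status"] = row["data"]
            entry["hint"] = HINTS.get(row["data"])    # None for Valid or unknown statuses
        elif row["context"] == "Certificate thumbprint":
            entry["thumbprint"] = row["data"]
    return report

def failed_sessions(log_text):
    """Session ids whose STARTTLS certificate check did not come back Valid."""
    return sorted(sid for sid, e in tls_validation_report(log_text).items()
                  if e["status"] is not None and e["status"] != "Valid")
```

A session that reports Valid should also show a thumbprint matching the Fingerprint shown under Remote Access > Certificate Management on the UTM, which is the check suggested earlier in this thread.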
  • Imported the certificate but still getting:
    2014-08-11T11:55:01.135Z,SophosRelay,08D182A1B8491BC7,14,192.168.0.30:58430,192.168.0.1:25,*,UntrustedRoot,Chain validation status
  • I will test it in my lab environment and will post back results later today or tomorrow.

    What happens when you export that certificate from UTM in PEM format, rename it to the CER extension and then open it on your Exchange server?
    Look at the Certification Path tab and, under that, the Certificate status (post a screenshot?).