Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 18 replies
  • Subscribers 1 subscriber
  • Views 26647 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos SMTP Relay issues - Exchange

GZgidnick
Hi guys, 

Me, back with another thread.

My small lab is growing steadily recently with Sophos taking the lead.

I use the Sophos as SMTP Relay for Exchange 2010.

The Sophos is setup:
Routing > Allowed domain
Routing by static host > Exchange
Hostbased Relay > Exchange 
Authenticated relay > Username (defined in sophos)
SMTP hostname > Sophos FQDN
Dataprotection, Antispam and Antivirus tweaked as needed.

The Exchange:
Hub trunsport > Custom
Route Mail > *
Smart Host > IP.SO.PH.OS
Basic TLS Auth > Username (defined in sophos)

I've been able to route emails with the current setup until recently updated the certificate on the Exchange.

No from the Sophos SMTP live logs I am getting:
2014:08:09-01:10:15 remote exim-in[5175]: 2014-08-09 01:10:15 exim 4.76 daemon started: pid=5175, no queue runs, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
2014:08:09-01:10:47 remote exim-in[5175]: 2014-08-09 01:10:47 SMTP connection from [192.168.0.30]:18030 (TCP/IP connection count = 1)
2014:08:09-01:10:47 remote exim-in[11483]: 2014-08-09 01:10:47 SMTP connection from [192.168.0.30]:18030 closed by QUIT

And from the Exchange logs, for the queued emails I am getting:
The last attempt to send the message was at 8/9/2014 12:57:29 AM (UTC+10:00) Canberra, Melbourne, Sydney and generated the error '451 4.4.0 Primary target IP address responded with: "454 4.7.5 Certificate validation failure." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.'.

Reseting Sophos/Exchange didn't help. Exchange works fine without relay and/or without TLS authentication.

Why did the Sophos broke? I never installed/accepted SSL cert on the Sophos....


This thread was automatically locked due to age.
Parents
  • 0
    Here we go with the results:
    2014-08-11T09:59:40.033Z,SophosRelay,08D182A1B8491B97,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T09:59:40.039Z,SophosRelay,08D182A1B8491B97,1,192.168.0.30:33908,192.168.0.1:25,+,,
    2014-08-11T09:59:40.048Z,SophosRelay,08D182A1B8491B97,2,192.168.0.30:33908,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T09:59:40.052Z,SophosRelay,08D182A1B8491B97,4,192.168.0.30:33908,192.168.0.1:25,,STARTTLS,
    2014-08-11T09:59:40.085Z,SophosRelay,08D182A1B8491B97,11,192.168.0.30:33908,192.168.0.1:25,11T09:59:40.132Z,SophosRelay,08D182A1B8491B97,14,192.168.0.30:33908,192.168.0.1:25,*,SubjectMismatch,Chain validation status
    2014-08-11T09:59:40.134Z,SophosRelay,08D182A1B8491B97,15,192.168.0.30:33908,192.168.0.1:25,>,QUIT,
    2014-08-11T09:59:40.136Z,SophosRelay,08D182A1B8491B97,16,192.168.0.30:33908,192.168.0.1:25,Performed 3 test which resulted in failure:
    1. Using TLS on Exchange & Sophos. Certificate selected 'Local X509' VPNId[hostname] = Sophos 
    Sophos smarthost has been configured using FQDN sophos.innercomms.com
    2. Using TLS on Exchange & Sophos. Certificate selected 'smtp X509' which is in fact the Sophos account used for SMTP authentication purposes.
    3. Using TLS on Exchange & Sophos. New certificate created 'remote X509' VPNId[hostname] = Remote

    Performed one successful test.
    - Exchange Send Connector has been configured with Basic Authentication only. (No TLS)
    - Sophos: SMTP > Advanced: "Skip TLS Negotiation Hosts" = EXCHANGE

    2014-08-11T10:24:28.160Z,SophosRelay,08D182A1B8491BA7,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T10:24:28.169Z,SophosRelay,08D182A1B8491BA7,1,192.168.0.30:19159,192.168.0.1:25,+,,
    2014-08-11T10:24:28.192Z,SophosRelay,08D182A1B8491BA7,2,192.168.0.30:19159,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,4,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,7,192.168.0.30:19159,192.168.0.1:25,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,8,192.168.0.30:19159,192.168.0.1:25,,STARTTLS,
    2014-08-11T10:24:28.227Z,SophosRelay,08D182A1B8491BA7,11,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.268Z,SophosRelay,08D182A1B8491BA7,12,192.168.0.30:19159,192.168.0.1:25,*,,Received certificate
    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,13,192.168.0.30:19159,192.168.0.1:25,*,EA19F390ED7FE516190E5E09611B53354E380511,Certificate thumbprint
    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,14,192.168.0.30:19159,192.168.0.1:25,>,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.281Z,SophosRelay,08D182A1B8491BA7,15,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.282Z,SophosRelay,08D182A1B8491BA7,20,192.168.0.30:19159,192.168.0.1:25,>,AUTH LOGIN,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,21,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,22,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,23,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,24,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.356Z,SophosRelay,08D182A1B8491BA7,25,192.168.0.30:19159,192.168.0.1:25,

    As per the log, Sophos still tries to negotiate TLS with EXCHANGE but allows to authenticate using PLAIN AUTH only due to the setting above, which instructs it to skip TLS for the given Host (Exchange)
Reply
  • 0
    Here we go with the results:
    2014-08-11T09:59:40.033Z,SophosRelay,08D182A1B8491B97,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T09:59:40.039Z,SophosRelay,08D182A1B8491B97,1,192.168.0.30:33908,192.168.0.1:25,+,,
    2014-08-11T09:59:40.048Z,SophosRelay,08D182A1B8491B97,2,192.168.0.30:33908,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T09:59:40.052Z,SophosRelay,08D182A1B8491B97,4,192.168.0.30:33908,192.168.0.1:25,,STARTTLS,
    2014-08-11T09:59:40.085Z,SophosRelay,08D182A1B8491B97,11,192.168.0.30:33908,192.168.0.1:25,11T09:59:40.132Z,SophosRelay,08D182A1B8491B97,14,192.168.0.30:33908,192.168.0.1:25,*,SubjectMismatch,Chain validation status
    2014-08-11T09:59:40.134Z,SophosRelay,08D182A1B8491B97,15,192.168.0.30:33908,192.168.0.1:25,>,QUIT,
    2014-08-11T09:59:40.136Z,SophosRelay,08D182A1B8491B97,16,192.168.0.30:33908,192.168.0.1:25,Performed 3 test which resulted in failure:
    1. Using TLS on Exchange & Sophos. Certificate selected 'Local X509' VPNId[hostname] = Sophos 
    Sophos smarthost has been configured using FQDN sophos.innercomms.com
    2. Using TLS on Exchange & Sophos. Certificate selected 'smtp X509' which is in fact the Sophos account used for SMTP authentication purposes.
    3. Using TLS on Exchange & Sophos. New certificate created 'remote X509' VPNId[hostname] = Remote

    Performed one successful test.
    - Exchange Send Connector has been configured with Basic Authentication only. (No TLS)
    - Sophos: SMTP > Advanced: "Skip TLS Negotiation Hosts" = EXCHANGE

    2014-08-11T10:24:28.160Z,SophosRelay,08D182A1B8491BA7,0,,192.168.0.1:25,*,,attempting to connect
    2014-08-11T10:24:28.169Z,SophosRelay,08D182A1B8491BA7,1,192.168.0.30:19159,192.168.0.1:25,+,,
    2014-08-11T10:24:28.192Z,SophosRelay,08D182A1B8491BA7,2,192.168.0.30:19159,192.168.0.1:25,,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,4,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,7,192.168.0.30:19159,192.168.0.1:25,
    2014-08-11T10:24:28.197Z,SophosRelay,08D182A1B8491BA7,8,192.168.0.30:19159,192.168.0.1:25,,STARTTLS,
    2014-08-11T10:24:28.227Z,SophosRelay,08D182A1B8491BA7,11,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.268Z,SophosRelay,08D182A1B8491BA7,12,192.168.0.30:19159,192.168.0.1:25,*,,Received certificate
    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,13,192.168.0.30:19159,192.168.0.1:25,*,EA19F390ED7FE516190E5E09611B53354E380511,Certificate thumbprint
    2014-08-11T10:24:28.269Z,SophosRelay,08D182A1B8491BA7,14,192.168.0.30:19159,192.168.0.1:25,>,EHLO exchange.innercomms.com,
    2014-08-11T10:24:28.281Z,SophosRelay,08D182A1B8491BA7,15,192.168.0.30:19159,192.168.0.1:25,11T10:24:28.282Z,SophosRelay,08D182A1B8491BA7,20,192.168.0.30:19159,192.168.0.1:25,>,AUTH LOGIN,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,21,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.299Z,SophosRelay,08D182A1B8491BA7,22,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,23,192.168.0.30:19159,192.168.0.1:25,,
    2014-08-11T10:24:28.307Z,SophosRelay,08D182A1B8491BA7,24,192.168.0.30:19159,192.168.0.1:25,>,,
    2014-08-11T10:24:28.356Z,SophosRelay,08D182A1B8491BA7,25,192.168.0.30:19159,192.168.0.1:25,

    As per the log, Sophos still tries to negotiate TLS with EXCHANGE but allows to authenticate using PLAIN AUTH only due to the setting above, which instructs it to skip TLS for the given Host (Exchange)
Children
No Data
Unfiltered HTML