Sophos UTM and Exchange 2016 inbound email not working

I am trying to test out inbound email filtering. I have set it up in non-transparent mode; the routing has my two email domains set up, routed by a static host list to the internal Exchange server.

Having initially had issues, I set up a specific frontend receive connector on Exchange.

When mail comes in it gets delivered. I can see from the UTM mail queue that it says it's queued for delivery but never gets delivered to the Exchange server; I can see some emails turn up in the SMTP logs on the Exchange server but they don't get delivered to the mailbox.

As soon as I redirect the WAN NAT to the Exchange server, mail flows properly again, so it's clearly an interaction between the UTM and Exchange.

  • Hi Chris, and welcome to the UTM Community!

    How does your configuration compare to

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thanks for replying. I had set it to advanced to use mail profiles as it was blocking the MS connectivity site emails; otherwise it matches.

    In the UTM logs I can see mail hitting it, but I can't see traffic between that and the mail server, either from the UTM or the Exchange side. Should the relay be present in the SMTP logs when the UTM goes to Exchange?

    Just starting to get some network captures to see if it's actually trying.

  • Further to this, I set up a specific receive connector and I am getting some mails, but some are going into a black hole.

    The UTM says it has accepted them and I can see them going through the normal SMTP steps, but I can't see them hitting the Exchange server.

  • I have to admit that I'm not following your description of what you're seeing. Perhaps you could show us pictures and log lines.

    Cheers - Bob

  • I am seeing SMTP connections coming into the UTM, being processed and then not getting passed on to Exchange.

    Here is extract 1 of 2, of emails that didn't make it past the UTM and onto Exchange:

    2016:03:01-12:20:50 myutm exim-in[24422]: 2016-03-01 12:20:50 H=mail.test.com [xxx.xxx.xxx.xxx]]:60170 Warning: domain.com profile excludes SANDBOX scan
    2016:03:01-12:20:52 myutm exim-in[24422]: 2016-03-01 12:20:52 [xxx.xxx.xxx.xxx] F=<test.testyson@testdomain.com> R=<me@domain.com> Verifying recipient address with callout
    2016:03:01-12:20:44 myutm exim-in[5566]: 2016-03-01 12:20:44 SMTP connection from [xxx.xxx.xxx.xxx]:60170 (TCP/IP connection count = 1)
    2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R ctasd reports 'Unknown' RefID:str=0001.0A0B0202.56D5892B.0289:SCFMA34161327,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=1024
    2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R Greylisting: Greylisted xxx.xxx.xxx.xxx
    2016:03:01-12:20:59 myutm exim-in[24422]: [1\42] 2016-03-01 12:20:59 1aajIK-0006Lu-2R H=mail.test.com [xxx.xxx.xxx.xxx]:60170 F=<testy.testerson@testdomain.com temporarily rejected after DATA: Temporary local problem, please try again!
    2016:03:01-12:20:59 myutm exim-in[24422]: [2\42] Envelope-from: <testy.testerson@testdomain.com
    2016:03:01-12:20:59 myutm exim-in[24422]: [3\42] Envelope-to: <me@domain.com>
    2016:03:01-12:20:59 myutm exim-in[24422]: [4\42] P Received: from mail.test.com ([xxx.xxx.xxx.xxx]:60170)
    2016:03:01-12:20:59 myutm exim-in[24422]: [5\42] by UTM.domain.com with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
    2016:03:01-12:20:59 myutm exim-in[24422]: [6\42] (Exim 4.82_1-5b7a7c0-XX)
    2016:03:01-12:20:59 myutm exim-in[24422]: [7\42] (envelope-from <test.testyson@testdomain.com>)
    2016:03:01-12:20:59 myutm exim-in[24422]: [8\42] id 1aajIK-0006Lu-2R
    2016:03:01-12:20:59 myutm exim-in[24422]: [9\42] for me@domain.com; Tue, 01 Mar 2016 12:20:57 +0000
    2016:03:01-12:20:59 myutm exim-in[24422]: [10\42] P Received: from DESKTOPIJKJPUI ([188.29.165.72]) by mail.test.com (mrgmx102)
    2016:03:01-12:20:59 myutm exim-in[24422]: [11\42] with ESMTPSA (Nemesis) id 0LosFD-1ZzTn73VsZ-00gllu for
    2016:03:01-12:20:59 myutm exim-in[24422]: [12\42] <me@domain.com>; Tue, 01 Mar 2016 13:20:43 +0100
    2016:03:01-12:20:59 myutm exim-in[24422]: [13\42] X-CTCH-RefID: str=0001.0A0B0202.56D5892B.0289:SCFMA34161327,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=1024
    2016:03:01-12:20:59 myutm exim-in[24422]: [14\42] F From: "Test Testyson" <test.testyson@testdomain.com>
    2016:03:01-12:20:59 myutm exim-in[24422]: [15\42] T To: <me@domain.com>
    2016:03:01-12:20:59 myutm exim-in[24422]: [16\42] Subject: .co.uk TEST
    2016:03:01-12:20:59 myutm exim-in[24422]: [17\42] Date: Tue, 1 Mar 2016 12:20:39 -0000
    2016:03:01-12:20:59 myutm exim-in[24422]: [18\42] I Message-ID: <003501d173b4$c6ef63e0$54ce2ba0$@gmx.com>
    2016:03:01-12:20:59 myutm exim-in[24422]: [19\42] MIME-Version: 1.0
    2016:03:01-12:20:59 myutm exim-in[24422]: [20\42] Content-Type: multipart/alternative;
    2016:03:01-12:20:59 myutm exim-in[24422]: [21\42] boundary="----=_NextPart_000_0036_01D173B4.C6F00020"
    2016:03:01-12:20:59 myutm exim-in[24422]: [22\42] X-Mailer: Microsoft Outlook 16.0
    2016:03:01-12:20:59 myutm exim-in[24422]: [23\42] Thread-Index: AdFztMIOWpyhSlZ5R5STdULyp4g4eA==
    2016:03:01-12:20:59 myutm exim-in[24422]: [24\42] Content-Language: en-gb
    2016:03:01-12:20:59 myutm exim-in[24422]: [25\42] X-Provags-ID: V03:K0:D+NyfWDJN7XpjqmBpr9+jUqEg2U57N3BHGEVWLtzIzb80eTbEyC
    2016:03:01-12:20:59 myutm exim-in[24422]: [26\42] rUcdlTi2B6t+WxZYlCP3gqn6iXl5F/ipekafjaOGMPD8SZsyu+Ii3dmW4384PEvFDyYFegB
    2016:03:01-12:20:59 myutm exim-in[24422]: [27\42] Ek8WF2PJk4gJQEc8mETRp6kD/H2auB0sc338XNsp/SZyKzkAUlGlQwVzv1+FLfd/ddNUvLE
    2016:03:01-12:20:59 myutm exim-in[24422]: [28\42] AUOGEe+dEmLteJoye+gWg==
    2016:03:01-12:20:59 myutm exim-in[24422]: [29\42] X-UI-Out-Filterresults: notjunk:1;V01:K0:8RzSZt606JE=:dx9kUDVc1SSj0KvZlrdWo7
    2016:03:01-12:20:59 myutm exim-in[24422]: [30\42] 9yOuZrzdLg8T48tIUbK3+RlXMi5vZL4xHNc2QflQXLIvf1oWoteYbCqn6zs+bfahKM5nF8FY1
    2016:03:01-12:20:59 myutm exim-in[24422]: [31\42] M57Z4l4Kh4Yknc6db/1DwWYYQC0ACWYJo+Fm+1205GuVt0Ry+jMAqh9DiOZ2kcbbwMjbnggRU
    2016:03:01-12:20:59 myutm exim-in[24422]: [32\42] 1idn2bF4cb26a+yujx3L3i2oIEZmGAudHtst7lo5q1Hp/0kaBMXCDUcILrrfQ2Bx4yecmmOqp
    2016:03:01-12:20:59 myutm exim-in[24422]: [33\42] uTSdtIOCDuS3NX9r9zw0CcnyGxAd7OVkIuNUnX7sCRZOB6IGKuIGiXbc5p0RJ5tFM9qiYduYd
    2016:03:01-12:20:59 myutm exim-in[24422]: [34\42] 3JzIYGqPw802dvDdDt7GmyoZm6wrJdQ6lXm424FMOJlWr5uajMYaZcmM4rn3yZvloVmxUSbRV
    2016:03:01-12:20:59 myutm exim-in[24422]: [35\42] Pv/0SI7CZiPYpUs4Z7RRFDJBQo6Q/cV3DxW1lsCEl+ms0omUaPBA0wspeQ2SWAYfKnvhkvgnP
    2016:03:01-12:20:59 myutm exim-in[24422]: [36\42] +woJkbZHwl802MF0KZOw+ZvL0QKG0kwrETsd+aAnUGGEDTuneASkaEcMRCjOyR/Goy7nn8IDG
    2016:03:01-12:20:59 myutm exim-in[24422]: [37\42] +evSTmAZjb9ReAdZ56/6RTxwJAcqhs/xjB6xNTsnZzvJ6h3ylNJQXhO7EcjEu56UhxrHH+0g2
    2016:03:01-12:20:59 myutm exim-in[24422]: [38\42] rAG8DDEVQqeVfzzGANrGDLOOIRnffexkANVgt2InQ94oWbz8PvUMzxc0lyGPGjrOpHgVDI1p9
    2016:03:01-12:20:59 myutm exim-in[24422]: [39\42] +DDuJmuGjrI5/0nKaA/Y3U93hWAhHJyK3BI9QrUS2xXA2hdgXM4NZnhRDqQg3x9RIiWFGJ0nl
    2016:03:01-12:20:59 myutm exim-in[24422]: [40\42] V3ixO/UVycyFaw4Wn0rTsiym74XmgTTCNjI61OHGtAdtLyMxXTvaLfUFQsZpzwYgu5Aih+Czw
    2016:03:01-12:20:59 myutm exim-in[24422]: [41\42] wyo5RqTJLCxLTRii2yZzSae82EebGJAvNNCrnaq1oW4nPwAUZNSU1LHC/g9JmLr+whFxCoMjh
    2016:03:01-12:20:59 myutm exim-in[24422]: [42/42] XaikVQDYdHmFzHwhArUA==
    2016:03:01-12:21:00 myutm exim-out[24432]: 2016-03-01 12:21:00 Start queue run: pid=24432
    2016:03:01-12:21:00 myutm exim-out[24432]: 2016-03-01 12:21:00 End queue run: pid=24432
    2016:03:01-12:21:00 myutm exim-in[24422]: 2016-03-01 12:21:00 SMTP connection from mail.test.com [xxx.xxx.xxx.xxx]:60170 closed by QUIT
    2016:03:01-12:22:00 myutm exim-out[24464]: 2016-03-01 12:22:00 Start queue run: pid=24464
    2016:03:01-12:22:00 myutm exim-out[24464]: 2016-03-01 12:22:00 End queue run: pid=24464

  • 2 of 2 - the log shows that it was passed off to the Exchange server, but there is no trace in the Exchange logs:

    2016:03:01-12:22:56 myutm exim-in[5566]: 2016-03-01 12:22:56 SMTP connection from [104.47.1.88]:54400 (TCP/IP connection count = 1)
    2016:03:01-12:22:59 myutm exim-in[24493]: 2016-03-01 12:22:59 H=mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 Warning: wallisphotos.co.uk profile excludes SANDBOX scan
    2016:03:01-12:23:00 myutm exim-out[24495]: 2016-03-01 12:23:00 Start queue run: pid=24495
    2016:03:01-12:23:00 myutm exim-out[24495]: 2016-03-01 12:23:00 End queue run: pid=24495
    2016:03:01-12:23:00 myutm exim-in[24493]: 2016-03-01 12:23:00 [104.47.1.88] F=<test.test@test.com> R=<me@domain.com> Verifying recipient address with callout
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 ctasd reports 'Unknown' RefID:str=0001.0A0B0201.56D589A7.0353,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 Greylisting: Successful greylist retry from 104.47.1.88 (original host was 104.47.2.85/32)
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 <= test.test@test.com H=mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 P=esmtps X=TLSv1.2:AES256-SHA256:256 S=23123 id=2F4F986272AB394AB6EE9A96ED8F2D66D4EF19D8@internalserver.com
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SSL_write: (from mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400) syscall: Connection reset by peer
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SSL_write error 5
    2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SMTP connection from mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 closed by QUIT
    2016:03:01-12:23:06 myutm smtpd[5337]: QMGR[5337]: 1aajKP-0006N3-13 moved to work queue
    2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKY-0006NG-81 <= test.test@test.com R=1aajKP-0006N3-13 P=INPUT S=13991
    2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="104.47.1.88" from="test.test@test.com" to="me@domain.com" subject="test 12:08" queueid="1aajKY-0006NG-81" size="13991"
    2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKP-0006N3-13 => work R=SCANNER T=SCANNER
    2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKP-0006N3-13 Completed
    2016:03:01-12:23:10 myutm exim-out[24509]: 2016-03-01 12:23:10 1aajKY-0006NG-81 => me@domain.com P=<test.test@test.com> R=static_route_hostlist T=static_smtp H=xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <2F4F986272AB394AB6EE9A96ED8F2D66D4EF19D8@GRISPRDEXCH863.uk1.group.internal> Queued mail f"
    2016:03:01-12:23:10 myutm exim-out[24509]: 2016-03-01 12:23:10 1aajKY-0006NG-81 Completed
    2016:03:01-12:23:39 myutm smtpd[24506]: SCANNER[24506]: Nothing to do, exiting.
    2016:03:01-12:24:00 myutm exim-out[24537]: 2016-03-01 12:24:00 Start queue run: pid=24537
    2016:03:01-12:24:00 myutm exim-out[24537]: 2016-03-01 12:24:00 End queue run: pid=24537

  • The first log lines indicate that you have Greylisting activated. That's the reason it was rejected with the mention "temporarily rejected after DATA: Temporary local problem, please try again!" Some of my peers like greylisting, but I don't think it stops much spam that wouldn't be stopped by other SMTP-time checks.

    Both sets of lines indicate that you are running the 9.4 beta version. The second set is a possible indication of a pre-release bug, so I'm moving this thread to that forum.

    Cheers - Bob

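A small triage script, added here as an example and not part of the thread or of Sophos's tooling: it walks UTM SMTP log lines of the shape quoted above, correlates the inbound queue id with the scanner/outbound id spawned from it, and reports per message whether it was greylisted (nothing ever sent to Exchange), handed to Exchange with a 2xx, or accepted by the UTM with no delivery attempt logged. The sample lines are constructed, with placeholder addresses, hosts and queue ids.

```python
import re

# Constructed sample lines in the Sophos UTM exim/smtpd log format quoted in the
# thread; addresses, hosts and queue ids are placeholders, not real data.
SAMPLE_LOG = """\
2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R Greylisting: Greylisted 198.51.100.7
2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R H=mail.example.org [198.51.100.7]:60170 F=<sender@example.org> temporarily rejected after DATA: Temporary local problem, please try again!
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 Greylisting: Successful greylist retry from 203.0.113.9 (original host was 203.0.113.8/32)
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 <= sender@example.net H=mx.example.net [203.0.113.9]:54400 P=esmtps S=23123
2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKY-0006NG-81 <= sender@example.net R=1aajKP-0006N3-13 P=INPUT S=13991
2016:03:01-12:23:10 myutm exim-out[24509]: 2016-03-01 12:23:10 1aajKY-0006NG-81 => user@example.com P=<sender@example.net> R=static_route_hostlist T=static_smtp H=10.0.0.5 [10.0.0.5]:25 C="250 2.6.0 <id@exch.example.com> Queued mail for delivery"
2016:03:01-12:25:00 myutm smtpd[24520]: SCANNER[24520]: 1aajLZ-0006P0-42 <= other@example.net R=1aajLY-0006Oz-11 P=INPUT S=800
"""

QID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"  # Exim message id shape
RE_GREY = re.compile(rf"\b({QID}) Greylisting: Greylisted ")
RE_REJECT = re.compile(rf"\b({QID}) .*temporarily rejected after DATA")
RE_SCANNER = re.compile(rf"SCANNER\[\d+\]: ({QID}) <= \S+ R=({QID})")
RE_DELIVER = re.compile(rf"\b({QID}) => (\S+) .*T=static_smtp H=(\S+) .*C=\"(\d{{3}})")


def triage(log_text):
    """Return {inbound queue id: verdict} for every message seen in log_text."""
    status = {}  # inbound queue id -> verdict
    alias = {}   # scanner/outbound queue id -> inbound queue id it came from
    for line in log_text.splitlines():
        if m := RE_GREY.search(line):
            status[m.group(1)] = "greylisted: 4xx to sender, nothing sent to Exchange"
        elif m := RE_REJECT.search(line):
            # keep the greylist verdict if one was already recorded for this id
            status.setdefault(m.group(1), "temporarily rejected after DATA (4xx)")
        elif m := RE_SCANNER.search(line):
            alias[m.group(1)] = m.group(2)
            status.setdefault(m.group(2), "accepted and scanned, but no delivery attempt logged")
        elif m := RE_DELIVER.search(line):
            inbound = alias.get(m.group(1), m.group(1))
            rcpt, host, code = m.group(2), m.group(3), m.group(4)
            if code.startswith("2"):
                status[inbound] = f"Exchange at {host} accepted for {rcpt} ({code}); check Exchange logs next"
            else:
                status[inbound] = f"Exchange at {host} answered {code} for {rcpt}"
    return status


if __name__ == "__main__":
    for qid, verdict in triage(SAMPLE_LOG).items():
        print(qid, "->", verdict)
```

Run against the two extracts in the thread it draws the same split Bob does: the first message was greylisted and never left the UTM, while the second got "250 2.6.0 ... Queued mail" from the Exchange host, so the Exchange side is where to look next.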
  • The version that shows in the console is 9.370-24.

    I'll turn greylisting off and test again.

  • The latest released version is 9.355. As the 9.4 beta progresses, you might see 9.38 and 9.39.

    Cheers - Bob

  • Ah ok, good to know.

    So I might just be dealing with a version bug here?

    I will retest again with greylisting and see if it's any different.