Sophos UTM and Exchange 2016 inbound email not working

Hi Chris, and welcome to the  UTM Community!

How does your configuration compare to

Cheers - Bob

Hi Bob

    thanks for replying,  i had set it to advanced to use mail profiles as it was blocking the MS connectivity site emails, other wise it matches.

In the UTM logs i can see mail hitting it but i can't see traffic between that and the mail server either from the UTM or the exchange side. Should the relay be present in the SMTP logs when the UTM goes to exchange

just starting to get some network captures to see if its actually trying 

further to this i setup a specific receive connector and i am getting some mails but some are going into a black hole

The UTM say its has accepted them and can see it going through the normal SMTP steps but i can't see it hitting the exchange server

I have to admit that I'm not following your description of what you're seeing. Perhaps you could show us pictures and log lines.

Cheers - Bob

I have to admit that I'm not following your description of what you're seeing. Perhaps you could show us pictures and log lines.

Cheers - Bob

I am seeing SMTP connections coming into the UTM, be processed and then not get passed onto exchange

here is extract 1of 2 of emails that didn't make it past the UTM and onto exchange

2016:03:01-12:20:50 myutm exim-in[24422]: 2016-03-01 12:20:50 H=mail.test.com [xxx.xxx.xxx.xxx]]:60170 Warning: domain.com profile excludes SANDBOX scan
2016:03:01-12:20:52 myutm exim-in[24422]: 2016-03-01 12:20:52 [xxx.xxx.xxx.xxx] F=<test.testyson@testdomain.com> R=<me@domain.com> Verifying recipient address with callout
2016:03:01-12:20:44 myutm exim-in[5566]: 2016-03-01 12:20:44 SMTP connection from [xxx.xxx.xxx.xxx]:60170 (TCP/IP connection count = 1)
2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R ctasd reports 'Unknown' RefID:str=0001.0A0B0202.56D5892B.0289:SCFMA34161327,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=1024
2016:03:01-12:20:59 myutm exim-in[24422]: 2016-03-01 12:20:59 1aajIK-0006Lu-2R Greylisting: Greylisted xxx.xxx.xxx.xxx
2016:03:01-12:20:59 myutm exim-in[24422]: [1\42] 2016-03-01 12:20:59 1aajIK-0006Lu-2R H=mail.test.com [xxx.xxx.xxx.xxx]:60170 F=<testy.testerson@testdomain.com temporarily rejected after DATA: Temporary local problem, please try again!
2016:03:01-12:20:59 myutm exim-in[24422]: [2\42] Envelope-from: <testy.testerson@testdomain.com
2016:03:01-12:20:59 myutm exim-in[24422]: [3\42] Envelope-to: <me@domain.com>
2016:03:01-12:20:59 myutm exim-in[24422]: [4\42] P Received: from mail.test.com ([xxx.xxx.xxx.xxx]:60170)
2016:03:01-12:20:59 myutm exim-in[24422]: [5\42] by UTM.domain.com with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
2016:03:01-12:20:59 myutm exim-in[24422]: [6\42] (Exim 4.82_1-5b7a7c0-XX)
2016:03:01-12:20:59 myutm exim-in[24422]: [7\42] (envelope-from <test.testyson@testdomain.com>)
2016:03:01-12:20:59 myutm exim-in[24422]: [8\42] id 1aajIK-0006Lu-2R
2016:03:01-12:20:59 myutm exim-in[24422]: [9\42] for me@domain.com; Tue, 01 Mar 2016 12:20:57 +0000
2016:03:01-12:20:59 myutm exim-in[24422]: [10\42] P Received: from DESKTOPIJKJPUI ([188.29.165.72]) by mail.test.com (mrgmx102)
2016:03:01-12:20:59 myutm exim-in[24422]: [11\42] with ESMTPSA (Nemesis) id 0LosFD-1ZzTn73VsZ-00gllu for
2016:03:01-12:20:59 myutm exim-in[24422]: [12\42] <me@domain.com>; Tue, 01 Mar 2016 13:20:43 +0100
2016:03:01-12:20:59 myutm exim-in[24422]: [13\42] X-CTCH-RefID: str=0001.0A0B0202.56D5892B.0289:SCFMA34161327,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=1024
2016:03:01-12:20:59 myutm exim-in[24422]: [14\42] F From: "Test Testyson" <test.testyson@testdomain.com>
2016:03:01-12:20:59 myutm exim-in[24422]: [15\42] T To: <me@domain.com>
2016:03:01-12:20:59 myutm exim-in[24422]: [16\42] Subject: .co.uk TEST
2016:03:01-12:20:59 myutm exim-in[24422]: [17\42] Date: Tue, 1 Mar 2016 12:20:39 -0000
2016:03:01-12:20:59 myutm exim-in[24422]: [18\42] I Message-ID: <003501d173b4$c6ef63e0$54ce2ba0$@gmx.com>
2016:03:01-12:20:59 myutm exim-in[24422]: [19\42] MIME-Version: 1.0
2016:03:01-12:20:59 myutm exim-in[24422]: [20\42] Content-Type: multipart/alternative;
2016:03:01-12:20:59 myutm exim-in[24422]: [21\42] boundary="----=_NextPart_000_0036_01D173B4.C6F00020"
2016:03:01-12:20:59 myutm exim-in[24422]: [22\42] X-Mailer: Microsoft Outlook 16.0
2016:03:01-12:20:59 myutm exim-in[24422]: [23\42] Thread-Index: AdFztMIOWpyhSlZ5R5STdULyp4g4eA==
2016:03:01-12:20:59 myutm exim-in[24422]: [24\42] Content-Language: en-gb
2016:03:01-12:20:59 myutm exim-in[24422]: [25\42] X-Provags-ID: V03:K0:D+NyfWDJN7XpjqmBpr9+jUqEg2U57N3BHGEVWLtzIzb80eTbEyC
2016:03:01-12:20:59 myutm exim-in[24422]: [26\42] rUcdlTi2B6t+WxZYlCP3gqn6iXl5F/ipekafjaOGMPD8SZsyu+Ii3dmW4384PEvFDyYFegB
2016:03:01-12:20:59 myutm exim-in[24422]: [27\42] Ek8WF2PJk4gJQEc8mETRp6kD/H2auB0sc338XNsp/SZyKzkAUlGlQwVzv1+FLfd/ddNUvLE
2016:03:01-12:20:59 myutm exim-in[24422]: [28\42] AUOGEe+dEmLteJoye+gWg==
2016:03:01-12:20:59 myutm exim-in[24422]: [29\42] X-UI-Out-Filterresults: notjunk:1;V01:K0:8RzSZt606JE=:dx9kUDVc1SSj0KvZlrdWo7
2016:03:01-12:20:59 myutm exim-in[24422]: [30\42] 9yOuZrzdLg8T48tIUbK3+RlXMi5vZL4xHNc2QflQXLIvf1oWoteYbCqn6zs+bfahKM5nF8FY1
2016:03:01-12:20:59 myutm exim-in[24422]: [31\42] M57Z4l4Kh4Yknc6db/1DwWYYQC0ACWYJo+Fm+1205GuVt0Ry+jMAqh9DiOZ2kcbbwMjbnggRU
2016:03:01-12:20:59 myutm exim-in[24422]: [32\42] 1idn2bF4cb26a+yujx3L3i2oIEZmGAudHtst7lo5q1Hp/0kaBMXCDUcILrrfQ2Bx4yecmmOqp
2016:03:01-12:20:59 myutm exim-in[24422]: [33\42] uTSdtIOCDuS3NX9r9zw0CcnyGxAd7OVkIuNUnX7sCRZOB6IGKuIGiXbc5p0RJ5tFM9qiYduYd
2016:03:01-12:20:59 myutm exim-in[24422]: [34\42] 3JzIYGqPw802dvDdDt7GmyoZm6wrJdQ6lXm424FMOJlWr5uajMYaZcmM4rn3yZvloVmxUSbRV
2016:03:01-12:20:59 myutm exim-in[24422]: [35\42] Pv/0SI7CZiPYpUs4Z7RRFDJBQo6Q/cV3DxW1lsCEl+ms0omUaPBA0wspeQ2SWAYfKnvhkvgnP
2016:03:01-12:20:59 myutm exim-in[24422]: [36\42] +woJkbZHwl802MF0KZOw+ZvL0QKG0kwrETsd+aAnUGGEDTuneASkaEcMRCjOyR/Goy7nn8IDG
2016:03:01-12:20:59 myutm exim-in[24422]: [37\42] +evSTmAZjb9ReAdZ56/6RTxwJAcqhs/xjB6xNTsnZzvJ6h3ylNJQXhO7EcjEu56UhxrHH+0g2
2016:03:01-12:20:59 myutm exim-in[24422]: [38\42] rAG8DDEVQqeVfzzGANrGDLOOIRnffexkANVgt2InQ94oWbz8PvUMzxc0lyGPGjrOpHgVDI1p9
2016:03:01-12:20:59 myutm exim-in[24422]: [39\42] +DDuJmuGjrI5/0nKaA/Y3U93hWAhHJyK3BI9QrUS2xXA2hdgXM4NZnhRDqQg3x9RIiWFGJ0nl
2016:03:01-12:20:59 myutm exim-in[24422]: [40\42] V3ixO/UVycyFaw4Wn0rTsiym74XmgTTCNjI61OHGtAdtLyMxXTvaLfUFQsZpzwYgu5Aih+Czw
2016:03:01-12:20:59 myutm exim-in[24422]: [41\42] wyo5RqTJLCxLTRii2yZzSae82EebGJAvNNCrnaq1oW4nPwAUZNSU1LHC/g9JmLr+whFxCoMjh
2016:03:01-12:20:59 myutm exim-in[24422]: [42/42] XaikVQDYdHmFzHwhArUA==
2016:03:01-12:21:00 myutm exim-out[24432]: 2016-03-01 12:21:00 Start queue run: pid=24432
2016:03:01-12:21:00 myutm exim-out[24432]: 2016-03-01 12:21:00 End queue run: pid=24432
2016:03:01-12:21:00 myutm exim-in[24422]: 2016-03-01 12:21:00 SMTP connection from mail.test.com [xxx.xxx.xxx.xxx]:60170 closed by QUIT
2016:03:01-12:22:00 myutm exim-out[24464]: 2016-03-01 12:22:00 Start queue run: pid=24464
2016:03:01-12:22:00 myutm exim-out[24464]: 2016-03-01 12:22:00 End queue run: pid=24464

2 of 2 - the log show that was passed off to the exchange server but there is no trace in the exchange logs

2016:03:01-12:22:56 myutm exim-in[5566]: 2016-03-01 12:22:56 SMTP connection from [104.47.1.88]:54400 (TCP/IP connection count = 1)
2016:03:01-12:22:59 myutm exim-in[24493]: 2016-03-01 12:22:59 H=mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 Warning: wallisphotos.co.uk profile excludes SANDBOX scan
2016:03:01-12:23:00 myutm exim-out[24495]: 2016-03-01 12:23:00 Start queue run: pid=24495
2016:03:01-12:23:00 myutm exim-out[24495]: 2016-03-01 12:23:00 End queue run: pid=24495
2016:03:01-12:23:00 myutm exim-in[24493]: 2016-03-01 12:23:00 [104.47.1.88] F=<test.test@test.com> R=<me@domain.com> Verifying recipient address with callout
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 ctasd reports 'Unknown' RefID:str=0001.0A0B0201.56D589A7.0353,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 Greylisting: Successful greylist retry from 104.47.1.88 (original host was 104.47.2.85/32)
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 1aajKP-0006N3-13 <= test.test@test.com H=mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 P=esmtps X=TLSv1.2:AES256-SHA256:256 S=23123 id=2F4F986272AB394AB6EE9A96ED8F2D66D4EF19D8@internalserver.com
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SSL_write: (from mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400) syscall: Connection reset by peer
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SSL_write error 5
2016:03:01-12:23:04 myutm exim-in[24493]: 2016-03-01 12:23:04 SMTP connection from mail-ve1eur01on0088.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com) [104.47.1.88]:54400 closed by QUIT
2016:03:01-12:23:06 myutm smtpd[5337]: QMGR[5337]: 1aajKP-0006N3-13 moved to work queue
2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKY-0006NG-81 <= test.test@test.com R=1aajKP-0006N3-13 P=INPUT S=13991
2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="104.47.1.88" from="test.test@test.com" to="me@domain.com" subject="test 12:08" queueid="1aajKY-0006NG-81" size="13991"
2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKP-0006N3-13 => work R=SCANNER T=SCANNER
2016:03:01-12:23:10 myutm smtpd[24506]: SCANNER[24506]: 1aajKP-0006N3-13 Completed
2016:03:01-12:23:10 myutm exim-out[24509]: 2016-03-01 12:23:10 1aajKY-0006NG-81 => me@domain.com P=<test.test@test.com> R=static_route_hostlist T=static_smtp H=xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <2F4F986272AB394AB6EE9A96ED8F2D66D4EF19D8@GRISPRDEXCH863.uk1.group.internal> Queued mail f"
2016:03:01-12:23:10 myutm exim-out[24509]: 2016-03-01 12:23:10 1aajKY-0006NG-81 Completed
2016:03:01-12:23:39 myutm smtpd[24506]: SCANNER[24506]: Nothing to do, exiting.
2016:03:01-12:24:00 myutm exim-out[24537]: 2016-03-01 12:24:00 Start queue run: pid=24537
2016:03:01-12:24:00 myutm exim-out[24537]: 2016-03-01 12:24:00 End queue run: pid=24537

The first log lines indicate that you have Greylisting activated.  That's the reason it was rejected with the mention "temporarily rejected after DATA: Temporary local problem, please try again!"  Some of my peers like greylisting, but I don't think it stops much spam that wouldn't be stopped by other SMTP-time checks.

Both sets of lines indicate that you are running the 9.4 beta version.  The second set is a possible indication of a pre-release bug, so I'm moving this thread to that forum.

Cheers - Bob

the version that shows in the console is 9.370-24

i'll turn greylisting off and test again

The latest released version is 9.355.  As the 9.4 beta progresses, you might see 9.38 and 9.39.

Cheers - Bob

ah ok, good to know.

so i might just be dealing with a version bug here?

I will retest again with greylisting and see if its any different.

at the moment it looks like its doing something very weird. Despite having a defined send connector IP address it seems to fail back to the default one which fails it but doesn't give a good reason why. On the positive side i can't see emails disappearing into a black hole now.

I am in the process of building an edge server to sit in between and see if that will sort out the routing better

Figured a way around this. I have put the Exchange edge role in between them and now its working fine so far, blocking stuff it should be and delivery things it should be