Hello
I don't know if there is a solution. I placed this question already on the Sophos Email part of this community, but didn't get an answer.
I have to relay two mail accounts with two different domains (mail.private.com, mail.business.com). They are both by the same provider.
I made my first experiences with relaying of the first one and it's working - external-mail-server-secured-over-xg-firewall.
I also tried to integrate the second mail account (mail.business.com) and I got an error message. One piece of feedback I got was that more than one relay is possible, but the result is an error with a message I don't understand. See also the question I placed at community - smtp-relay-with-two-mail-domains
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
wolfgang@business.com
host local.myfirewall.co [180.100.244.237]
SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
550-Sophos Anti Spam Engine has blocked this Email because the sender IP
550 Address is blacklisted.
---------------------------------------------- message/delivery-status ----------------------------------------------
Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email because the sender IP 550 Address is blacklisted.
---------------------------------------------- message/rfc822 ----------------------------------------------
Return-path: <wolfgang@protonmail.com>
Received: from [180.100.244.237] (port=60360 helo=privat.com) by hos108.unaxus.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <wolfgang@protonmail.com>) id 1kDy1o-00GlD9-7L for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582) by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <wolfgang@protonmail.com>) id 1kDy1h-0001VD-06 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
Date: Thu, 03 Sep 2020 22:47:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1599173266; bh=uidnY6jlxQy6tKVuIn8VjeA4Ly5IH6SAlBKL20lHlJs=; h=Date:To:From:Reply-To:Subject:From; b=MQTvdoWEu9XB8OgwZZmrQreSFSGoXgRLVJpiFNtG3Fz0ZFzMFzT/Lz86S7bemRIA1 1C6COwj617nUhJATi69w4SB3eugf4LR4VNwyxrElaEKi/WxGuNogQZEm7J66o0dIyM fzXgQGcM6WwZsCTlM6vxyaLs3hjWGRncjyYoELMg=
To: "wolfgang@business.com" <wolfgang@business.com>
From: Wolfgang <wolfgang@protonmail.com>
Reply-To: Wolfgang <wolfgang@protonmail.com>
Subject: Test MX 4
Message-ID: <2_GdmVwcsGqDz4Wb6COntnJi_INUmHA7o5Il-LOBYzjCDiP1qnYN2OfgQn2NhZnb4RykMiQT2rr5TXyZqZbLICkEnEfWxJU_VHsPJVf-mxM=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A09020A.5F5172B1.00B6:SCFSTAT63089915,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score: -4.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
X-Sophos-Firewall: smtpd v1.0
This is a multi-part message in MIME format.
--b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
………
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
PGRpdj48YnI+……….--
Hope someone can help to find a solution.
Thanks
Wolfgang
Hello Wolfgang,
Thank you for contacting the Sophos Community!
It seems like the XG is blocking the IP, can you create an exception in the Email Protection for this IP 180.100.244.237.
If I am reading correctly, this was trying to send the email inbound to your server?
Can you provide the output of the smtpd_main.log when this issue happens?
Regards,
Hi Emmanuel
The smtpd_main.log looks like this: (Don't forget my wolfgang@privat.com works fine and it has the same hosting provider.)
18373 1 queue-runner process running
2020-09-15 11:28:13.700 [18374] SMTP connection from [180.70.40.134]:29035 I=[180.100.244.237]:25 (TCP/IP connection count = 1)
2020-09-15 11:28:50.537 [5418] [180.70.40.134] F=<wolfgang@p.com > R=<wolfgang@business.com> Accepted: upstream host
2020-09-15 11:28:50.558 [5418] 1kI7Gc-0001PO-HK <= wolfgang@p.com H=mail-40134.p.ch [180.70.40.134]:29035 I=[180.100.244.237]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2978 M8S=0 RT=0.014s id=7lludyiE3C2DZje3Gr1fsxOZPLAITluZFW62Rq5jOZ-o9NlkEYmSROG7D-zqKpcNUbHV_PyL4OO0EgJQI_Wy1cXM4PimPK36exXz-6WjUhc=@p.com T="MX test" from <wolfgang@p.com> for wolfgang@business.com
2020-09-15 11:28:50.558 [5418] SMTP connection from mail-40134.p.ch [180.70.40.134]:29035 I=[180.100.244.237]:25 closed by QUIT
MSG Sep 15 11:28:50 [ T_SMTPD-M]: new mail queued, add to inqueue '1kI7Gc-0001PO-HK-D'
MSG Sep 15 11:28:50 [ T_SMTPD-W]: Mail assigned to 'MS-18361' for scanning '1kI7Gc-0001PO-HK-D'
MSG Sep 15 11:28:50 [ MS-18361]: scan request 1kI7Gc-0001PO-HK-D
MSG Sep 15 11:28:50 [ MS-18361]: S='wolfgang@p.com' R='wolfgang@business.com' Subject='MX test' Size='2978' Status='Mail has been queued for delivery.' src_ip='180.70.40.134' src_port=29035 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=2
MSG Sep 15 11:28:50 [1kI7Gc-0001PO-HK]: spam scanning result: 'not spam'
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: Avira Antivirus Scanned result: Clean (file number:-1)
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: [0x9bb1c200] FROM: wolfgang@p.com , TO: wolfgang@business.com
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: [0x9bb1c200](wolfgang@business.com)SF Policy Action: ACCEPT
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: move '42XRsx-kPHtto-Fg' to forwarder queue
MSG Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: 42XRsx-kPHtto-Fg <= wolfgang@p.com R=1kI7Gc-0001PO-HK
MSG Sep 15 11:28:51 [ MS-18361]: processing for 1kI7Gc-0001PO-HK completed
MSG Sep 15 11:28:51 [ T_SMTPD-W]: [SMTPD] mail '1kI7Gc-0001PO-HK-D' processed successfully
5857 locking /sdisk/spool/output//db/retry.lockfile
5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
5857 Considering: wolfgang@business.com
5857 unique = wolfgang@business.com
5857 wolfgang@business.com: queued for routing
5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
5857 routing wolfgang@business.com
5857 --------> router_for_notifications router <--------
5857 local_part=wolfgang domain=business.com
5857 checking "condition" "${if and{{bool_lax{1}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
5857 router_for_notifications router skipped: condition failure
5857 --------> batv_redirect router <--------
5857 local_part=wolfgang domain=business.com
5857 checking domains
5857 calling batv_redirect router
5857 expanded:
5857 file is not a filter file
5857 parse_forward_list:
5857 batv_redirect router declined for wolfgang@business.com
5857 --------> static_route_hostlist_for_email router <--------
5857 local_part=wolfgang domain=business.com
5857 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
5857 static_route_hostlist_for_email router skipped: condition failure
5857 --------> static_route_hostlist router <--------
5857 local_part=wolfgang domain=business.com
5857 checking domains
5857 static_route_hostlist router skipped: domains mismatch
5857 --------> static_route_bymx_for_email router <--------
5857 local_part=wolfgang domain=business.com
5857 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
5857 static_route_bymx_for_email router skipped: condition failure
5857 --------> static_route_bymx router <--------
5857 local_part=wolfgang domain=business.com
5857 checking domains
5857 static_route_bymx router skipped: domains mismatch
5857 --------> static_route_bydns_for_email router <--------
5857 local_part=wolfgang domain=business.com
5857 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
5857 calling static_route_bydns_for_email router
5857 static_route_bydns_for_email router called for wolfgang@business.com
5857 domain = business.com
5857 static_route_bydns_for_email router declined for wolfgang@business.com
5857 --------> static_route_bydns router <--------
5857 local_part=wolfgang domain=business.com
5857 checking domains
5857 calling static_route_bydns router
5857 static_route_bydns router called for wolfgang@business.com
5857 domain = business.com
5857 original list of hosts = "mail.business.com" options =
5857 expanded list of hosts = "mail.business.com" options =
5857 set transport static_smtp
5857 finding IP address for mail.business.com
5857 doing DNS lookup
5857 queued for static_smtp transport: local_part = wolfgang
5857 domain = business.com
5857 errors_to=NULL
5857 domain_data=NULL localpart_data=NULL
5857 routed by static_route_bydns router
5857 envelope to: wolfgang@business.com
5857 transport: static_smtp
5857 host business.com [195.191.240.17]
5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
5857 After routing:
5857 Local deliveries:
5857 Remote deliveries:
5857 wolfgang@business.com
5857 Failed addresses:
5857 Deferred addresses:
5858 T: Static_smtp: for wolfgang@business.com
5858 locking /sdisk/spool/output//db/retry.lockfile
5858 Relate with Firewall rule id: 1
5858 LOG: MAIN
5858 [195.191.240.17] SSL verify error: certificate name mismatch: DN="/CN=hos108.unaxus.net" H="business.com"
2020-09-15 11:29:04.473 [5858] 42XRsx-kPHtto-Fg [195.191.240.17] SSL verify error: certificate name mismatch: DN="/CN=hos108.unaxus.net" H="business.com"
5858 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
5857 LOG: MAIN
5857 => wolfgang@business.com F=<wolfgang@p.com> P=<wolfgang@p.com> R=static_route_bydns T=static_smtp S=3365 H=business.com [195.191.240.17]:25 I=[180.100.244.237]:59216 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=hos108.unaxus.net" C="250 OK id=1kI7Gq-00DTGD-LF" QT=14s DT=0.248s
2020-09-15 11:29:04.649 [5857] 42XRsx-kPHtto-Fg => wolfgang@business.com F=<wolfgang@p.com> P=<wolfgang@p.com> R=static_route_bydns T=static_smtp S=3365 H=business.com [195.191.240.17]:25 I=[180.100.244.237]:59216 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=hos108.unaxus.net" C="250 OK id=1kI7Gq-00DTGD-LF" QT=14s DT=0.248s
5857 LOG: MAIN
5857 Completed QT=14s
2020-09-15 11:29:04.650 [5857] 42XRsx-kPHtto-Fg Completed QT=14s
2020-09-15 11:29:04.759 [18374] SMTP connection from [195.191.240.17]:59406 I=[180.100.244.237]:25 (TCP/IP connection count = 1)
2020-09-15 11:29:35.086 [5864] [195.191.240.17] F=<wolfgang@p.com> R=<wolfgang@business.com> Rejected: sender IP is RBL listed
2020-09-15 11:29:35.092 [5864] H=hos108.unaxus.net [195.191.240.17]:59406 I=[180.100.244.237]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<wolfgang@p.com> rejected RCPT <wolfgang@business.com>: Sophos Anti Spam Engine has blocked this Email because the sender IP Address is blacklisted.
2020-09-15 11:29:35.092 [5864] SMTP connection from hos108.unaxus.net [195.191.240.17]:59406 I=[180.100.244.237]:25 closed by DROP in ACL
The IP 180.100.244.237 is my WAN address (port2)
Shouldn't be blocked anyway.
Regards
Wolfgang
Your assumption is not correct: you are blacklisted with this IP:
Have a look yourself: https://mxtoolbox.com/Problem/Blacklist/UCEPROTECTL3/?page=prob_blacklist&ip=180.100.244.237&link=button&action=blacklist:180.100.244.237&showLogin=1&hidetoc=1&reason=127.0.0.2
Kind regards from Germany,
Philipp Rusch
New Vision GmbH, Germany
Sophos Silver-Partner
Hello Wolfgang,
Thank you for the follow-up.
I do see your public IP is blacklisted so that for sure will cause some issues.
However, I don't understand how you are testing the email flow.
Do you have both domains behind the XG and you are sending from Domain1 to Domain2 (Both of them behind the XG) to test this?
If you are ok I would like to check your configuration, can you enable Support Access in your device and send me the Access ID by PM.
Monitor & Analyze >> Diagnostics >> Support Access >> ON >> Access Status >> And copy & paste the Access ID and send it to me.
Hi Philipp
Sorry for the confusion of the IP-Address. My IP-Address isn't blacklisted. It's not the original address.
I keep the IP and MAC addresses which are reachable by public secure in community. The original address is green.
Btw. from the same address I relay another mail account without any problems.
Both of my mail accounts are by a hoster. The redirection is done over the XG Firewall.
MX XG Prio 1 WAN(port2)
MX hoster Prio 2 mail.business.com
This part works correctly:
MX XG Prio 1 WAN(port2)
MX hoster Prio 2 mail.privat.com
The flow is: Sending a mail (according to MX information) to WAN of XG (port2), then mail check and relaying over port2 to hoster (DNS) mail.business.com
The funny thing is that exactly this flow works for the privat mail domain.
There is one part which I think could be the problem. But in this case, an smtp-relay with more than one mail domain wouldn't be possible. In the smtp settings I have to declare a domain. In my case "privat.com". The HELO will be "privat.com", which isn't the same as "business.com".
I will send you the access ID, but have to update the MX record first.
Reading your lines several times, I think there is a big confusion about how SMTP works. Even if you have more than one MX record, only one of them is actually used. The other DNS-entries are only tried, if that particular server is offline. So this is not worked through in sequence, the mail is processed by the first MX which is online. And then the Sophos mail-processing is done, the mail is passed to the server you declare "responsible" for your domain in the Sophos settings.
Philipp
Hello Philipp
You're right. Just one is used and exactly this one with the lowest priority. That means the MX record for the XG. I understood that correctly.
The second one is just for the case that the first one does not respond. But that will not happen because the WAN Interface will accept the request. I see all mails in the mail spool / mail logs.
The problem is, that according to one of the answers by external-mail-server-secured-over-xg-firewall, which I added as link, more than one mail domains should be relayed.
"Step5: Scan and Filter Inbound Emails -> By the SMTP Policy I used my personal domain (private.com) located by my provider. I have also a business domain (business.com). By the General settings of the email is only 1 SMTP Hostname possible. I have at least 2. Is it possible to add the second and more to the protected domain list, if I route with MX RECORD?"
Route with MX RECORD didn't work due to these two MX RECORDS. I changed it to DNS Name mail.private.com and it worked. Instead of adding the business.com to the protected domain list, I made a second SMTP Policy.
I would like to send Emmanuel the Access ID but it seems that I have there another problem, because I get just
Now I read your other thread about your attempts to get SMTP relaying going with multiple domains.
You use Sophos XG as an MTA in this scenario. MTA = Mail Transport Agent.
This is NOT a complete mailserver, think of it as a mailserver, that has no mailboxes, but receives mail for other servers, which are holding the mailboxes for the final recipients.
1. This MTA needs an OWN name, of course, this is "SMTP hostname".
2. Then you need to tell the MTA which domains it should accept (these could be hundreds).
3. After accepting mails and doing several checks, the MTA needs to know where to send the mails to, this would be the server holding the mailboxes for his clients. If using the MX records you supplied before, you would create a loop, because you point to your WAN address again. That's the reason why your "DNS hostname" routing succeeded. You have to point to a different server here! "Normally" this would be an internal mailserver at the local LAN-side of the firewall, so you could control the (internal) DNS/MX here. But in your case, where you don't have any mailserver locally, you have to go that way.
4. After queueing/sending the mail to the final destination server ("Mailbox-Server"), the Sophos-MTA is done.
5. You pull the mail with your preferred mail-client from your "Mailbox-Server".
Personally, after receiving with the Sophos MTA, I would consolidate ALL mail-domains to one "Mailbox-Server" (means send all mails to this as target) and use this as the one and only source for my mail-client(s).
Hope this helps, regards,
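The pattern visible at the end of the posted smtpd_main.log, and the loop described in point 3 above, can be checked for mechanically: a message is relayed to a next hop, and the same envelope then arrives back from that next hop's IP. The following is an added example, not part of the original thread and not Sophos code; `find_relay_loops` is a hypothetical name, and the sample lines are shortened from the thread's log plus one constructed line.

```python
import re

# Constructed sample: three lines shortened from the smtpd_main.log excerpt in
# the thread, plus one made-up delivery for the working domain (192.0.2.10 is
# a documentation address, not a value from the thread).
SAMPLE_LOG = """\
2020-09-15 11:28:50.537 [5418] [180.70.40.134] F=<wolfgang@p.com > R=<wolfgang@business.com> Accepted: upstream host
2020-09-15 11:29:04.649 [5857] 42XRsx-kPHtto-Fg => wolfgang@business.com F=<wolfgang@p.com> R=static_route_bydns T=static_smtp H=business.com [195.191.240.17]:25 C="250 OK id=1kI7Gq-00DTGD-LF"
2020-09-15 11:29:10.000 [5860] CONSTRUCTED-ID => wolfgang@privat.com F=<wolfgang@p.com> R=static_route_bydns T=static_smtp H=privat.com [192.0.2.10]:25 C="250 OK"
2020-09-15 11:29:35.086 [5864] [195.191.240.17] F=<wolfgang@p.com> R=<wolfgang@business.com> Rejected: sender IP is RBL listed
"""

# Outbound delivery line: "=> rcpt F=<sender> ... H=host [ip]:port"
DELIVERY = re.compile(
    r"=> (?P<rcpt>\S+) F=<(?P<sender>[^>]*)>.* H=\S+ \[(?P<ip>[\d.]+)\]")
# Inbound RCPT verdict line: "[pid] [peer-ip] F=<sender> R=<rcpt> Accepted|Rejected: ..."
INBOUND = re.compile(
    r"\] \[(?P<ip>[\d.]+)\] F=<(?P<sender>[^>]*)> R=<(?P<rcpt>[^>]*)> "
    r"(?P<verdict>(?:Accepted|Rejected): .*)$")


def find_relay_loops(log_text):
    """Return (next_hop_ip, sender, rcpt, verdict) for every envelope that the
    host it was just relayed to hands back on an inbound connection."""
    delivered = set()  # (next_hop_ip, sender, rcpt) taken from '=>' lines
    loops = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if m:
            delivered.add((m["ip"], m["sender"].strip(), m["rcpt"]))
            continue
        m = INBOUND.search(line)
        if m:
            key = (m["ip"], m["sender"].strip(), m["rcpt"])
            if key in delivered:  # same envelope, coming from our own next hop
                loops.append(key + (m["verdict"],))
    return loops


if __name__ == "__main__":
    for ip, sender, rcpt, verdict in find_relay_loops(SAMPLE_LOG):
        print(f"loop: {sender} -> {rcpt} came back from next hop {ip} ({verdict})")
```

On the sample it flags only the business.com envelope; the constructed privat.com delivery never comes back and is not reported.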