SMTP relay with more than one domain

Hello

I don't know if there is a solution. I placed this question already on the Sophos Email part of this community, but didn't get an answer.

I have to relay two mail accounts with two different domains (mail.private.com, mail.business.com). They are both with the same provider.

I gained my first experience with relaying the first one, and it's working: external-mail-server-secured-over-xg-firewall.

I also tried to integrate the second mail account (mail.business.com) and I got an error message. One piece of feedback I got was that relaying more than one domain is possible, but the result is an error with a message I don't understand. See also the question I placed in the community: smtp-relay-with-two-mail-domains

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:

  wolfgang@business.com
    host local.myfirewall.co [180.100.244.237]
    SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
    550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.

---------------------------------------------- message/delivery-status ----------------------------------------------
Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email because the sender IP 550 Address is blacklisted.
---------------------------------------------- message/rfc822 ----------------------------------------------
Return-path: <wolfgang@protonmail.com>
Received: from [180.100.244.237] (port=60360 helo=privat.com) by hos108.unaxus.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <wolfgang@protonmail.com>) id 1kDy1o-00GlD9-7L for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582) by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <wolfgang@protonmail.com>) id 1kDy1h-0001VD-06 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
Date: Thu, 03 Sep 2020 22:47:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1599173266; bh=uidnY6jlxQy6tKVuIn8VjeA4Ly5IH6SAlBKL20lHlJs=; h=Date:To:From:Reply-To:Subject:From; b=MQTvdoWEu9XB8OgwZZmrQreSFSGoXgRLVJpiFNtG3Fz0ZFzMFzT/Lz86S7bemRIA1 1C6COwj617nUhJATi69w4SB3eugf4LR4VNwyxrElaEKi/WxGuNogQZEm7J66o0dIyM fzXgQGcM6WwZsCTlM6vxyaLs3hjWGRncjyYoELMg=
To: "wolfgang@business.com" <wolfgang@business.com>
From: Wolfgang <wolfgang@protonmail.com>
Reply-To: Wolfgang <wolfgang@protonmail.com>
Subject: Test MX 4
Message-ID: <2_GdmVwcsGqDz4Wb6COntnJi_INUmHA7o5Il-LOBYzjCDiP1qnYN2OfgQn2NhZnb4RykMiQT2rr5TXyZqZbLICkEnEfWxJU_VHsPJVf-mxM=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A09020A.5F5172B1.00B6:SCFSTAT63089915,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score: -4.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
X-Sophos-Firewall: smtpd v1.0

This is a multi-part message in MIME format.
--b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
………
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
PGRpdj48YnI+……….--

Hope someone can help to find a solution.

Thanks
Wolfgang

  • Hello Wolfgang,

    Thank you for contacting the Sophos Community!

    It seems like the XG is blocking the IP; can you create an exception in the Email Protection for this IP, 180.100.244.237?

    If I am reading correctly, this was trying to send the email inbound to your server?

    Can you provide the output of the smtpd_main.log when this issue happens?

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel

    The smtpd_main.log looks like this:
    (Don't forget that my wolfgang@privat.com works fine, and it has the same hosting provider.)

    18373 1 queue-runner process running

    2020-09-15 11:28:13.700 [18374] SMTP connection from [180.70.40.134]:29035 I=[180.100.244.237]:25 (TCP/IP connection count = 1)

    18373 1 queue-runner process running

    2020-09-15 11:28:50.537 [5418] [180.70.40.134] F=<wolfgang@p.com > R=<wolfgang@business.com> Accepted: upstream host
    2020-09-15 11:28:50.558 [5418] 1kI7Gc-0001PO-HK <= wolfgang@p.com H=mail-40134.p.ch [180.70.40.134]:29035 I=[180.100.244.237]:25 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2978 M8S=0 RT=0.014s id=7lludyiE3C2DZje3Gr1fsxOZPLAITluZFW62Rq5jOZ-o9NlkEYmSROG7D-zqKpcNUbHV_PyL4OO0EgJQI_Wy1cXM4PimPK36exXz-6WjUhc=@p.com T="MX test" from <wolfgang@p.com> for wolfgang@business.com
    2020-09-15 11:28:50.558 [5418] SMTP connection from mail-40134.p.ch [180.70.40.134]:29035 I=[180.100.244.237]:25 closed by QUIT
    MSG   Sep 15 11:28:50 [ T_SMTPD-M]: new mail queued, add to inqueue '1kI7Gc-0001PO-HK-D'
    MSG   Sep 15 11:28:50 [ T_SMTPD-W]: Mail assigned to 'MS-18361' for scanning '1kI7Gc-0001PO-HK-D'
    MSG   Sep 15 11:28:50 [  MS-18361]: scan request 1kI7Gc-0001PO-HK-D
    MSG   Sep 15 11:28:50 [  MS-18361]: S='wolfgang@p.com' R='wolfgang@business.com' Subject='MX test' Size='2978' Status='Mail has been queued for delivery.' src_ip='180.70.40.134' src_port=29035 user_id=0 user_grp_id=0 fw_id=1 src_zone_id=2
    MSG   Sep 15 11:28:50 [1kI7Gc-0001PO-HK]: spam scanning result: 'not spam'
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: Sophos Antivirus Scanned result: Clean (file number:-1)
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: Avira Antivirus Scanned result: Clean (file number:-1)
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: [0x9bb1c200] FROM: wolfgang@p.com , TO: wolfgang@business.com
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: [0x9bb1c200](wolfgang@business.com)SF Policy Action: ACCEPT
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: move '42XRsx-kPHtto-Fg' to forwarder queue
    MSG   Sep 15 11:28:51 [1kI7Gc-0001PO-HK]: 42XRsx-kPHtto-Fg <= wolfgang@p.com R=1kI7Gc-0001PO-HK
    MSG   Sep 15 11:28:51 [  MS-18361]: processing for 1kI7Gc-0001PO-HK completed
    MSG   Sep 15 11:28:51 [ T_SMTPD-W]: [SMTPD] mail '1kI7Gc-0001PO-HK-D' processed successfully

    18373 1 queue-runner process running

     5857 locking /sdisk/spool/output//db/retry.lockfile
     5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     5857 Considering: wolfgang@business.com
     5857 unique = wolfgang@business.com
     5857 wolfgang@business.com: queued for routing
     5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     5857 routing wolfgang@business.com
     5857 --------> router_for_notifications router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking "condition" "${if and{{bool_lax{1}}{bool_lax{${if eq{$acl_c1}{1}{1}{0}}}}}}"...
     5857 router_for_notifications router skipped: condition failure
     5857 --------> batv_redirect router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking domains
     5857 calling batv_redirect router
     5857 expanded:
     5857 file is not a filter file
     5857 parse_forward_list:
     5857 batv_redirect router declined for wolfgang@business.com
     5857 --------> static_route_hostlist_for_email router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking "condition" "${if match_address{$local_part@$domain}{+hostlist_route_emails}{1}{0}}"...
     5857 static_route_hostlist_for_email router skipped: condition failure
     5857 --------> static_route_hostlist router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking domains
     5857 static_route_hostlist router skipped: domains mismatch
     5857 --------> static_route_bymx_for_email router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking "condition" "${if match_address{$local_part@$domain}{+mx_route_emails}{1}{0}}"...
     5857 static_route_bymx_for_email router skipped: condition failure
     5857 --------> static_route_bymx router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking domains
     5857 static_route_bymx router skipped: domains mismatch
     5857 --------> static_route_bydns_for_email router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking "condition" "${if match_address{$local_part@$domain}{+dns_route_emails}{1}{0}}"...
     5857 calling static_route_bydns_for_email router
     5857 static_route_bydns_for_email router called for wolfgang@business.com
     5857   domain = business.com
     5857 static_route_bydns_for_email router declined for wolfgang@business.com
     5857 --------> static_route_bydns router <--------
     5857 local_part=wolfgang domain=business.com
     5857 checking domains
     5857 calling static_route_bydns router
     5857 static_route_bydns router called for wolfgang@business.com
     5857   domain = business.com
     5857 original list of hosts = "mail.business.com" options =
     5857 expanded list of hosts = "mail.business.com" options =
     5857 set transport static_smtp
     5857 finding IP address for mail.business.com
     5857 doing DNS lookup
     5857 queued for static_smtp transport: local_part = wolfgang
     5857 domain = business.com
     5857   errors_to=NULL
     5857   domain_data=NULL localpart_data=NULL
     5857 routed by static_route_bydns router
     5857   envelope to: wolfgang@business.com
     5857   transport: static_smtp
     5857   host business.com [195.191.240.17]
     5857 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
     5857 After routing:
     5857   Local deliveries:
     5857   Remote deliveries:
     5857     wolfgang@business.com
     5857   Failed addresses:
     5857   Deferred addresses:
     5858 T: Static_smtp: for wolfgang@business.com
     5858 locking /sdisk/spool/output//db/retry.lockfile
     5858 Relate with Firewall rule id: 1
     5858 LOG: MAIN
     5858   [195.191.240.17] SSL verify error: certificate name mismatch: DN="/CN=hos108.unaxus.net" H="business.com"
    2020-09-15 11:29:04.473 [5858] 42XRsx-kPHtto-Fg [195.191.240.17] SSL verify error: certificate name mismatch: DN="/CN=hos108.unaxus.net" H="business.com"
     5858 locking /sdisk/spool/output//db/wait-static_smtp.lockfile
     5857 LOG: MAIN
     5857   => wolfgang@business.com F=<wolfgang@p.com> P=<wolfgang@p.com> R=static_route_bydns T=static_smtp S=3365 H=business.com [195.191.240.17]:25 I=[180.100.244.237]:59216 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=hos108.unaxus.net" C="250 OK id=1kI7Gq-00DTGD-LF" QT=14s DT=0.248s
    2020-09-15 11:29:04.649 [5857] 42XRsx-kPHtto-Fg => wolfgang@business.com F=<wolfgang@p.com> P=<wolfgang@p.com> R=static_route_bydns T=static_smtp S=3365 H=business.com [195.191.240.17]:25 I=[180.100.244.237]:59216 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no DN="/CN=hos108.unaxus.net" C="250 OK id=1kI7Gq-00DTGD-LF" QT=14s DT=0.248s
     5857 LOG: MAIN
     5857   Completed QT=14s
    2020-09-15 11:29:04.650 [5857] 42XRsx-kPHtto-Fg Completed QT=14s               
    2020-09-15 11:29:04.759 [18374] SMTP connection from [195.191.240.17]:59406 I=[180.100.244.237]:25 (TCP/IP connection count = 1)

    18373 1 queue-runner process running

    2020-09-15 11:29:35.086 [5864] [195.191.240.17] F=<wolfgang@p.com> R=<wolfgang@business.com> Rejected: sender IP is RBL listed
    2020-09-15 11:29:35.092 [5864] H=hos108.unaxus.net [195.191.240.17]:59406 I=[180.100.244.237]:25 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<wolfgang@p.com> rejected RCPT <wolfgang@business.com>: Sophos Anti Spam Engine has blocked this Email because the sender IP Address is blacklisted.
    2020-09-15 11:29:35.092 [5864] SMTP connection from hos108.unaxus.net [195.191.240.17]:59406 I=[180.100.244.237]:25 closed by DROP in ACL

    18373 1 queue-runner process running

  • Hi Emmanuel

    The IP 180.100.244.237 is my WAN address (port2).

    It shouldn't be blocked anyway.

    Regards
    Wolfgang

  • Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Wolfgang,

    Thank you for the follow-up.

    I do see your public IP is blacklisted so that for sure will cause some issues.

    However, I don't understand how you are testing the email flow.

    Do you have both domains behind the XG and you are sending from Domain1 to Domain2 (Both of them behind the XG) to test this?

    If you are OK with it, I would like to check your configuration; can you enable Support Access on your device and send me the Access ID by PM?

    Monitor & Analyze >> Diagnostics >> Support Access >> ON >> Access Status >> And copy & paste the Access ID and send it to me.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Hi Philipp

    Sorry for the confusion about the IP address. My IP address isn't blacklisted; it's not the original address.

    I keep the IP and MAC addresses that are publicly reachable secure in the community. The original address is green.

    Btw, from the same address I relay another mail account without any problems.

    Thanks
    Wolfgang

  • Hi Emmanuel

    Both of my mail accounts are with a hoster. The redirection is done over the XG Firewall.

    MX XG      Prio 1 WAN(port2)
    MX hoster Prio 2 mail.business.com

    This part works correctly:
    MX XG      Prio 1 WAN(port2)
    MX hoster Prio 2 mail.privat.com

    The flow is:
    Sending a mail (according to the MX information) to the WAN of the XG (port2), then mail check and relaying over port2 to the hoster (DNS) mail.business.com.

    The funny thing is that exactly this flow works for the privat mail domain.

    There is one part which I think could be the problem. But in this case, an SMTP relay with more than one mail domain wouldn't be possible.
    In the SMTP settings I have to declare a domain. In my case "privat.com". The HELO will be "privat.com", which isn't the same as "business.com".

    I will send you the access ID, but have to update the MX record first.

    Regards
    Wolfgang

  • Hello Wolfgang,

    Reading your lines several times, I think there is a big confusion about how SMTP works. Even if you have more than one MX record, only one of them is actually used. The other DNS entries are only tried if that particular server is offline. So this is not worked through in sequence; the mail is processed by the first MX which is online. And once the Sophos mail-processing is done, the mail is passed to the server you declare "responsible" for your domain in the Sophos settings.

    Regards,

    Philipp

    Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Philipp

    You're right. Just one is used, and exactly the one with the lowest priority value. That means the MX record for the XG. I understood that correctly.

    The second one is just for the case that the first one does not respond. But that will not happen, because the WAN interface will accept the request. I see all mails in the mail spool / mail logs.

    The problem is that, according to one of the answers in external-mail-server-secured-over-xg-firewall, which I added as a link, more than one mail domain should be relayable.

    "Step5:   Scan and Filter Inbound Emails -> In the SMTP Policy I used my personal domain (private.com) located at my provider. I also have a business domain (business.com).

    In the General settings of the email, only 1 SMTP Hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list if I route with MX RECORD?
    "

    Routing with MX RECORD didn't work due to these two MX RECORDS. I changed it to the DNS name mail.private.com and it worked. Instead of adding business.com to the protected domain list, I made a second SMTP Policy.

    I would like to send Emmanuel the Access ID, but it seems that I have another problem there, because I get just

    Regards
    Wolfgang

  • Hello Wolfgang,

    now I read your other thread about your attempts to get SMTP relaying going with multiple domains.

    You use Sophos XG as an MTA in this scenario. MTA = Mail Transport Agent.

    This is NOT a complete mailserver, think of it as a mailserver, that has no mailboxes, but receives mail for other servers, which are holding the mailboxes for the final recipients.

    1. This MTA needs an OWN name, of course; this is the "SMTP hostname".

    2. Then you need to tell the MTA which domains it should accept (these could be hundreds).

    3. After accepting mails and doing several checks, the MTA needs to know where to send the mails to; this would be the server holding the mailboxes for its clients. If using the MX records you supplied before, you would create a loop, because you point to your WAN address again. That's the reason why your "DNS hostname" routing succeeded. You have to point to a different server here! "Normally" this would be an internal mailserver at the local LAN-side of the firewall, so you could control the (internal) DNS/MX there. But in your case, where you don't have any mailserver locally, you have to go that way.

    4. After queueing/sending the mail to the final destination server ("Mailbox-Server"), the Sophos-MTA is done.

    5. You pull the mail with your preferred mail-client from your "Mailbox-Server".

    Personally, after receiving with the Sophos MTA, I would consolidate ALL mail-domains to one "Mailbox-Server" (means send all mails to this as target) and use this as the one and only source for my mail-client(s).

    Hope this helps, regards,

    Philipp

    Mit freundlichem Gruß, Regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
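As an added example (not Sophos code and not from anyone in this thread), the routing behaviour discussed above modelled in Python: a sending MTA uses only the best-preference MX and falls back to the others only if it is offline, routing by MX from the XG itself would loop straight back to its own WAN address, while a static "DNS hostname" route per protected domain hands the mail on to the hoster. The MX and A tables are constructed from the thread's sample values and xg-wan.example is a placeholder hostname.

```python
# Added example (not Sophos code, not from the thread): a small model of how an MTA
# picks the next hop for a recipient domain, in the two modes the thread contrasts.
from dataclasses import dataclass

@dataclass(frozen=True)
class MX:
    preference: int  # lower value = tried first (RFC 5321, section 5.1)
    host: str

class MailLoop(Exception):
    """The chosen next hop is the relaying MTA itself."""

# Constructed DNS data modelled on the thread: the XG WAN interface is the prio-1 MX
# for both domains, the hoster's server is the prio-2 fallback. "xg-wan.example" is a
# placeholder name; the addresses are the sample values that appear in the thread.
MX_RECORDS = {
    "business.com": [MX(2, "mail.business.com"), MX(1, "xg-wan.example")],
    "private.com": [MX(2, "mail.private.com"), MX(1, "xg-wan.example")],
}
A_RECORDS = {
    "xg-wan.example": "180.100.244.237",
    "mail.business.com": "195.191.240.17",
    "mail.private.com": "195.191.240.17",
}
# Static "DNS hostname" routes, one per protected domain (what the
# static_route_bydns router in the posted log does).
STATIC_ROUTES = {"business.com": "mail.business.com", "private.com": "mail.private.com"}

def mx_delivery_order(domain):
    """Hosts in the order a sending MTA tries them: best preference first."""
    return [mx.host for mx in sorted(MX_RECORDS[domain], key=lambda mx: mx.preference)]

def next_hop_by_mx(domain, own_ips, offline=frozenset()):
    """Route by MX: the first reachable MX wins, lower-priority MXs are only fallbacks.
    If that MX resolves to one of our own addresses the mail comes straight back."""
    for host in mx_delivery_order(domain):
        if host in offline:
            continue
        if A_RECORDS[host] in own_ips:
            raise MailLoop(f"{domain}: MX {host} is this MTA's own address")
        return host
    raise RuntimeError(f"{domain}: no MX host reachable")

def next_hop_by_dns(domain):
    """Route by static DNS hostname: skip MX and deliver to the declared server."""
    return STATIC_ROUTES[domain]

def would_loop(domain, own_ips):
    """True when route-by-MX from this MTA would deliver to itself."""
    try:
        next_hop_by_mx(domain, own_ips)
    except MailLoop:
        return True
    return False
```

Running would_loop("business.com", {"180.100.244.237"}) reproduces the loop Philipp describes, while next_hop_by_dns("business.com") returns the hoster's server the static route points at.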