SMTP relay with more than one domain

Hello

I don't know if there is a solution. I already placed this question in the Sophos Email part of this community, but didn't get an answer.

I have to relay two mail accounts with two different domains (mail.private.com, mail.business.com). They are both with the same provider.

I made my first experiences with relaying the first one, and it's working (see external-mail-server-secured-over-xg-firewall).

I also tried to integrate the second mail account (mail.business.com) and got an error message. One piece of feedback I got was that relaying more than one domain is possible, but the result is an error with a message I don't understand. See also the question I placed in the community: smtp-relay-with-two-mail-domains

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:

  wolfgang@business.com
    host local.myfirewall.co [180.100.244.237]
    SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
    550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.

---------------------------------------------- message/delivery-status ----------------------------------------------

Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email because the sender IP
 550 Address is blacklisted.

---------------------------------------------- message/rfc822 ----------------------------------------------

Return-path: <wolfgang@protonmail.com>
Received: from [180.100.244.237] (port=60360 helo=privat.com)
 by hos108.unaxus.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 (Exim 4.93)
 (envelope-from <wolfgang@protonmail.com>)
 id 1kDy1o-00GlD9-7L
 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582)
 by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.91)
 (envelope-from <wolfgang@protonmail.com>)
 id 1kDy1h-0001VD-06
 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
Date: Thu, 03 Sep 2020 22:47:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail;
 t=1599173266; bh=uidnY6jlxQy6tKVuIn8VjeA4Ly5IH6SAlBKL20lHlJs=;
 h=Date:To:From:Reply-To:Subject:From;
 b=MQTvdoWEu9XB8OgwZZmrQreSFSGoXgRLVJpiFNtG3Fz0ZFzMFzT/Lz86S7bemRIA1
 1C6COwj617nUhJATi69w4SB3eugf4LR4VNwyxrElaEKi/WxGuNogQZEm7J66o0dIyM
 fzXgQGcM6WwZsCTlM6vxyaLs3hjWGRncjyYoELMg=
To: "wolfgang@business.com" <wolfgang@business.com>
From: Wolfgang <wolfgang@protonmail.com>
Reply-To: Wolfgang <wolfgang@protonmail.com>
Subject: Test MX 4
Message-ID: <2_GdmVwcsGqDz4Wb6COntnJi_INUmHA7o5Il-LOBYzjCDiP1qnYN2OfgQn2NhZnb4RykMiQT2rr5TXyZqZbLICkEnEfWxJU_VHsPJVf-mxM=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE
 shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A09020A.5F5172B1.00B6:SCFSTAT63089915,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score: -4.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
X-Sophos-Firewall: smtpd v1.0

This is a multi-part message in MIME format.

--b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

………

Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGRpdj48YnI+……….--

Hope someone can help to find a solution.

Thanks
Wolfgang
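As an added example that is not part of the original post (and not Sophos code), here is a small Python parser for a bounce like the one quoted above. The sample input is that bounce re-typed one header per line with the MIME body left out; the host names and IP addresses are the thread's own placeholders, and the "---- message/... ----" markers mimic Exim's DSN part separators. It pulls out which host rejected the mail and with what SMTP code, walks the Received chain in delivery order, lists the HELO names used, and flags the case where the rejecting host's IP already appears as a relaying hop, which is what a loop between a relay and the server it hands off to looks like from inside a DSN. The dnsbl_query_name helper only builds the name one would resolve to check an address against a public blocklist by hand; it makes no network lookup.

```python
"""Added example for this thread, not code from the post or from Sophos: pull
the facts out of an Exim-style bounce and its embedded Received chain.  The
sample is the bounce quoted above, re-typed one header per line with the MIME
body omitted; hosts and IPs are the thread's own placeholders."""
import json
import re

SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.
The following address(es) failed:
  wolfgang@business.com
    host local.myfirewall.co [180.100.244.237]
    SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
    550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.
---- message/delivery-status ----
Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email
 because the sender IP 550 Address is blacklisted.
---- message/rfc822 ----
Received: from [180.100.244.237] (port=60360 helo=privat.com)
 by hos108.unaxus.net with esmtps (TLS1.2) (Exim 4.93)
 (envelope-from <wolfgang@protonmail.com>) id 1kDy1o-00GlD9-7L
 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582)
 by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91)
 (envelope-from <wolfgang@protonmail.com>) id 1kDy1h-0001VD-06
 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
Subject: Test MX 4
"""

PART_SEP = re.compile(r"^-+ (message/[\w-]+) -+$", re.M)  # Exim DSN part markers
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RECEIVED = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)

def unfold(block):
    """Join folded header lines (RFC 5322: continuations start with whitespace)."""
    out = []
    for line in block.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_fields(block):
    """Lower-cased header name -> list of values (Received occurs once per hop)."""
    fields = {}
    for header in unfold(block):
        name, _, value = header.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_received(value):
    """One hop: the peer that connected (name, IP, HELO) and the host that accepted."""
    m = RECEIVED.search(value)
    if not m:
        return None
    peer, comment, by = m.groups()
    ip = re.search(IPV4, peer + " " + (comment or ""))
    helo = re.search(r"\bhelo=(\S+)", comment or "")
    return {"from": peer.strip("[]"), "ip": ip.group(0) if ip else None,
            "helo": helo.group(1) if helo else None, "by": by}

def analyse_bounce(text):
    parts = PART_SEP.split(text)
    human, sections = parts[0], dict(zip(parts[1::2], parts[2::2]))
    status = {k: v[0] for k, v in parse_fields(sections.get("message/delivery-status", "")).items()}
    message = parse_fields(sections.get("message/rfc822", ""))
    # Every MTA prepends its own Received header, so reverse to get delivery order.
    hops = [h for h in map(parse_received, reversed(message.get("received", []))) if h]
    host = re.search(r"host (\S+) \[(" + IPV4 + r")\]", human)
    code = re.search(r"smtp;\s*(\d{3})", status.get("diagnostic-code", ""))
    rejecting_ip = host.group(2) if host else None
    return {
        "reporting_mta": status.get("reporting-mta", "").split(";")[-1].strip(),
        "rejecting_host": host.group(1) if host else None,
        "rejecting_ip": rejecting_ip,
        "smtp_code": code.group(1) if code else None,
        "hops": hops,
        "helo_names": [h["helo"] for h in hops if h["helo"]],
        # The host that refused the mail had already relayed it once: that is a
        # routing loop, not a bad sender, whatever the 550 text says.
        "loop_back_to_earlier_hop": rejecting_ip is not None
        and any(h["ip"] == rejecting_ip for h in hops),
    }

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name to resolve when checking an IPv4 address against a DNSBL by hand:
    octets reversed, then the list zone; any A answer means 'listed'."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    print(json.dumps(analyse_bounce(SAMPLE_BOUNCE), indent=2))
```

Run it as a script to see the parsed result; on a real bounce, feed the raw text of the DSN to analyse_bounce. The point to check first is the last key: when it is true, the host that produced the 550 is one the message already passed through, so the fix is in the routing, not in the blocklist exception.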

  • Hello Wolfgang,

    Thank you for contacting the Sophos Community!

    It seems like the XG is blocking the IP. Can you create an exception in Email Protection for this IP, 180.100.244.237?

    If I am reading correctly, this was trying to send the email inbound to your server?

    Can you provide the output of the smtpd_main.log when this issue happens?

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel

    The IP 180.100.244.237 is my WAN address (port2).

    It shouldn't be blocked anyway.

    Regards
    Wolfgang

  • With kind regards, regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • Hello Wolfgang,

    Thank you for the follow-up.

    I do see your public IP is blacklisted, so that will for sure cause some issues.

    However, I don't understand how you are testing the email flow.

    Do you have both domains behind the XG, and are you sending from Domain1 to Domain2 (both of them behind the XG) to test this?

    If you are OK with it, I would like to check your configuration. Can you enable Support Access on your device and send me the Access ID by PM?

    Monitor & Analyze >> Diagnostics >> Support Access >> ON >> Access Status >> copy & paste the Access ID and send it to me.

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • Hi Philipp

    Sorry for the confusion about the IP address. My IP address isn't blacklisted. It's not the original address.

    I keep the IP and MAC addresses that are publicly reachable secure in the community. The original address is green.

    Btw, from the same address I relay another mail account without any problems.

    Thanks
    Wolfgang

  • Hi Emmanuel

    Both of my mail accounts are with a hoster. The redirection is done over the XG Firewall.

    MX XG      Prio 1  WAN (port2)
    MX hoster  Prio 2  mail.business.com

    This part works correctly:
    MX XG      Prio 1  WAN (port2)
    MX hoster  Prio 2  mail.privat.com

    The flow is:
    Sending a mail (according to the MX information) to the WAN of the XG (port2), then mail check and relaying over port2 to the hoster (DNS) mail.business.com.

    The funny thing is that exactly this flow works for the private mail domain.

    There is one part which I think could be the problem. But in this case, an SMTP relay with more than one mail domain wouldn't be possible.
    In the SMTP settings I have to declare a domain, in my case "privat.com". The HELO will be "privat.com", which isn't the same as "business.com".

    I will send you the access ID, but have to update the MX record first.

    Regards
    Wolfgang

  • Hello Wolfgang,

    Reading your lines several times, I think there is a big confusion about how SMTP works. Even if you have more than one MX record, only one of them is actually used. The other DNS entries are only tried if that particular server is offline. So this is not worked through in sequence; the mail is processed by the first MX which is online. And then the Sophos mail processing is done, and the mail is passed to the server you declare "responsible" for your domain in the Sophos settings.

    Regards,

    Philipp


  • Hello Philipp

    You're right. Just one is used, and exactly the one with the lowest priority. That means the MX record for the XG. I understood that correctly.

    The second one is just for the case that the first one does not respond. But that will not happen, because the WAN interface will accept the request. I see all mails in the mail spool / mail logs.

    The problem is that, according to one of the answers at external-mail-server-secured-over-xg-firewall, which I added as a link, it should be possible to relay more than one mail domain.

    "Step 5: Scan and Filter Inbound Emails -> In the SMTP Policy I used my personal domain (private.com) located at my provider. I also have a business domain (business.com).

    In the General settings of the email only 1 SMTP Hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list, if I route with MX RECORD?
    "

    Routing with MX RECORD didn't work due to these two MX RECORDS. I changed it to the DNS name mail.private.com and it worked. Instead of adding business.com to the protected domain list, I made a second SMTP Policy.

    I would like to send Emmanuel the Access ID, but it seems that I have another problem there, because I get just

    Regards
    Wolfgang

  • Hello Wolfgang,

    Now I have read your other thread about your attempts to get SMTP relaying going with multiple domains.

    You use Sophos XG as an MTA in this scenario. MTA = Mail Transport Agent.

    This is NOT a complete mail server; think of it as a mail server that has no mailboxes but receives mail for other servers, which hold the mailboxes for the final recipients.

    1. This MTA needs its OWN name, of course; this is the "SMTP hostname".

    2. Then you need to tell the MTA which domains it should accept (these could be hundreds).

    3. After accepting mails and doing several checks, the MTA needs to know where to send the mails to; this would be the server holding the mailboxes for its clients. If you use the MX records you supplied before, you would create a loop, because you point to your WAN address again. That's the reason why your "DNS hostname" routing succeeded. You have to point to a different server here! "Normally" this would be an internal mail server on the local LAN side of the firewall, so you could control the (internal) DNS/MX there. But in your case, where you don't have any mail server locally, you have to go that way.

    4. After queuing/sending the mail to the final destination server ("Mailbox-Server"), the Sophos MTA is done.

    5. You pull the mail with your preferred mail client from your "Mailbox-Server".

    Personally, after receiving with the Sophos MTA, I would consolidate ALL mail domains onto one "Mailbox-Server" (meaning: send all mails to this one as the target) and use it as the one and only source for my mail client(s).

    Hope this helps, regards,

    Philipp

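The two points Philipp makes, that a sender only ever uses the first MX that answers (his earlier reply) and that routing the relay's own outbound delivery "by MX record" sends the mail back to the relay's WAN address (point 3 above), as an added example in Python that is not part of the original thread and not Sophos code. The MX sets are constructed from the records Wolfgang described, using the thread's placeholder name local.myfirewall.co for the XG's WAN interface; the names of the routing modes, the relay/mailbox roles and the hop limit are assumptions made for the simulation.

```python
"""Added example for this thread, not Sophos code: how a sending MTA picks an MX
(RFC 5321 section 5.1) and why routing the firewall's outbound delivery "by MX
record" loops back onto itself when the firewall is the domain's primary MX.
The zone data is constructed from the records described in the thread."""
import random

# Constructed MX sets: the XG's WAN name at preference 10 (highest priority),
# the hoster's server at 20.  'local.myfirewall.co' is the thread's placeholder.
MX_RECORDS = {
    "business.com": [(10, "local.myfirewall.co"), (20, "mail.business.com")],
    "private.com": [(10, "local.myfirewall.co"), (20, "mail.private.com")],
}


def ordered_mx(domain, records=MX_RECORDS, rng=random):
    """Hosts in the order a sender tries them: ascending preference value,
    ties in random order (shuffle first, then a stable sort keeps the tie order)."""
    rows = list(records.get(domain, []))
    rng.shuffle(rows)
    rows.sort(key=lambda row: row[0])
    return [host for _, host in rows]


def pick_mx(domain, reachable, records=MX_RECORDS):
    """First MX that answers.  A lower-priority MX is only used when every
    higher one is unreachable; the records are never worked through in parallel."""
    for host in ordered_mx(domain, records):
        if host in reachable:
            return host
    return None


def route_outbound(domain, mode, target, my_names, records=MX_RECORDS, reachable=()):
    """Next hop the relay MTA delivers to after scanning.
    mode 'mx':   look the domain's MX up again (routing 'by MX record')
    mode 'host': deliver to the configured host name
    Returns (next_hop, points_at_self)."""
    next_hop = pick_mx(domain, reachable, records) if mode == "mx" else target
    return next_hop, next_hop in my_names


def simulate(domain, relay_names, relay_mode, relay_target, mailbox_hosts,
             records=MX_RECORDS, max_hops=8):
    """Follow one message from an internet sender until a mailbox host takes it,
    a host is visited twice (loop) or the assumed hop limit is hit."""
    reachable = set(relay_names) | set(mailbox_hosts)
    path = [pick_mx(domain, reachable, records)]
    while len(path) <= max_hops:
        here = path[-1]
        if here in mailbox_hosts:
            return path, "delivered"
        if here not in relay_names:
            return path, "undeliverable"
        nxt, _ = route_outbound(domain, relay_mode, relay_target, relay_names,
                                records, reachable)
        if nxt is None:
            return path, "undeliverable"
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
    return path, "hop limit"


if __name__ == "__main__":
    xg = {"local.myfirewall.co"}
    print(simulate("business.com", xg, "mx", None, {"mail.business.com"}))
    print(simulate("business.com", xg, "host", "mail.business.com", {"mail.business.com"}))
```

The first simulated run is the configuration that failed: the XG is the lowest-preference MX, so looking the MX up again after scanning returns the XG itself. The second run is the working configuration from the thread, where the relay delivers to the hoster's host name directly and the preference-20 record never comes into play at all.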

  • Hello Philipp

    That with one Mailbox-Server would be nice, but I don't want to mix my private and business mails.

    1. This MTA needs its OWN name, of course; this is the "SMTP hostname".

    If I understand that correctly, we are discussing 3 mail servers within the mail flow:
    1. Sender    any sender SMTP
    2. MTA       e.g. mta.com
    3. Receiver  private.com

    My understanding was that the General settings SMTP hostname has to be the receiver hostname, e.g. private.com.
    In the SMTP TLS configuration I used the certificate from my private.com.

    If I can take e.g. mta.com, I have to generate a new certificate for that, and it should also work.

    Is that correct?

    Thanks
    Wolfgang

  • No no no. That is not correct.

    The Sophos MTA must not be on a different domain. It can be something like mta.private.com or mta.business.com. The hostname is not like private.com; that is a domain name, not a hostname. The hostname could be mx1.private.com or mx2.private.com.

    There is no need for additional certificates.

    Regards,

    Philipp


