I don't know if there is a solution. I placed this question already on the Sophos Email part of this community, but didn't get an answer.
I have to relay two mail accounts with two different domains (mail.private.com, mail.business.com). They are both with the same provider.
I made my first experiences with relaying the first one, and it's working - external-mail-server-secured-over-xg-firewall.
I also tried to integrate the second mail account (mail.business.com) and I got an error message. One piece of feedback I got was that more than one relay is possible, but the result is an error with a message I don't understand. See also the question I placed in the community - smtp-relay-with-two-mail-domains
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

firstname.lastname@example.org
  host local.myfirewall.co [220.127.116.11]
  SMTP error from remote mail server after RCPT TO:<email@example.com>:
  550-Sophos Anti Spam Engine has blocked this Email because the sender IP
  550 Address is blacklisted.

---------------------------------------------- message/delivery-status ----------------------------------------------
Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;firstname.lastname@example.org
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email because the sender IP 550 Address is blacklisted.

---------------------------------------------- message/rfc822 ----------------------------------------------
Return-path: <email@example.com>
Received: from [18.104.22.168] (port=60360 helo=privat.com) by hos108.unaxus.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <firstname.lastname@example.org>) id 1kDy1o-00GlD9-7L for email@example.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([22.214.171.124]:25582) by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <firstname.lastname@example.org>) id 1kDy1h-0001VD-06 for email@example.com; Fri, 04 Sep 2020 00:48:17 +0200
Date: Thu, 03 Sep 2020 22:47:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1599173266; bh=uidnY6jlxQy6tKVuIn8VjeA4Ly5IH6SAlBKL20lHlJs=; h=Date:To:From:Reply-To:Subject:From; b=MQTvdoWEu9XB8OgwZZmrQreSFSGoXgRLVJpiFNtG3Fz0ZFzMFzT/Lz86S7bemRIA1 1C6COwj617nUhJATi69w4SB3eugf4LR4VNwyxrElaEKi/WxGuNogQZEm7J66o0dIyM fzXgQGcM6WwZsCTlM6vxyaLs3hjWGRncjyYoELMg=
To: "firstname.lastname@example.org" <email@example.com>
From: Wolfgang <firstname.lastname@example.org>
Reply-To: Wolfgang <email@example.com>
Subject: Test MX 4
Message-ID: <2_GdmVwcsGqDz4Wb6COntnJi_INUmHA7o5Il-LOBYzjCDiP1qnYN2OfgQn2NhZnb4RykMiQT2rr5TXyZqZbLICkEnEfWxJU_VHsPJVf-mxMfirstname.lastname@example.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A09020A.5F5172B1.00B6:SCFSTAT63089915,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score: -4.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
X-Sophos-Firewall: smtpd v1.0

This is a multi-part message in MIME format.
--b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
………
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
PGRpdj48YnI+……….--
Hope someone can help to find a solution.
Thank you for contacting the Sophos Community!
It seems like the XG is blocking the IP. Can you create an exception in Email Protection for this IP, 126.96.36.199?
If I am reading correctly, this was trying to send the email inbound to your server?
Can you provide the output of the smtpd_main.log when this issue happens?
The IP 188.8.131.52 is my WAN address (port2)
Shouldn't be blocked anyway.
Your assumption is not correct: you are blacklisted with this IP:
Have a look yourself: https://mxtoolbox.com/Problem/Blacklist/UCEPROTECTL3/?page=prob_blacklist&ip=184.108.40.206&link=button&action=blacklist:220.127.116.11&showLogin=1&hidetoc=1&reason=127.0.0.2
Kind regards, Regards from Germany,
New Vision GmbH, Germany, Sophos Silver Partner
Thank you for the follow-up.
I do see your public IP is blacklisted so that for sure will cause some issues.
However, I don't understand how you are testing the email flow.
Do you have both domains behind the XG and you are sending from Domain1 to Domain2 (Both of them behind the XG) to test this?
If you are OK with it, I would like to check your configuration. Can you enable Support Access on your device and send me the Access ID by PM?
Monitor & Analyze >> Diagnostics >> Support Access >> ON >> Access Status >> copy & paste the Access ID and send it to me.
Sorry for the confusion about the IP address. My IP address isn't blacklisted. It's not the original address.
I keep the IP and MAC addresses which are publicly reachable secure in the community. The original address is green.
Btw, from the same address I relay another mail account without any problems.
Both of my mail accounts are with a hoster. The redirection is done over the XG Firewall.
MX XG     Prio 1  WAN (port2)
MX hoster Prio 2  mail.business.com
This part works correctly:
MX XG     Prio 1  WAN (port2)
MX hoster Prio 2  mail.privat.com
The flow is: sending a mail (according to the MX information) to the WAN of the XG (port2), then the mail check, and relaying over port2 to the hoster (DNS) mail.business.com.
The funny thing is that exactly this flow works for the private mail domain.
There is one part which I think could be the problem. But in this case, an SMTP relay with more than one mail domain wouldn't be possible. At the SMTP settings I have to declare a domain. In my case "privat.com". The HELO will be "privat.com", which isn't the same as "business.com".
I will send you the access ID, but have to update the MX record first.
Reading your lines several times, I think there is a big confusion about how SMTP works. Even if you have more than one MX record, only one of them is actually used. The other DNS entries are only tried if that particular server is offline. So this is not worked through in sequence; the mail is processed by the first MX which is online. And then the Sophos mail processing is done, and the mail is passed to the server you declare "responsible" for your domain in the Sophos settings.
You're right. Just one is used, and exactly the one with the lowest priority value. That means the MX record for the XG. I understood that correctly.
The second one is just for the case that the first one does not respond. But that will not happen, because the WAN interface will accept the request. I see all mails in the mail spool / mail logs.
The problem is that, according to one of the answers at external-mail-server-secured-over-xg-firewall, which I added as a link, it should be possible to relay more than one mail domain.
"Step 5: Scan and Filter Inbound Emails -> In the SMTP Policy I used my personal domain (private.com) located at my provider. I also have a business domain (business.com). In the General settings of Email, only 1 SMTP Hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list if I route with MX RECORD?"
Routing with MX RECORD didn't work due to these two MX RECORDS. I changed it to DNS Name mail.private.com and it worked. Instead of adding business.com to the protected domain list, I made a second SMTP Policy.
I would like to send Emmanuel the Access ID, but it seems that I have another problem there, because I just get
Now I read your other thread about your attempts to get SMTP relaying going with multiple domains.
You use Sophos XG as an MTA in this scenario. MTA = Mail Transport Agent.
This is NOT a complete mail server; think of it as a mail server that has no mailboxes but receives mail for other servers, which hold the mailboxes for the final recipients.
1. This MTA needs an OWN name, of course, this is "SMTP hostname".
2. Then you need to tell the MTA which domains it should accept (these could be hundreds).
3. After accepting mails and doing several checks, the MTA needs to know where to send the mails to; this would be the server holding the mailboxes for its clients. If using the MX records you supplied before, you would create a loop, because you point to your WAN address again. That's the reason why your "DNS hostname" routing succeeded. You have to point to a different server here! "Normally" this would be an internal mail server on the local LAN side of the firewall, so you could control the (internal) DNS/MX here. But in your case, where you don't have any mail server locally, you have to go that way.
4. After queueing/sending the mail to the final destination server ("Mailbox-Server"), the Sophos MTA is done.
5. You pull the mail with your preferred mail client from your "Mailbox-Server".
Personally, after receiving with the Sophos MTA, I would consolidate ALL mail domains to one "Mailbox-Server" (meaning: send all mails to this as the target) and use it as the one and only source for my mail client(s).
Hope this helps, regards,
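To make the two points from this thread concrete (only the most preferred reachable MX ever receives a message, and routing the relay target by MX sends the mail straight back to the firewall's own WAN address), here is a small offline model. It is an added example and not code from the thread or from Sophos: the MX, A and reachability tables are constructed, the addresses are documentation ranges, and `SmtpPolicy`, `check_policy` and `simulate_inbound` are hypothetical names that only mimic the "route by MX" versus "route by host name" choice described above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data for illustration only. The addresses are documentation
# ranges (RFC 5737) and the names mirror the thread; none of this is real infrastructure.
WAN_ADDRESS = "203.0.113.10"        # public address of the firewall's WAN (port2)
SMTP_HOSTNAME = "mx1.private.com"   # the MTA's own name, sent in HELO/EHLO

# MX records as (preference, exchange). The lowest preference value is tried first.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "private.com":  [(20, "mail.private.com"),   (10, "local.myfirewall.co")],
    "business.com": [(10, "local.myfirewall.co"), (20, "mail.business.com")],
}

# Constructed A records for the exchanges above.
A_RECORDS: Dict[str, str] = {
    "local.myfirewall.co": WAN_ADDRESS,
    "mail.private.com": "198.51.100.25",
    "mail.business.com": "198.51.100.26",
}

# Which exchanges currently answer on port 25 (constructed reachability table).
ONLINE: Dict[str, bool] = {
    "local.myfirewall.co": True, "mail.private.com": True, "mail.business.com": True,
}


def mx_delivery_order(domain: str) -> List[str]:
    """Exchanges in the order a sending MTA tries them (ascending preference)."""
    return [host for _, host in sorted(MX_RECORDS.get(domain, []))]


def choose_delivery_host(domain: str, online: Dict[str, bool] = ONLINE) -> Optional[str]:
    """The single MX that actually receives the mail: the most preferred one that answers.
    Lower-priority entries are only reached when every better one is down."""
    for host in mx_delivery_order(domain):
        if online.get(host, False):
            return host
    return None


@dataclass
class SmtpPolicy:
    """One inbound policy (hypothetical model): a protected domain and where the MTA relays it."""
    protected_domain: str
    route_by: str                      # "mx" (look up the domain's MX) or "host" (fixed name)
    target_host: Optional[str] = None  # used when route_by == "host"


def resolve_relay_target(policy: SmtpPolicy, online: Dict[str, bool] = ONLINE) -> Optional[str]:
    """Where the MTA forwards accepted mail for this policy's domain."""
    if policy.route_by == "mx":
        return choose_delivery_host(policy.protected_domain, online)
    return policy.target_host


def check_policy(policy: SmtpPolicy, smtp_hostname: str = SMTP_HOSTNAME) -> List[str]:
    """Sanity checks worth running before enabling a relay policy; returns the problems found."""
    problems: List[str] = []
    target = resolve_relay_target(policy)
    if target is None:
        problems.append("no reachable delivery target for " + policy.protected_domain)
    elif A_RECORDS.get(target) == WAN_ADDRESS:
        problems.append(f"loop: relay target {target} resolves to the MTA's own WAN address")
    if smtp_hostname == policy.protected_domain:
        problems.append("SMTP hostname equals the protected domain; use a host name such as mx1.<domain>")
    return problems


def simulate_inbound(rcpt_domain: str, policies: Dict[str, SmtpPolicy],
                     online: Dict[str, bool] = ONLINE) -> List[str]:
    """Follow one message from the internet to the mailbox server and return the hops.
    The last element is a host name, or a marker explaining why delivery stopped."""
    first_mx = choose_delivery_host(rcpt_domain, online)
    if first_mx is None:
        return ["UNDELIVERABLE"]
    path = [first_mx]
    if A_RECORDS.get(first_mx) != WAN_ADDRESS:
        return path  # the hoster's own MX answered; the firewall MTA was not involved
    policy = policies.get(rcpt_domain)
    if policy is None:
        return path + ["REJECTED: domain not in the protected list"]
    target = resolve_relay_target(policy, online)
    if target is None:
        return path + ["UNDELIVERABLE"]
    if A_RECORDS.get(target) == WAN_ADDRESS:
        return path + ["LOOP"]  # MX routing points back at port2: the situation in the thread
    return path + [target]


if __name__ == "__main__":
    policies = {
        "private.com": SmtpPolicy("private.com", "host", "mail.private.com"),
        "business.com": SmtpPolicy("business.com", "mx"),
    }
    for domain in policies:
        print(domain, "->", simulate_inbound(domain, policies), check_policy(policies[domain]))
```

Run as a script it prints the hop list for both domains: the host-routed private.com policy ends at mail.private.com, while the MX-routed business.com policy is flagged as a loop, because the most preferred MX for business.com is the firewall itself. Flipping the reachability entry for local.myfirewall.co to False shows the fallback: only then does the sender move on to the hoster's MX.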
That with one Mailbox-Server would be nice, but I don't want to mix my private and business mails.
jprusch said: "1. This MTA needs an OWN name, of course, this is "SMTP hostname"."
If I understand that correctly, we are discussing 3 mail servers within the mail flow:
1. Sender: any sender SMTP
2. MTA: e.g. mta.com
3. Receiver: private.com
My understanding was that the General settings SMTP hostname has to be the receiver hostname, e.g. private.com. In the SMTP TLS configuration I used the certificate from my private.com.
If I can take e.g. mta.com, I have to generate a new certificate for that, and it should also work.
Is that correct?
No no no. That is not correct.
The Sophos MTA must not be on a different domain. This can be like mta.private.com or mta.business.com. The hostname is not like private.com; that is a domain name, not a hostname. A hostname could be mx1.private.com or mx2.private.com.
There is no need for additional certificates.
So far so good.
I changed the SMTP settings and the certificate back to the one which Sophos provided.
My private.com relay is still working. That means I will check the second mail domain, if I can get it running.