
SMTP relay with more than one domain

Hello

I don't know if there is a solution. I already placed this question in the Sophos Email part of this community but didn't get an answer.

I have to relay two mail accounts with two different domains (mail.private.com, mail.business.com). Both are hosted by the same provider.

I gained my first experience relaying the first one and it's working - external-mail-server-secured-over-xg-firewall.

I also tried to integrate the second mail account (mail.business.com) and got an error message. One piece of feedback I got was that relaying more than one domain is possible, but the result is an error with a message I don't understand. See also the question I placed in the community - smtp-relay-with-two-mail-domains

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:

  wolfgang@business.com
    host local.myfirewall.co [180.100.244.237]
    SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
    550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.

---------------------------------------------- message/delivery-status ----------------------------------------------

Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co
Diagnostic-Code: smtp; 550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.

---------------------------------------------- message/rfc822 ----------------------------------------------

Return-path: <wolfgang@protonmail.com>
Received: from [180.100.244.237] (port=60360 helo=privat.com)
    by hos108.unaxus.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    (envelope-from <wolfgang@protonmail.com>)
    id 1kDy1o-00GlD9-7L
    for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582)
    by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.91)
    (envelope-from <wolfgang@protonmail.com>)
    id 1kDy1h-0001VD-06
    for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
Date: Thu, 03 Sep 2020 22:47:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1599173266;
    bh=uidnY6jlxQy6tKVuIn8VjeA4Ly5IH6SAlBKL20lHlJs=;
    h=Date:To:From:Reply-To:Subject:From;
    b=MQTvdoWEu9XB8OgwZZmrQreSFSGoXgRLVJpiFNtG3Fz0ZFzMFzT/Lz86S7bemRIA1
     1C6COwj617nUhJATi69w4SB3eugf4LR4VNwyxrElaEKi/WxGuNogQZEm7J66o0dIyM
     fzXgQGcM6WwZsCTlM6vxyaLs3hjWGRncjyYoELMg=
To: "wolfgang@business.com" <wolfgang@business.com>
From: Wolfgang <wolfgang@protonmail.com>
Reply-To: Wolfgang <wolfgang@protonmail.com>
Subject: Test MX 4
Message-ID: <2_GdmVwcsGqDz4Wb6COntnJi_INUmHA7o5Il-LOBYzjCDiP1qnYN2OfgQn2NhZnb4RykMiQT2rr5TXyZqZbLICkEnEfWxJU_VHsPJVf-mxM=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE
    shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch
X-Sophos-IBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Unknown
X-CTCH-VOD: Unknown
X-CTCH-Flags: 0
X-CTCH-RefID: str=0001.0A09020A.5F5172B1.00B6:SCFSTAT63089915,ss=1,re=-4.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-Score: -4.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:
X-Sophos-Firewall: smtpd v1.0

This is a multi-part message in MIME format.

--b1_Rt9ltbmJON5cpsiXPpcBQaxEPbLvwAFiT2xYq0eQ
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

………

Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

PGRpdj48YnI+……….--

I hope someone can help me find a solution.

Thanks
Wolfgang



  • Hello Wolfgang,

    Thank you for contacting the Sophos Community!

    It seems like the XG is blocking the IP. Can you create an exception in Email Protection for the IP 180.100.244.237?

    If I am reading correctly, this was trying to send the email inbound to your server?

    Can you provide the output of the smtpd_main.log when this issue happens?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel

    The IP 180.100.244.237 is my WAN address (port2).

    It shouldn't be blocked anyway.

    Regards
    Wolfgang

  • Hello Wolfgang,

    Reading your lines several times, I think there is a big confusion about how SMTP works. Even if you have more than one MX record, only one of them is actually used. The other DNS entries are only tried if that particular server is offline. So this is not worked through in sequence; the mail is processed by the first MX which is online. And once the Sophos mail processing is done, the mail is passed to the server you declare "responsible" for your domain in the Sophos settings.

    Regards,

    Philipp

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp

    You're right. Just one is used, and exactly the one with the lowest priority. That means the MX record for the XG. I understood that correctly.

    The second one is just for the case that the first one does not respond. But that will not happen, because the WAN interface will accept the request. I see all mails in the mail spool / mail logs.

    The problem is that, according to one of the answers in external-mail-server-secured-over-xg-firewall, which I added as a link, more than one mail domain should be relayable.

    "Step 5: Scan and Filter Inbound Emails -> In the SMTP policy I used my personal domain (private.com), hosted by my provider. I also have a business domain (business.com).

    In the General settings of the email only one SMTP hostname is possible. I have at least two. Is it possible to add the second one and more to the protected domain list if I route with MX RECORD?
    "

    Routing with MX RECORD didn't work due to these two MX RECORDS. I changed it to the DNS name mail.private.com and it worked. Instead of adding business.com to the protected domain list, I made a second SMTP policy.

    I would like to send Emmanuel the Access ID, but it seems that I have another problem there, because I just get

    Regards
    Wolfgang

  • Hello Wolfgang,

    Now I have read your other thread about your attempts to get SMTP relaying going with multiple domains.

    You use Sophos XG as an MTA in this scenario. MTA = Mail Transport Agent.

    This is NOT a complete mailserver; think of it as a mailserver that has no mailboxes but receives mail for other servers, which hold the mailboxes for the final recipients.

    1. This MTA needs its OWN name, of course; this is the "SMTP hostname".

    2. Then you need to tell the MTA which domains it should accept (these could be hundreds).

    3. After accepting mails and doing several checks, the MTA needs to know where to send the mails to; this would be the server holding the mailboxes for its clients. If using the MX records you supplied before, you would create a loop, because you point to your WAN address again. That's the reason why your "DNS hostname" routing succeeded. You have to point to a different server here! "Normally" this would be an internal mailserver on the LAN side of the firewall, so you could control the (internal) DNS/MX there. But in your case, where you don't have any mailserver locally, you have to go that way.

    4. After queueing/sending the mail to the final destination server ("Mailbox-Server"), the Sophos MTA is done.

    5. You pull the mail with your preferred mail client from your "Mailbox-Server".

    Personally, after receiving with the Sophos MTA, I would consolidate ALL mail domains onto one "Mailbox-Server" (meaning send all mails to this as the target) and use this as the one and only source for my mail client(s).

    Hope this helps, regards,

    Philipp

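The loop Philipp describes in point 3 (routing business.com via its MX record sends the mail back to the firewall's own WAN address) is visible in the bounce quoted at the top of the thread, and it can be checked mechanically from the Received: chain. The script below is an added example, not code from the thread or from Sophos. The sample bounce inside it is constructed from the one quoted above (same hosts, addresses and queue IDs), trimmed to the parts the parser needs. It unfolds the headers, lists the hops in delivery order, extracts the rejecting MTA from Exim's "host X [ip]" line, and reports a loop when the rejecting IP is one the message already passed through.

```python
"""Trace a bounce's Received: chain and spot a relay loop.

Added example for this thread (not Sophos code). SAMPLE_BOUNCE is constructed
from the bounce quoted in the thread and trimmed to what the parser needs.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_BOUNCE = """\
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:
  wolfgang@business.com
    host local.myfirewall.co [180.100.244.237]
    SMTP error from remote mail server after RCPT TO:<wolfgang@business.com>:
    550-Sophos Anti Spam Engine has blocked this Email because the sender IP
    550 Address is blacklisted.

Reporting-MTA: dns; hos108.unaxus.net
Action: failed
Final-Recipient: rfc822;wolfgang@business.com
Status: 5.0.0
Remote-MTA: dns; local.myfirewall.co

Return-path: <wolfgang@protonmail.com>
Received: from [180.100.244.237] (port=60360 helo=privat.com)
    by hos108.unaxus.net with esmtps (TLS1.2) (Exim 4.93)
    (envelope-from <wolfgang@protonmail.com>)
    id 1kDy1o-00GlD9-7L for wolfgang@business.com; Fri, 04 Sep 2020 00:48:24 +0200
Received: from mail1.protonmail.ch ([180.70.40.18]:25582)
    by privat.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91)
    (envelope-from <wolfgang@protonmail.com>)
    id 1kDy1h-0001VD-06 for wolfgang@business.com; Fri, 04 Sep 2020 00:48:17 +0200
From: Wolfgang <wolfgang@protonmail.com>
To: <wolfgang@business.com>
Subject: Test MX 4
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <name> (<comment>) by <host>"; the comment carries the IP and/or HELO.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)\s*(?P<extra>\([^)]*\))?\s*by\s+(?P<by>\S+)",
    re.MULTILINE,
)


class Hop(NamedTuple):
    from_name: str            # name or address literal the sender announced
    from_ip: Optional[str]    # connecting IP as recorded by the receiving MTA
    helo: Optional[str]       # HELO/EHLO name, if the receiving MTA logged it
    by_host: str              # the MTA that added this Received: line


def unfold(text: str) -> str:
    """Join RFC 5322 continuation lines (leading whitespace) onto the line above."""
    return re.sub(r"\r?\n[ \t]+", " ", text)


def parse_received(text: str) -> List[Hop]:
    """Hops in the order the message travelled (oldest first).

    Each MTA prepends its Received: line, so the topmost line is the newest hop;
    the list is reversed to give delivery order.
    """
    hops = []
    for m in RECEIVED_RE.finditer(unfold(text)):
        blob = m.group("from") + " " + (m.group("extra") or "")
        ip = re.search(r"\[(%s)\]" % IPV4, blob)
        helo = re.search(r"helo=([\w.-]+)", blob)
        hops.append(Hop(
            from_name=m.group("from").strip("[]"),
            from_ip=ip.group(1) if ip else None,
            helo=helo.group(1) if helo else None,
            by_host=m.group("by"),
        ))
    return list(reversed(hops))


def rejecting_mta(text: str) -> Optional[Tuple[str, str]]:
    """(host, ip) of the MTA that issued the 5xx, from Exim's 'host X [ip]' line.
    Assumption: Exim wording; other MTAs phrase the failure differently."""
    m = re.search(r"host\s+(\S+)\s+\[(%s)\]" % IPV4, unfold(text))
    return (m.group(1), m.group(2)) if m else None


def find_relay_loop(text: str) -> Optional[Hop]:
    """The earlier hop whose source IP is the MTA that now rejects the message,
    i.e. the mail was routed back to a relay it already went through.
    None when the chain does not close on itself."""
    rej = rejecting_mta(text)
    if rej is None:
        return None
    for hop in parse_received(text):
        if hop.from_ip == rej[1]:
            return hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE_BOUNCE), 1):
        print(f"hop {i}: {hop.from_name} [{hop.from_ip}] helo={hop.helo} -> {hop.by_host}")
    loop = find_relay_loop(SAMPLE_BOUNCE)
    if loop:
        host, ip = rejecting_mta(SAMPLE_BOUNCE)
        print(f"loop: {host} [{ip}] rejected a message it had already handed to {loop.by_host}")
```

Run as-is it prints two hops (mail1.protonmail.ch to privat.com, then 180.100.244.237 to hos108.unaxus.net) and the loop finding: the 550 was issued by local.myfirewall.co [180.100.244.237], the XG's WAN address, when the provider's MX handed the message back to it, and that same address is the one that had just relayed the message out. To use it on a real bounce, paste the full text in place of SAMPLE_BOUNCE; hostnames, addresses and the Exim "host X [ip]" wording are assumptions taken from the thread.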

  • Hello Philipp

    That with one Mailbox-Server would be nice, but I don't want to mix my private and business mails.

    "1. This MTA needs its OWN name, of course; this is the "SMTP hostname"."

    If I understand that correctly, we are discussing 3 mail servers within the mail flow:
    1. Sender:    any sender SMTP
    2. MTA:       e.g. mta.com
    3. Receiver:  private.com

    My understanding was that the General settings SMTP hostname has to be the receiver hostname, e.g. private.com.
    In the SMTP TLS configuration I used the certificate from my private.com.

    If I can take e.g. mta.com, I have to generate a new certificate for that and it should also work.

    Is that correct?

    Thanks
    Wolfgang

  • No, no, no. That is not correct.

    The Sophos MTA must not be on a different domain. This can be like mta.private.com or mta.business.com. The hostname is not like private.com; that is a domain name, not a hostname. The hostname could be mx1.private.com or mx2.private.com.

    There is no need for additional certificates.

    Regards,

    Philipp


  • Hello Philipp

    So far so good.

    I changed the SMTP settings and the certificate back to the one which Sophos provided.

    My private.com relay is still working. That means I will check the second mail domain, if I can get it running.

    Thanks
    Wolfgang

  • Hi to all, who followed this discussion.

    After several sessions with Sophos Support, I got an answer. There must be a bug in the system and I have to place an RMA.

    Regards
    Wolfgang

  • Hello Wolfgang,

    Could you please share the Case ID.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel, the case ID was 03136017.

    Regards
    Wolfgang

  • Hello Wolfgang,

    Thank you for the Case ID.

    I checked; however, it seems like the case covered different issues, but I can see the RMA suggested, and the case will get escalated after you receive the new device.

    However, I see the case was closed on Oct 27, but I don't see the RMA. Did you actually fill out the RMA form?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support