Sophos XGS: How to configure Email Protection with MTA mode on Sophos XGS to protect Email server

Overview

This article describes how to configure the Email Protection feature on the Sophos XGS firewall in MTA (Mail Transfer Agent) mode to protect the internal email server system against malware and spam and to apply mail filtering.

In MTA mode, the Sophos XGS handles the routing of email between the Internet and the email servers.

The MX record of the email domain must point to the WAN port of the Sophos XGS.

Diagram

Configuration steps

  • Create hosts for 2 email servers
  • Create domain for mail on Sophos XGS
  • Enable MTA mode of Email protection
  • Allow and protect email from the Internet to the internal servers (inbound)
  • Allow mail from the internal servers to the Internet (outbound)
  • Configure SMTP protocol security settings

How to configure

Create hosts for 2 email servers

  • Go to SYSTEM -> Choose Hosts and services -> Choose IP host -> Click Add
  • Enter name
  • In IP version: Choose IPv4
  • In Type: Choose IP
  • In IP address: Enter the IP addresses of the 2 servers

Create domain for mail on Sophos XGS

  • Go to PROTECT -> Choose Email -> Choose Address group -> Click Add
  • Enter name
  • In Group type: Choose Email address/domain
  • In Type: Choose Manual
  • In Email address(es)/domain(s): Enter domain

Enable MTA mode of Email protection

  • Go to PROTECT -> Choose Email -> Choose General settings -> Click Switch to MTA mode if the firewall is in Legacy mode; otherwise leave it as it is

Allow and protect email from the Internet to the internal servers (inbound)

  • Go to PROTECT -> Choose Email -> Choose Policies and exceptions -> Click Add a policy -> Choose SMTP route & scan
  • Enter name for SMTP policy
  • In Protected domain: Choose domain
  • In Route by: Choose Static host
  • In Host list: Choose the 2 email server hosts
  • Enable Spam protection and keep the default config
  • Enable Malware protection and keep the default config
  • Optionally, enable File protection and Data protection as well
  • Click Save

Allow mail from the internal servers to the Internet (outbound)

  • Go to SYSTEM -> Choose Administration -> Choose Device access -> Tick SMTP Relay in the WAN column -> Click Apply
  • Go to PROTECT -> Choose Email -> Choose Relay settings
  • In Allow relay from hosts/networks: Choose the 2 email server hosts
  • Click Apply

Configure SMTP protocol security settings

  • Go to PROTECT -> Choose Email -> Choose General settings -> Go to SMTP settings
  • In SMTP hostname: Enter the SMTP hostname
  • Choose Reject based on IP reputation to block mail from untrusted IPs
  • Choose SMTP DoS settings and keep the default config to prevent interception attacks
  • In TLS certificate: Choose the certificate of your email server uploaded to the Sophos XGS (recommended) or use the default Sophos certificate (see the instructions for uploading a certificate below)
  • Untick Allow invalid certificate
  • Keep the remaining default config
  • Click Apply

** Instructions for adding a certificate on Sophos XGS

  • Go to SYSTEM -> Choose Certificates -> Choose Certificates -> Click Add
  • Enter name
  • Upload the certificate file and the key file
  • Click Save
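Once the configuration above is in place, a defender will want to verify from the outside that the domain's MX records send all inbound mail through the XGS WAN port (rather than straight to the mail servers, which would bypass scanning) and that the firewall's SMTP listener advertises the configured SMTP hostname and STARTTLS. The following script is an added example written for this article, not Sophos code and not part of the original page; the IP addresses, hostnames and EHLO reply it uses are constructed placeholders.

```python
import socket

# Constructed sample data (placeholders, not real addresses or hosts).
FIREWALL_WAN_IPS = {"203.0.113.10"}
MX_RESOLUTION = {"mx1.example.com": {"203.0.113.10"},   # resolves to the XGS WAN port
                 "mx2.example.com": {"198.51.100.7"}}   # resolves elsewhere: bypasses the firewall
EHLO_REPLY = ["250-xgs.example.com", "250-SIZE 52428800", "250-STARTTLS", "250 8BITMIME"]

def mx_bypass_targets(mx_resolution, wan_ips):
    """Return MX targets whose addresses are not all firewall WAN IPs (mail to them skips scanning)."""
    return sorted(name for name, ips in mx_resolution.items() if not ips <= wan_ips)

def parse_ehlo(reply_lines):
    """Split a multi-line 250 EHLO reply into the advertised hostname and the set of extensions."""
    if not reply_lines or not reply_lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    hostname = reply_lines[0][4:].split()[0]
    extensions = {line[4:].split()[0].upper() for line in reply_lines[1:] if line.startswith("250")}
    return hostname, extensions

def smtp_findings(reply_lines, expected_hostname):
    """List posture problems relative to the SMTP settings configured in this article."""
    hostname, exts = parse_ehlo(reply_lines)
    findings = []
    if hostname.lower() != expected_hostname.lower():
        findings.append(f"EHLO hostname {hostname!r} differs from configured SMTP hostname {expected_hostname!r}")
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered: inbound mail would be accepted in cleartext")
    return findings

def live_ehlo(host, port=25, timeout=5.0):
    """Network helper: read the real EHLO reply from the firewall WAN port (not used by the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()  # discard the 220 banner
        s.sendall(b"EHLO check.invalid\r\n")
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # "250 " (space) ends the multi-line reply
                break
        s.sendall(b"QUIT\r\n")
    return lines

if __name__ == "__main__":
    print("MX targets bypassing the firewall:", mx_bypass_targets(MX_RESOLUTION, FIREWALL_WAN_IPS))
    print("SMTP findings:", smtp_findings(EHLO_REPLY, "xgs.example.com"))
```

Feed `live_ehlo("<your XGS WAN IP>")` into `smtp_findings` to run the same checks against the real listener, and resolve your domain's MX records into the `MX_RESOLUTION` shape to check for bypass paths.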
