In this article we will discuss how to configure outbound email routing through the Sophos XG firewall.
The first step in configuring outbound email is to create a firewall rule that allows email traffic from the LAN zone to the WAN zone. Log in to the Sophos XG firewall, click on Rules and policies and then click on Add firewall rule. Fill in the firewall rule information as shown below.
Name: Enter any name for the firewall rule.
Rule position: Keep the firewall rule at the top, so that the traffic does not match any drop rule in the firewall first.
Action: Accept, to allow the traffic that matches this firewall rule.
Rule group: Keep it as None.
Source zone: Select the LAN zone, since the traffic originates from the LAN zone.
Source network: Keep it as ANY.
Destination zone: Select the WAN zone, since the destination is on the internet.
Destination network: Select ANY.
Service: Select the email services SMTP, SMTPS and SMTPS_465, which are the services used for sending email.
Click on Create linked NAT rule to NAT the traffic matching this firewall rule, and keep the translated source (SNAT) set to MASQ as shown in the image below.
Note: If you already have a default SNAT rule to MASQ for reaching the internet, there is no need to create a linked NAT rule.
Once you have created the linked NAT rule, scroll down to the bottom and click on Scan email content.
Select the options "Scan SMTP" and "Scan SMTPS" so that the emails are scanned by the Sophos XG firewall.
Then click Save to save the firewall rule.
Now that we have created the firewall rule, we need to configure the relay settings so that the XG firewall acts as a relay for the outbound emails of your internal email server.
Log in to the Sophos XG firewall, click on Administration and then on the Device access tab. Enable SMTP relay for the WAN zone as shown in the image below.
Now click on the Email menu and then on Relay settings in the firewall, as shown in the image below.
Under Host Based Relay, select your internal mail server IP address. With the internal mail server IP address selected, the mail server uses the XG firewall as a relay for sending outbound emails. Never use ANY in place of a host under Host Based Relay. If it is left as ANY, any host on the internet can use the XG firewall as a relay for sending emails, which might result in the firewall's public IP address being blacklisted by the ISP.
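After restricting Host Based Relay, it is worth confirming from a host outside that list that the firewall really refuses to relay mail for a domain it does not handle. The following Python script is an added example, not Sophos code or part of the original article; the firewall IP address and the mailbox addresses are constructed placeholders that you replace with your own values.

```python
"""Check that the Sophos XG SMTP relay is not an open relay.

Run it from a host that is NOT in the Host Based Relay list (for example a
workstation on the internet side). It asks the relay to accept a message
for a foreign domain and stops before DATA, so no mail is ever sent.
"""
import smtplib

# Constructed placeholders: use your firewall's WAN IP and a mailbox in a
# domain the firewall does not host (the relay must refuse it).
RELAY_HOST = "203.0.113.10"          # hypothetical firewall public IP
PROBE_SENDER = "probe@example.org"   # hypothetical sender address
EXTERNAL_RCPT = "nobody@example.net"  # hypothetical foreign recipient


def classify_relay_reply(mail_code: int, rcpt_code: int) -> str:
    """Map the MAIL FROM / RCPT TO reply codes to a verdict.

    A correctly restricted relay answers RCPT TO with a 5xx code (typically
    550 or 554) for an address it is not responsible for. A 2xx reply to
    both commands means the relay accepted mail for a foreign domain, i.e.
    it is open. Anything else (4xx greylisting, temporary failure) is left
    as inconclusive so it is re-checked rather than assumed safe.
    """
    if mail_code >= 500 or rcpt_code >= 500:
        return "closed"
    if 200 <= mail_code < 300 and 200 <= rcpt_code < 300:
        return "OPEN RELAY"
    return "inconclusive"


def probe_relay(host: str = RELAY_HOST, port: int = 25, timeout: float = 10) -> str:
    """Connect to the relay, attempt a foreign-domain relay and return the verdict.

    RSET is sent before the session is closed (QUIT is sent by the context
    manager), so the transaction is abandoned without a message body.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            mail_code, _ = smtp.mail(PROBE_SENDER)
            rcpt_code, _ = smtp.rcpt(EXTERNAL_RCPT)
            smtp.rset()
            return classify_relay_reply(mail_code, rcpt_code)
    except (OSError, smtplib.SMTPException) as exc:
        # Unreachable or protocol error: report it rather than guess a verdict.
        return f"unreachable ({exc})"


if __name__ == "__main__":
    print(f"{RELAY_HOST}:25 relay check -> {probe_relay()}")
```

Run the script once from outside the Host Based Relay list and expect "closed"; "OPEN RELAY" means the relay settings still allow arbitrary hosts and must be fixed before the public IP ends up on a blacklist.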
Now we will configure the SMTP security settings in the firewall. Click on Email and then on General settings. Fill in the following information under SMTP security settings as shown below.
SMTP hostname: Enter the outgoing email server hostname; this hostname is used in the HELO/EHLO and in the SMTP greeting banner.
Don't scan emails greater than: If you do not want to scan emails larger than a specific size, set that size here; in the next field you can also set the action to take for oversized emails.
Reject based on IP reputation: If this option is enabled, the firewall checks the reputation of the sending IP address and rejects the connection if the address is not trusted.
SMTP DoS settings: You can also enable DoS settings for the emails passing through the firewall.
Sample settings are shown below.
SMTP TLS Configuration:
We need to upload the mail server certificate under Certificates >> Certificates and then select the corresponding certificate in the SMTP TLS configuration as shown in the image below.
Disable the invalid certificate option under SMTP TLS configuration, so that connections presenting an invalid certificate are not accepted.
On the same page, under Advanced settings, select the Scan outgoing emails option to scan all outbound emails passing through the Sophos XG firewall.
Hope this article helps you.