How To Configure Outbound Email Routing In Sophos XG

In this article we will discuss how to configure outbound email routing through the Sophos XG firewall.

The first step in configuring outbound email is to create a firewall rule that allows email traffic from the LAN zone to the WAN zone. Log in to the Sophos XG firewall, click on Rules and policies and then click on Add firewall rule. Fill in the firewall rule information as shown below.


Name: Enter any name for the firewall rule.

Rule Position: Keep the firewall rule at the top, so that the traffic is not matched first by a drop rule lower in the list.

Action: Accept, to allow the traffic that matches this firewall rule.

Rule group: Keep it as None.

Source Zone: Select the LAN zone, since the traffic originates from the LAN zone.

Source Network: Keep it as ANY.

Destination Zone: Select the WAN zone, since the destination is on the internet.

Destination Network: Select ANY.

Service: Select the email services SMTP, SMTPS and SMTPS_465, which are used for sending email.

[Image: Firewall rule]

Click on Create linked NAT rule to NAT the traffic matching this firewall rule, and keep the translated source (SNAT) set to MASQ as shown in the image below.

[Image: Linked NAT rule]

Note: If you already have a default SNAT rule that masquerades (MASQ) traffic to reach the internet, you do not need to create a linked NAT rule.

Once you have created the linked NAT rule, scroll down to the bottom and click on Scan email content.

[Image: Scan email content]

Select the options Scan SMTP and Scan SMTPS so that the emails are scanned by the Sophos XG firewall.

Then click on Save to save the firewall rule.


Now that we have created the firewall rule, we need to configure the relay settings so that the XG firewall acts as a relay for outbound emails from your internal email server.

Log in to the Sophos XG firewall, click on Administration and then click on the Device access tab. Enable SMTP relay in the WAN zone as shown in the image below.

[Image: SMTP relay]

Now click on the Email menu and then click on Relay settings, as shown in the image below.

[Image: Relay settings]

Under Host Based Relay, select the IP address of your internal mail server. With the internal mail server selected, only that host can use the XG firewall as a relay for sending outbound emails. Never use ANY for Host Based Relay: if it is set to ANY, any host on the internet can use the XG firewall as a relay for sending emails, which can result in the firewall's public IP address being blacklisted by the ISP.

[Image: Host Based Relay]
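Whether the relay is really restricted to your mail server can be checked from a host outside your network. The Python script below is an added example, not part of the original article or of Sophos: it connects to the firewall's WAN address on port 25, issues MAIL FROM and RCPT TO for a recipient domain your mail server does not host, and classifies the RCPT TO reply; a 5xx reply means the relay is denied as intended, a 250 means the relay is open to the internet. The IP address and mailbox addresses are constructed placeholders.

```python
"""Check that an XG SMTP relay exposed on the WAN zone refuses to relay
for arbitrary internet hosts (i.e. Host Based Relay is not set to ANY).
Run from OUTSIDE your network against your own firewall's public IP."""
import smtplib

# Constructed placeholders (assumptions): replace with your own WAN IP and
# a recipient domain that your internal mail server does NOT host.
FIREWALL_PUBLIC_IP = "203.0.113.10"            # TEST-NET-3 documentation range
PROBE_SENDER = "relay-check@example.org"
FOREIGN_RECIPIENT = "relay-check@example.net"


def relay_verdict(code: int) -> str:
    """Map the RCPT TO reply code onto an exposure verdict."""
    if 200 <= code < 300:
        return "OPEN_RELAY"     # relay accepted a foreign recipient from the WAN side
    if 500 <= code < 600:
        return "RELAY_DENIED"   # the expected outcome with host-based relay
    return "INCONCLUSIVE"       # 4xx: temporary failure, greylisting, rate limit


def probe_relay(conn) -> tuple:
    """Drive an smtplib.SMTP-like connection through EHLO/MAIL/RCPT and classify.
    RSET is sent afterwards so no message body is ever handed to the relay."""
    conn.ehlo_or_helo_if_needed()
    code, _ = conn.mail(PROBE_SENDER)
    if code != 250:
        return "INCONCLUSIVE", code   # sender refused: cannot judge relaying
    code, _ = conn.rcpt(FOREIGN_RECIPIENT)
    conn.rset()
    return relay_verdict(code), code


class ScriptedSMTP:
    """Offline stand-in that replays a constructed server transcript, so the
    classification logic can be exercised without a live firewall."""
    def __init__(self, mail_code=250, rcpt_code=554):
        self.mail_code, self.rcpt_code = mail_code, rcpt_code
    def ehlo_or_helo_if_needed(self): pass
    def mail(self, sender): return self.mail_code, b"scripted MAIL reply"
    def rcpt(self, recipient): return self.rcpt_code, b"scripted RCPT reply"
    def rset(self): return 250, b"OK"


if __name__ == "__main__":
    with smtplib.SMTP(FIREWALL_PUBLIC_IP, 25, timeout=15) as smtp:
        verdict, code = probe_relay(smtp)
    print(f"RCPT TO reply {code}: {verdict}")
```

Anything other than RELAY_DENIED from the WAN side means the Host Based Relay list needs to be revisited before the firewall's public IP ends up on a blocklist.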


Now we will configure the SMTP security settings in the firewall. Click on Email and then General settings. Fill in the following information under SMTP security settings as shown below.

SMTP hostname: Enter the hostname of the outgoing email server; this hostname is used in the HELO and SMTP greeting banner.

Don't scan emails greater than: If you do not want to scan emails above a specific size, set that size here; in the next field you can also set the action to take on oversized emails.

Reject based on IP reputation: If this option is enabled, the firewall checks the reputation of the sending IP address and rejects the connection if the IP address is not trusted.

SMTP DoS settings: You can also enable DoS (denial of service) protection settings for the emails passing through the firewall.

Sample settings are shown below.

[Image: SMTP security settings]

SMTP TLS Configuration:

We need to upload the mail server certificate under the Certificates >> Certificates section and then select the corresponding certificate in the SMTP TLS configuration as shown in the image below.

Disable the invalid certificate option under SMTP TLS configuration, so that TLS connections presenting an invalid certificate are not accepted.

[Image: SMTP TLS configuration]

On the same page, under Advanced settings, select the Scan outgoing emails option to scan all outbound emails passing through the Sophos XG firewall.

[Image: Scan outbound emails]

Hope this article helps you.