The purpose of this article is to make sure you get the most out of your new Sophos Email Appliance (SEA) as well as to provide some additional insight into the operations of the appliance.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Email Appliance
With regard to DNS and routing, the normal mail flow should look something like this: MX record (pointing at A records for your public IPs) >> firewall >> port forward of TCP 25 to the appliance.
Load balancer consideration: If you use a hardware load balancer, ensure that it is configured to pass the MTA connection through without stripping or rewriting the external source IP addresses. Otherwise your spam catch rate will be abysmal, as every message will appear to come from an external domain but with an internal IP address.
DNS load balancing is recommended instead. It is free and easy to configure, and there is no reason to spend time on a load balancer or consume its resources.
Cloud configuration: If you have O365 or similar, it is recommended to use exactly the same DNS routing as shown above, with O365 configured as the downstream relay. Configure O365 to deliver to the appliance as well. This allows you to take advantage of all of the appliance's capabilities, such as SPX encryption, BATV, the delay queue, etc.
Dual spam appliances: Having more than one spam product is normally not recommended, for a number of reasons: company A may score a message at 17% and company B at 55%, you end up with two quarantines, and in general it causes headaches. If you do, however, make sure that ANY upstream email product that receives mail and delivers it to the appliance is listed as a Trusted Relay. Trusted relays are skipped when performing spam, RDNS and similar checks (see the routing section for more information).
The subsequent sections of this article detail all of the configurable features, some basic rules, and considerations when making rules for the SEA.
Note: Not every menu will be covered in this section. If it is not listed, chances are you do not need to worry about it.
There are two types of administrators:
It is a prerequisite to configure Software engine updates.
This screen shows the installed software engine version number in the following format:
535000 is the antivirus version number
.0250 is the revision number
1507 is the time of release
Note: Always ensure that the AV updates have today's date on them.
Another section shows Software Engine, which is the appliance firmware version; you can manually apply updates, configure a window with the scheduler or disable updates.
Email: Local alert contacts are email addresses where all alerts will be sent.
Postmaster email: This is the address that will be shown in all bounce related messages, or message/dialog emails such as the digest.
Support: Configure appliance non-critical and critical alerts.
SNMP Monitoring: The customer can download the MIB package and export alerts to their SNMP server. All of the critical alerts are listed; simply download the XML file and have a look to see what is covered.
Syslog: It is recommended to export the logs to a syslog server so that you have a copy of the actual mail logs. The SEA scrapes the mail log and populates the database from it; after a month the original logs are destroyed.
Ensure you use the backup option; it will be impossible to recreate your configuration if your appliance croaks. If you have a current system backup, at worst it can be re-applied to the appliance by calling support.
It is not required to back up the quarantine, but it is recommended to back up the system logs.
For the most part the defaults should work; however, if you have a complex directory service you may need an AD query tool to export the correct layout.
Active Directory Explorer
Configuring AD allows your users to log in and release spam, enables postfix to create validation lists, and allows you to configure rules on a per-user/group basis.
See the ? at the top right of the dialog box for more information on AD.
Note: AD configuration can be different in every organization; the default will simply pull the primary SMTP address. If you have specific needs you will need to create and test your own query string.
99.9% of mail servers do not require valid TLS certificates, so the self-signed one is usually fine. In the case of .mil or similar, they will require validation; in that case, generate a CSR from the appliance and submit the request to your CA, then upload the result into the appliance (ensure there are no extra spaces, line feeds or similar, or it will be invalid).
If you absolutely have to assemble your own certificate, ONLY USE .PEM format (also known as Apache format).
Convert formats of certificate
Open Notepad and create a new document. From there you must cut and paste all of the parts of the certificate exactly as described below. Note that you need to paste each part in the correct order or the certificate will fail to import.
Sites such as SSLShopper may help you chain your certificate.
-----BEGIN RSA PRIVATE KEY-----
This is your private key; you should never give it to anyone or let anyone see any part of it.
Why? Because anyone with your private key can capture packets and decrypt any information it was used to encrypt.
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
This is your public certificate as issued by your provider; chances are, if you got a GoDaddy cert, this is the whole reason.
You have to convert it, because they won't give you certificates in clear-text formats.
-----END CERTIFICATE-----
After these two parts, the next parts are the intermediate CAs. In order to complete the certificate correctly you must include all of the CAs.
In most cases they will provide you with three CAs, each one delimited with the same markers:
-----BEGIN CERTIFICATE-----
Once the certificate chain is complete, save it to your desktop and scroll down to Part 5.
Important: There should be no extra spaces or line feeds anywhere in the file.
Note: If you submitted the CSR from the appliance do not include the private key.
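As an added illustration (not part of this article or any Sophos tooling), the following Python script checks a hand-assembled PEM bundle for the mistakes described above before you try to import it: spaced-out or mismatched BEGIN/END markers, stray whitespace or blank lines, bodies that are not valid base64/DER, a private key that is missing (or present even though the CSR came from the appliance), a key that is not the first block, and missing intermediate CA certificates. The sample blocks are constructed minimal DER SEQUENCEs, not real keys or certificates.

```python
import base64
import re

# Bundle order as the article describes it: optional private key first, then the server certificate, then every intermediate CA.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def check_pem_bundle(text, key_expected=True):
    """List problems in a PEM bundle (empty list = looks importable); key_expected=False means the CSR came from the appliance."""
    problems = []
    lines = text.split("\n")
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append(f"line {n}: leading/trailing whitespace")
        elif line == "" and n != len(lines):
            problems.append(f"line {n}: blank line inside the bundle")
    blocks = BLOCK_RE.findall(text)
    if text.count("BEGIN ") != len(blocks):
        problems.append("malformed BEGIN/END markers (exactly five dashes, no spaces, matching labels)")
        return problems
    for i, (label, body) in enumerate(blocks, 1):
        try:
            der = base64.b64decode(body.replace("\n", ""), validate=True)
        except ValueError:
            problems.append(f"block {i} ({label}): body is not valid base64")
            continue
        if not der or der[0] != 0x30:  # keys and certificates are both ASN.1 SEQUENCEs
            problems.append(f"block {i} ({label}): decoded data is not DER")
    labels = [label for label, _ in blocks]
    key_pos = [i for i, l in enumerate(labels) if l in KEY_LABELS]
    if key_expected and not key_pos:
        problems.append("private key block missing")
    if not key_expected and key_pos:
        problems.append("private key present, but it must be omitted when the CSR came from the appliance")
    if key_pos and key_pos != [0]:
        problems.append("private key must be the first block and appear only once")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("server CERTIFICATE block missing")
    elif certs == 1:
        problems.append("only one CERTIFICATE block: intermediate CA certificates missing")
    return problems

def fake_block(label, payload=b"\x30\x03\x02\x01\x01"):
    # Constructed stand-in for a real key/certificate: a minimal DER SEQUENCE, not real key material.
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----"

# Constructed samples: a correctly ordered bundle, and one with typical mistakes (key second, trailing space, no intermediates).
SAMPLE_OK = "\n".join([fake_block("RSA PRIVATE KEY")] + [fake_block("CERTIFICATE")] * 3)
SAMPLE_BAD = "\n".join([fake_block("CERTIFICATE"), fake_block("RSA PRIVATE KEY") + " "])
```

Run `check_pem_bundle(open("bundle.pem").read())` on your assembled file; an empty list means the structure is sound, though it does not verify that the intermediates actually chain to your certificate.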
When you have multiple SEAs, the first SEA becomes the cluster master. For example, if you have SEA 192.168.1.1 and SEA 192.168.1.2, and you log into .2 and cluster into .1, then .1 becomes the master that you always cluster in to.
Note: All cluster members must be on the same version. It is recommended to complete the installation process on new appliances and get them fully up and running first.
These services are typically used for connections between your SEA and locations outside of your organization's network.
These services are typically used for connections within your organization's network and your SEAs, or between multiple SEAs.
Clustered members can be located anywhere, but they require access to all of the ports the programs need, i.e. 8888 and 5432, etc.
To replace a cluster member:
Always make sure NTP is configured; AD will reject anything that is more than +/- 3-5 minutes out. This also tells the appliance how many hours to adjust the logs by (all logs are stored in UTC).
Configuration sync is for UNIX environments (or similar environments with NO AD) that wish to add SMTP addresses to the SEA manually. Have a look at the linked documentation. It is not recommended to perform this sync.
These should be your downstream servers. You will generally only require a single set; however, if you accept mail for multiple domains and route mail accordingly, you may have several groups or servers listed.
In order to assign a mail group you will need to configure your mail domains, e.g. accept mail for abc.com and send it to server group 1, accept mail for xyz and send it to server group 2, etc.
Mail delivery servers are mandatory.
Identify the domains you accept mail for, then assign the delivery server to each. You can use TLDs, subdomains or any combination of the two; just make a separate entry for each and assign it accordingly.
Mail domains are mandatory.
Contrary to the name, any IP range can be listed here. This tells the appliance which hosts it is allowed to accept mail FROM for relaying; mail from the hosts listed is assumed to be outbound, destined for the Internet.
Anything listed here should be set up to relay mail anonymously.
Internal mail hosts are mandatory (if you wish to relay outbound mail through the appliance).
A trusted relay is a trusted mail source that is exempt from spam scanning and DNS lookups; it should only be used if necessary.
By default the vast majority of configurations will not need any trusted relays listed.
Before adding any trusted relays make sure you consult the full documentation listed here:
This can be used to convert one address to another; generally you will never need this, as most of the time aliases set by users are resolved at the Exchange level.
Using the network interface settings, you can set your speed/duplex to match your switch port. It is not recommended to leave it set to automatic.
Note: Re-registering devices is a requirement for a cloned device. It is not recommended to clone devices, as it is just as fast to deploy a new SEA; this creates a unique SEA with proper SSL keys and avoids a whole range of issues with database entries and more.
Clones should be an absolute last option.
Your FQDN should match your certificates exactly. It is also good to make sure that it can be resolved.
This is important because remote mail servers will perform RDNS on your connections; having a host name that does not match is poor configuration.