Sorry for the delay in the answer, it took us much longer than expected to verify our answers.

For your first question, the help page is correct. “Any” won’t work for a specific upstream host.
To use a smarthost, ideally, you need to use the Smarthost settings on Email > General settings.

For your second question, nslookup should work. If you still experience issues, we advise you to post on the dedicated Sophos Firewall Discussion board on Our community members should be able to help you resolve your problem.

Improvements kb article "Set up Microsoft Office 365 with Sophos Firewall"


I wanted to suggest some improvements for the article Setup up Microsoft Office 365 with Sophos Firewall : 

7. Relay Settings:

Putting "Any" into the box "Upstream Host" -> "Allow Relay from Host/Network" will NOT let you send mails to a smarthost. With "Any" everytime the firewall tries to send to the configured smarthost, it fails. As soon as I got rid of the smarthost, mails are being sent succesfully. However: if I delete "Any" and put the DNS-Name or IP-Adress of the smarthost and then configure a smarthost, it works perfectly fine.

9. Policies:

When trying to get any info out of the command "nslookup -q=MX <domain>" it never showed any IP-Adress for the mx record (for me at least). Even when i resolved the name to an ip-address using a different service, creating a host and selecting it for mails to be routed to the ip-address, it wouldn't work for me. Afterwards i created a policy for every domain each with the option "Route by" -> "Dns-Host" -> "mx-record from M365" , which again worked perfectly fine.

