Best practice for mail scanning rule MTA


I just started using the MTA on our Sophos XG, and it seems to work fine; however, we have some quirks.


We use an external spam filter (SpamExperts) which delivers the mails to the Sophos, so for the upstream server I only selected the IPs used by the SpamExperts service. This works, as all others trying to deliver mail get rejected. On the outbound side we only use our Exchange server, which is set up under host-based relay.


The above works, but blocks services like Gmail or Hotmail from sending mail from a phone.

I cloned the auto-created rule and changed some things; see the attached print screens. Is this the correct way to do this?


  • Hi,

    What ports are you sending from? That rule does not cover port 587 in the current version of XG.

    Do your phones have the CA installed? Otherwise they will not be able to connect.