Good day. I'd like to set up my Sophos XG 17 with MTA mail protection, but I have problems with outbound email.
To simplify, I need to bypass the Sophos MTA engine for outbound emails, because my internal SMTP server (Exchange) should deliver using a particular Sender Based Routing policy, towards different public smart hosts (different public SMTP servers, i.e. Google, Microsoft, and so on, based on the public email account).
When using MTA mode, the firewall actually acts as the SMTP server, intercepts all LAN traffic towards public SMTP servers, and then tries to relay.
In Sophos I see I can use only one smart host with MTA mode, and if I don't use the smart host option, the firewall tries to deliver directly to the destination SMTP server, by querying public MX records (I suppose).
I can bypass the problem by using Sophos in legacy mode, to let the internal SMTP server talk directly with the public SMTP servers, but spam/malware filtering for inbound is not working properly, and I can't see email logs in the dashboard; that's why I'd like to stay in MTA mode.
Hi Andrea Gumirato, it would be great if you could share more details on your mail server traffic: where your external and internal servers are hosted and how they communicate through the XG. Please also refer to the article - https://community.sophos.com/kb/en-us/127611
In reply to Keyur:
Hi, here's my current email flow. Currently Sophos XG is between Exchange and the Internet, and intercepts outbound SMTP traffic towards public relays, and that's the issue with the MTA service.
In fact my local Exchange should talk directly with the public SMTP servers, and not with the firewall, because there it's impossible to relay based on the email sender address.
In reply to Andrea Gumirato:
Hi Andrea Gumirato, thank you so much for this diagram. I have tried to check for the option, but only one smart host entry is possible. I would recommend you contact technical support and open a service request to investigate the issue further. Let me tag LuCar Toni and lferrara in case they have anything to share on your requirement. You may also check the legacy mode configuration as well - https://docs.sophos.com/nsg/sophos-firewall/v16058/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/EmailRulesManage_2.html
Yes, if possible I'd try to bypass the Sophos SMTP for outgoing, and it should be simple. Possibly by using a fake port, rather than 25, on the LAN interface, and then translating the traffic to the real port 25 once on the public interface. Could that be possible?
Good day, I solved it simply by creating a business rule for SMTP Outbound, from the LAN zone to the WAN zone (to the public SMTP servers of interest only, i.e. smtp.gmail.com), with NAT towards outbound and the primary gateway set.
This firewall rule simply bypasses the MTA service listening on port 25 on the internal LAN interfaces.
Hope this helps.
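Added example, not part of the thread above and not Sophos code: a small first-match model of the rule ordering that the resolution relies on (the narrow "bypass" rule for the chosen smart hosts has to sit above the catch-all rule that hands port 25 to the MTA, otherwise it never matches), plus a banner check you can run from a LAN host to confirm which MTA actually answered. Rule names, zone names, the ruleset and the hostnames `smtp.office365.com`, `exchange.corp.example` and `mx.example.net` are constructed for the example; the first-match, top-down evaluation is assumed as the model.

```python
"""
Added example (not from the original thread, not Sophos code): a first-match
model of firewall rule evaluation for the SMTP bypass described above, plus a
banner check to confirm from the LAN side which MTA answered on port 25.
Rule names, zones and hostnames below are constructed for the example.
"""
import socket
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_hosts: Optional[Set[str]]   # None means "any destination"
    dst_port: int
    action: str                      # "accept" = plain NAT, "mta" = hand to the MTA proxy


# Constructed ruleset. The model assumes top-down, first-match evaluation, so the
# narrow bypass rule for the chosen smart hosts must sit above the catch-all MTA rule.
RULES: List[Rule] = [
    Rule("SMTP outbound bypass", "LAN", "WAN", {"smtp.gmail.com", "smtp.office365.com"}, 25, "accept"),
    Rule("MTA outbound", "LAN", "WAN", None, 25, "mta"),
    Rule("MTA inbound", "WAN", "LAN", {"exchange.corp.example"}, 25, "mta"),
]


def evaluate(src_zone: str, dst_zone: str, dst_host: str, dst_port: int,
             rules: List[Rule] = RULES) -> Tuple[Optional[str], str]:
    """Return (matching rule name, action); unmatched traffic is dropped."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) != (src_zone, dst_zone, dst_port):
            continue
        if r.dst_hosts is not None and dst_host.lower() not in r.dst_hosts:
            continue
        return r.name, r.action
    return None, "drop"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that an earlier, at-least-as-broad rule prevents from ever matching."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            same_tuple = (earlier.src_zone, earlier.dst_zone, earlier.dst_port) == \
                         (r.src_zone, r.dst_zone, r.dst_port)
            broader = earlier.dst_hosts is None or \
                      (r.dst_hosts is not None and r.dst_hosts <= earlier.dst_hosts)
            if same_tuple and broader:
                shadowed.append(r.name)
                break
    return shadowed


def banner_names_host(banner: bytes, expected_host: str) -> bool:
    """True when the 220 greeting names the host we meant to reach.

    If the firewall's MTA proxy intercepted the session, the greeting comes
    from the firewall rather than from the smart host, so this check fails.
    """
    first_line = banner.decode("ascii", "replace").split("\r\n")[0]
    return first_line.startswith("220 ") and expected_host.lower() in first_line.lower()


def probe_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> bytes:
    """Live check from a LAN host: connect and read the greeting (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512)


if __name__ == "__main__":
    for flow in [("LAN", "WAN", "smtp.gmail.com", 25),
                 ("LAN", "WAN", "mx.example.net", 25),
                 ("WAN", "LAN", "exchange.corp.example", 25)]:
        print(flow, "->", evaluate(*flow))
    print("shadowed as ordered:", shadowed_rules(RULES))
    print("shadowed if reordered:", shadowed_rules([RULES[1], RULES[0], RULES[2]]))
```

Run it on a LAN host and then call `probe_smtp_banner("smtp.gmail.com")` by hand: if `banner_names_host` returns False for the greeting you get back, port 25 is still being answered by the firewall's MTA and the bypass rule is not matching. Note that the bypass is scoped to the listed smart hosts only, so any other outbound SMTP destination still goes through the MTA rule, and inbound mail to Exchange is still scanned.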
Hi Andrea Gumirato, thank you for sharing the resolution, it will help fellow community members.