External Mail Server secured over XG Firewall
There is a Sophos document (Pocket Guide), "Protect Cloud-hosted Email Server (MTA Mode)", which I studied, but I have a few understanding problems. I think it isn't only the difference between V17 and V18 of SFOS on the XG Firewall.

I have a collection of different domains from the past. These are personal and business ones. To collect them in one place I set up a "privat.local" mail server, which is also my domain within the LAN.

My mails from provider 1 are only on the servers of this provider, with a lot of spam.

I want to route all incoming mails over my firewall before they arrive at the mail server of provider 1.

Short network plan:

Net Base Mail Situation.pdf

The first step is already done, with the change of the MX record. I have two records with different priorities. The highest is the WAN address of my firewall.

The pocket guide mentioned above has 6 steps to do this for cloud-hosted email servers. I think this is the same for a normal email provider.

Step 1: Switch to MTA Mode -> is standard on my FW

The auto-added firewall rule for SMTP/SMTPS is active.

Step 2: Enable SMTP Relay from WAN -> was ON, and no mails went through to my mail provider, so I switched it back.

Step 3: Configure SMTP TLS Certificate -> I seem to have an understanding problem here.
I downloaded the PEM and KEY data from my provider for mail.privat.com. It is signed by "Let's Encrypt" as the authority. With this certificate I have a red x by the Authority. I would interpret that as the certificate authority being missing.

I found one with the filter "let", but it is called differently.

On my provider side I have 3 types of certificate file: the CRT (PEM), the KEY and the CABUNDLE.

Step 4: Configure Global Email Settings -> I have only added my SMTP hostname here; the rest is the Sophos default.

The SMTP TLS configuration should be clear. I used my own provider hostname certificate.

Step 5: Scan and Filter Inbound Emails -> In the SMTP policy I used my personal domain (private.com) hosted by my provider. I also have a business domain (business.com).

In the general settings of Email only 1 SMTP hostname is possible. I have at least 2. Is it possible to add the second and more to the protected domain list if I route with the MX record?

Spam and malware protection are not relevant at the moment.

Step 6: Scan and Filter Outbound Emails -> I don't understand this point. I already have an external mail server, and the connection to this server with Outlook already works without setting these parameters. It could also be that this is just for a cloud-based mail server, or is there a misunderstanding on my side?
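For the step 3 certificate question above, an added check that is not part of the original post and not Sophos tooling: it tests whether the provider's CRT, KEY and CABUNDLE files actually belong together and chain to a trusted root before they are uploaded as the SMTP TLS certificate. The file names and the throwaway test CA (for mail.privat.com) are assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from Sophos): sanity-check
# the three files a hosting provider hands out, the CRT (PEM), the KEY and
# the CABUNDLE, before uploading them as the SMTP TLS certificate on the XG.
# File names and the throwaway PKI below are assumptions for demonstration.
set -eu

# Does the leaf certificate chain up to a trusted root via the CA bundle?
# A failure here is what the firewall reports as a missing authority.
verify_chain() {            # $1 = leaf cert, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public keys
# each one embeds; a mismatch breaks TLS even when the chain is fine.
key_matches_cert() {        # $1 = leaf cert, $2 = private key
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Concatenate leaf + bundle into the full-chain PEM an appliance needs when
# the issuing CA is not already in its own certificate store.
build_fullchain() {         # $1 = leaf cert, $2 = CA bundle, $3 = output
  cat "$1" "$2" > "$3" && [ "$(grep -c 'BEGIN CERTIFICATE' "$3")" -ge 2 ]
}

# Constructed test material: a throwaway root CA and a leaf for
# mail.privat.com signed by it, written into the directory given as $1.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$1/ca.key" -out "$1/cabundle.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.privat.com" \
    -keyout "$1/mail.key" -out "$1/mail.csr" 2>/dev/null
  openssl x509 -req -in "$1/mail.csr" -CA "$1/cabundle.pem" \
    -CAkey "$1/ca.key" -CAcreateserial -days 2 -out "$1/mail.crt" 2>/dev/null
}
```

With a real Let's Encrypt download, run `verify_chain mail.crt cabundle.pem` and `key_matches_cert mail.crt mail.key`; if the chain check fails while the key matches, the bundle (the intermediate plus root) is what the firewall is missing.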