Central Email Configuration (Internal Email Server)

This recommended read goes over how to set up Sophos Central Email.

This configuration will cover examples of DNAT rules and usage of a 3rd Party DNS provider to go over the configuration examples of Domain Validation, MX records, and SPF Records.

In this recommended read we’ll go over:

Configuring Sophos Central Email Gateway flow

1. Validate your Domain

In Central Go to Configure >> Settings >> Domain Settings/Status >> Add Domain

Enter your domain and click Verify Domain Ownership, in the new window that pops up you’ll see a TXT Value, copy and enter this value in your Public DNS (Do not close the Verify Domain Ownership window).

Go to your Public DNS provider and enter the TXT Value

In NameCheap we go to Domain List >> (Select your domain and click) Manage >> Advanced DNS >> Host Records >> Add New Record

Type = TXT Record, Host @, Value = TXT Value shown in Sophos Central, TTL = Automatic

Wait for around 1-60 minutes, and go back to Sophos Central, Configure >> Settings >> Domain Settings >> and click Verify
You should get the following:

Note: If you get an error here, and you have confirmed you entered the correct TXT Value on your DNS and waited over 60 minutes, it’s possible that the Domain might have been used in a previous Central account, which will cause issues with the Verification in that case, open a case with Support and provide any details about using this domain in the past or having added it in a different Central Account.

2. Configure Domain Direction, Inbound Destination, and IP/FQDN.

In this Recommend Read we’ll configure Inbound and Outbound, using a Custom Gateway, (in a future RR we will use GSUITE and O365), our Email Server will be Exchange.

Inbound Destination = Mail Host
IP/FQDN = Public IP where Centra Email will be sending inbound emails to, most of the times, this will be the Public IP of your router, you can also enter an FQDN of your WAN interface. (The FQDN needs to be Public resolvable)
Port = Port used by your MTA server by default it is 25, your Firewall/Router needs to have this port open to accept connections.
Outbound Gateway = Custom Gateway
IP/CIDR = List the Public IPs that Central Email should expect to receive outbound emails coming from your MTA server; add here all the IPs that would be routing email to Central Email, if the IP is not listed, Central will reject the connection.

3. Add a Mailbox Manually for email flow testing

Go to Manage Protection >> Mailboxes >> Add >> Add Mailbox
Mailbox Type = User
Name = Name to identify the owner of the Mailbox
Email = Valid email address present in your Exchange Domain; in this case we’ll use “mailbox@”

After clicking Save the Mailbox should show under the Mailboxes Menu and the Username should show under the People Menu.

4. Confirm outbound traffic is working (Configuring Send Connector)

a) Confirm the test Mailbox exists in Exchange or create a Mailbox for it

Exchange Admin Center >> Recipients >> Mailboxes.

First, you need to know the Outbound Relay Host used by your Sophos Central Email, you can find it in:

Sophos Central Email Gateway >> Configure >> Settings >> Domains Settings / Status >> Configure External Dependencies >> Outbound Settings

Note: You MUST enter the one assigned to your region; otherwise email flow won’t work.

b) Create a test Send Connector to send email to Sophos Central Email in Exchange

Note: This will cause some downtime for outbound email

Exchange Admin Center >> Mail Flow >> Send Connectors >> +

Name = Sophos_Central

Type
= Internet

Network Settings
= Route Mail Trough Smart Hosts >> + >> Enter the Outbound Relay Host for SCE

Smart Host Authentication
= None

Address Space
= *

Source Server
= Your Exchange Server

Note: Make sure your Firewall  isn’t acting as an MTA

c) For an added layer of security, you can configure your Firewall to only allow port 25 and 587 for outgoing email communication to Sophos Central

In our example we’ll be using Sophos XG as the border router, the XG is configured in Legacy Mode and SMTP relay under System >> Administration >> Device Access >> Local Service ACL >> SMTP Relay for LAN and WAN is disabled (if your Exchange server is in a different Zone, make sure to disable also SMTP Relay in this Zone).

d) Send a Test email from the mailbox registered in Sophos Central

I will be using a testing Gmail address for this demonstration.

Check the mailbox we sent the email to.

To confirm the email was relayed from Central in Gmail click the … (3) dots within the message and Click Show Original.

You should be able to find the following line to confirm the email was sent through Central Email

Received: from mail.delivery-11-us-west-2.prod.hydra.sophos.com (mail.delivery-11-us-west-2.prod.hydra.sophos.com. [34.212.96.110])

Sophos Central Email should also show the email, you can check under Email Gateway >> Logs & Reports >> Email Security Logs



Note:
If you send email from a Mailbox not added in Sophos Central, you will receive a “Mail Delivery System bounce message” in the sender mailbox. This is because Central only relays/accepts outbound emails from Mailboxes added in Sophos Central.

5. Change your MX records to point to Sophos Central Email Gateway

Note: This will cause downtime during the testing. To minimize downtime, you can import or sync all of the mailboxes that need email flow before changing your MX records.

a) Localize the MX records for your Sophos Central Email Gateway region

Email Gateway >> Configure >> Settings >> Domain Settings / Status >> Configure External Dependencies >> Inbound Settings


You MUST confirm and use the Email Gateway MX records for your region, if you use MX records for a different region your email traffic won’t work.

b) Go to your DNS provider to change your MX records to point to Sophos Central.

Note: Only keep Sophos Central MX Records; if you keep additional MX records, some email might not flow through your Central Email Gateway, exposing you to threats, spam, etc.

You can confirm if your MX records have been updated by entering your domain on the following website https://mxtoolbox.com/; if your MX records have propagated, you should see the following:

You can get this information using a Command Prompt

6. Test Email flow

To test Inbound Email Flow, we used the Test Gmail account address we used previously.

Once sent, in Central Email you should see an entry for this email under:

Email Gateway >> Logs & Reports >> Message History

Note: Central might have a slight delay showing the email in the GUI even after it has been delivered; this is normal.

Open Outlook and you should see the email in the mailbox
(The banner you’re seeing is related to the feature called Impersonation Protection, you can find more information about it in the following link).

To double confirm the email went through Sophos Central you can open the email in Outlook by clicking in Show Message Details, you should see the following entry:

Received: from ip-172-17-100-231.us-west-2.compute.internal (ip-172-17-100-231.us-west-2.compute.internal [127.0.0.1]) by outbound-50-112-39-248-us-west-2.prod.hydra.sophos.com (Postfix) with ESMTP id 4DrW9X2M5kzvPrl

If you don’t see this in the email or Central hasn’t show the email, the email didn’t pass through Central, it can be for many reasons, your MX records have not propagated, the sender has a stale entry for your MX records, you have additional MX records.

7. Restrict delivery of email to Sophos IP addresses

Now that email flow is working, you can add one more layer of security to your email flow, by restricting the delivery IPs to only Sophos Central, at your Firewall and or Exchange level.

To know what IPs central will be using to deliver email go to

Email Gateway >> Configure >> Settings >> Domain Settings/ Status >> Inbound Settings


If we check the details of the received email, we can see one of the IPs being used to send the email to our organization.

Received: from outbound-50-112-39-248-us-west-2.prod.hydra.sophos.com ([50.112.39.248]:30802)

To restrict access to these IPs you do it on Exchange directly by going to:

Exchange Admin Center >> Mail Flow >> Receive Connectors >> Client FrontEnd YourMailServerName >> On the Security Lab you can leave all the defaults selected

Scoping >> Remote Network Settings >> + >> You would need to add your assigned Sophos Central IPs, and depending on your Firewall configuration, the Firewall Internal IP, this in case your DNAT rule is Masquerading the Sender IP.


Note: If your Mail flow is more complex, please modify with caution.

To add an extra layer of protection, you can also restrict on your Firewall/Router only Sophos Central IPs connection to Port 25 (by default) or any custom port you might use, this should block any direct Telnet attempt on Port 25 to your Firewall from any IPs other than Central.

At this point, you should have inbound and outbound email flow working.

Note: Only the mailboxes added in Sophos Central, are the only ones allowed to Send and Receive email; remember to add all the mailboxes that will be receiving and sending email, and their Aliases; failing to do this will cause emails not to be delivered.

8. Update your SPF record for your domain

Now that Central Email will be delivering your email, you need to update your SPF record to show this change in your email flow.

The SPF record used by Central is v=spf1 include:_spf.prod.hydra.sophos.com

We need to add this to your DNS provider as a TXT record; here is an example of how the SPF record should look like:

Type = TXT Record
Host = @
Value = v=spf1 include:_spf.prod.hydra.sophos.com -all

Note: This SPF record only marks Central Email as the allowed sender for your domain; if you have additional ways of sending email outbound from your domain, you would need to add it in your SPF record, for example, another Public IP that doesn’t route email via Central Email.


v=spf1 ip4:216.99.43.102 include:_spf.prod.hydra.sophos.com -all

9. Update DKIM record for your domain

DKIM allows you to sign and authenticate your outbound emails. 
The DKIM has to be added in the last relay right before the email goes out.

To add a DKIM Key go to Email Gateway >> Settings >> Domain Settings/Status >> select the domain you want to add a DKIM for >> DKIM Keys >> Add Key 

After clicking Add, wait for a moment, and the DKIM will be updated

Go to your DNS provider, in this case, NameCheap and add as a TXT record:

Type = TXT Record
Host = sophosee16d5355e9e475eaa6087a7dc690c24._domainkey
Value = v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8Ohk391xrVFhr70wifftbVLd7IsfJtzOs9Rc0It3gggshJKR/JzvRg1oQAZhHYPVATeTNDoVR7WN8m8cLRbPpWBlSTxRdTISRbaL663PpQBA5pjnkl0EfCcEtGtrL9IgwyjkdUxL6gbcddEzcSvi+t+kijZy2xR0j9NiCrYPsukGvIsZ3dpmuAcpsaGaBqnPEkUc/3dWXfucSA3+MO7qctz7p0PwT0OMz1bCTS1TGEbiV7Uy1liBXvG9WE41Exl5aECM2zvsmp+iEGyXrDkIVM/2xm80Z+hWKI3W/0RUVw9nNVx250riQbqHZCj/zU8y0iGuSW5XLAmgZz4edR+twIDAQAB
TTL = 5 min

Note:  Notice the Value, is a single line and it contains a space after the ";".

Wait between 5 minutes to 1hr for the DNS records to replicate and click: Test Record

After the test passes select: "Activate this Key" so your outbound email starts being signed.

RELATED INFORMATION

Email Gateway




Edited Table of content
[edited by: emmosophos at 7:16 PM (GMT -7) on 30 Jul 2021]