This recommended read goes over how to set up Sophos Central Email.
The configuration covers examples of DNAT rules and the use of a 3rd party DNS provider, and walks through the configuration of Domain Validation, MX records, and SPF records.
In this recommended read we’ll go over:
In Central Go to Configure >> Settings >> Domain Settings/Status >> Add Domain
Enter your domain and click Verify Domain Ownership. In the window that pops up you’ll see a TXT Value; copy this value and enter it in your Public DNS (do not close the Verify Domain Ownership window).
Go to your Public DNS provider and enter the TXT Value
In NameCheap we go to Domain List >> (Select your domain and click) Manage >> Advanced DNS >> Host Records >> Add New Record
Type = TXT Record
Host = @
Value = TXT Value shown in Sophos Central
TTL = Automatic
Wait for around 1-60 minutes, then go back to Sophos Central, Configure >> Settings >> Domain Settings >> and click Verify. You should get the following:
Note: If you get an error here, and you have confirmed you entered the correct TXT Value in your DNS and waited over 60 minutes, it’s possible that the Domain was used in a previous Central account, which will cause issues with the Verification. In that case, open a case with Support and provide any details about using this domain in the past or having added it in a different Central Account.
In this Recommended Read we’ll configure Inbound and Outbound using a Custom Gateway (in a future RR we will use GSUITE and O365); our Email Server will be Exchange.
Inbound Destination = Mail Host
IP/FQDN = Public IP where Central Email will send inbound emails to. Most of the time this is the Public IP of your router; you can also enter an FQDN of your WAN interface (the FQDN needs to be publicly resolvable).
Port = Port used by your MTA server; by default it is 25. Your Firewall/Router needs to have this port open to accept connections.
Outbound Gateway = Custom Gateway
IP/CIDR = List the Public IPs that Central Email should expect outbound emails to come from (your MTA server). Add here all the IPs that will be routing email to Central Email; if the IP is not listed, Central will reject the connection.
Go to Manage Protection >> Mailboxes >> Add >> Add Mailbox
Mailbox Type = User
Name = Name to identify the owner of the Mailbox
Email = Valid email address present in your Exchange Domain; in this case we’ll use “mailbox@”
After clicking Save the Mailbox should show under the Mailboxes Menu and the Username should show under the People Menu.
a) Confirm the test Mailbox exists in Exchange or create a Mailbox for it
Exchange Admin Center >> Recipients >> Mailboxes.
First, you need to know the Outbound Relay Host used by your Sophos Central Email. You can find it in:
Sophos Central Email Gateway >> Configure >> Settings >> Domains Settings / Status >> Configure External Dependencies >> Outbound Settings
Note: You MUST enter the one assigned to your region; otherwise email flow won’t work.
b) Create a test Send Connector to send email to Sophos Central Email in Exchange
Note: This will cause some downtime for outbound email
Exchange Admin Center >> Mail Flow >> Send Connectors >> +
Name = Sophos_Central
Type = Internet
Network Settings = Route Mail Through Smart Hosts >> + >> Enter the Outbound Relay Host for SCE
Smart Host Authentication = None
Address Space = *
Source Server = Your Exchange Server
Note: Make sure your Firewall isn’t acting as an MTA
c) For an added layer of security, you can configure your Firewall to only allow ports 25 and 587 for outgoing email communication to Sophos Central.
In our example we’ll be using Sophos XG as the border router. The XG is configured in Legacy Mode, and SMTP Relay under System >> Administration >> Device Access >> Local Service ACL >> SMTP Relay is disabled for LAN and WAN (if your Exchange server is in a different Zone, make sure to disable SMTP Relay in that Zone as well).
d) Send a Test email from the mailbox registered in Sophos Central
I will be using a testing Gmail address for this demonstration.
Check the mailbox we sent the email to.
To confirm the email was relayed through Central, in Gmail click the … (3 dots) within the message and click Show Original. You should find the following line, which confirms the email was sent through Central Email:
Received: from mail.delivery-11-us-west-2.prod.hydra.sophos.com (mail.delivery-11-us-west-2.prod.hydra.sophos.com. [126.96.36.199])
Sophos Central Email should also show the email; you can check under Email Gateway >> Logs & Reports >> Email Security Logs
Note: If you send email from a Mailbox not added in Sophos Central, you will receive a “Mail Delivery System bounce message” in the sender mailbox. This is because Central only relays/accepts outbound emails from Mailboxes added in Sophos Central.
a) Localize the MX records for your Sophos Central Email Gateway region
Email Gateway >> Configure >> Settings >> Domain Settings / Status >> Configure External Dependencies >> Inbound Settings
You MUST confirm and use the Email Gateway MX records for your region; if you use MX records for a different region, your email traffic won’t work.
b) Go to your DNS provider to change your MX records to point to Sophos Central.
Note: Only keep Sophos Central MX Records; if you keep additional MX records, some email might not flow through your Central Email Gateway, exposing you to threats, spam, etc.
You can confirm whether your MX records have been updated by entering your domain on the following website: https://mxtoolbox.com/. If your MX records have propagated, you should see the following:
You can get this information using a Command Prompt
To test Inbound Email Flow, we used the Test Gmail account address we used previously.
Once sent, in Central Email you should see an entry for this email under:
Email Gateway >> Logs & Reports >> Message History
Note: Central might have a slight delay showing the email in the GUI even after it has been delivered; this is normal.
Open Outlook and you should see the email in the mailbox (the banner you’re seeing is related to the feature called Impersonation Protection; you can find more information about it in the following link).
To double-confirm the email went through Sophos Central, open the email in Outlook and click Show Message Details; you should see the following entry:
Received: from ip-172-17-100-231.us-west-2.compute.internal (ip-172-17-100-231.us-west-2.compute.internal [127.0.0.1]) by outbound-50-112-39-248-us-west-2.prod.hydra.sophos.com (Postfix) with ESMTP id 4DrW9X2M5kzvPrl
If you don’t see this in the email, or Central hasn’t shown the email, the email didn’t pass through Central. This can be for many reasons: your MX records have not propagated, the sender has a stale entry for your MX records, or you have additional MX records.
Now that email flow is working, you can add one more layer of security to your email flow by restricting the delivery IPs to only Sophos Central, at your Firewall and/or Exchange level.
To know what IPs Central will be using to deliver email, go to Email Gateway >> Configure >> Settings >> Domain Settings/ Status >> Inbound Settings
If we check the details of the received email, we can see one of the IPs being used to send the email to our organization:
Received: from outbound-50-112-39-248-us-west-2.prod.hydra.sophos.com ([188.8.131.52]:30802)
To restrict access to these IPs directly on Exchange, go to:
Exchange Admin Center >> Mail Flow >> Receive Connectors >> Client FrontEnd YourMailServerName >> On the Security tab you can leave all the defaults selected
Scoping >> Remote Network Settings >> + >> Add your assigned Sophos Central IPs and, depending on your Firewall configuration, the Firewall’s internal IP (in case your DNAT rule is masquerading the sender IP).
Note: If your mail flow is more complex, please modify with caution.
To add an extra layer of protection, you can also restrict on your Firewall/Router so that only Sophos Central IPs can connect to Port 25 (by default) or any custom port you might use; this blocks any direct Telnet attempt on Port 25 to your Firewall from any IP other than Central.
At this point, you should have inbound and outbound email flow working.
Note: Only the mailboxes added in Sophos Central are allowed to send and receive email; remember to add all the mailboxes that will be receiving and sending email, and their Aliases. Failing to do this will cause emails not to be delivered.
Now that Central Email will be delivering your email, you need to update your SPF record to reflect this change in your email flow. The SPF record used by Central is v=spf1 include:_spf.prod.hydra.sophos.com
We need to add this to your DNS provider as a TXT record; here is an example of how the SPF record should look:
Type = TXT Record
Host = @
Value = v=spf1 include:_spf.prod.hydra.sophos.com -all
Note: This SPF record only marks Central Email as the allowed sender for your domain; if you have additional ways of sending email outbound from your domain, you need to add them to your SPF record, for example, another Public IP that doesn’t route email via Central Email:
v=spf1 ip4:184.108.40.206 include:_spf.prod.hydra.sophos.com -all
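An added example (not from the original post) that checks an SPF TXT value the way this section expects it: it must start with v=spf1, include _spf.prod.hydra.sophos.com, end with -all, and any extra ip4/ip6 sender must be a valid address. It also counts the DNS-lookup terms against the RFC 7208 limit of 10, which matters once more include: entries are added. The sample values are constructed; the second one is the form shown above.

```python
import ipaddress

SOPHOS_INCLUDE = "include:_spf.prod.hydra.sophos.com"  # the include from this guide
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208: at most 10 DNS-querying terms per SPF check


def check_spf(record):
    """Return a list of problems in an SPF TXT value (empty = looks right).
    Only the record text is inspected; nested includes are not resolved, so
    the lookup count is a lower bound."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    if record.lower().count("v=spf1") > 1:
        problems.append("two SPF records merged into one; a domain may have only one")
    # strip the optional qualifier (+ - ~ ?) so "-all" and "all" compare equal
    mechs = [t.lstrip("+-~?") for t in terms[1:]]
    if SOPHOS_INCLUDE not in mechs:
        problems.append(f"missing {SOPHOS_INCLUDE}")
    if terms[-1].lower() not in ("-all", "~all"):
        problems.append("record should end with -all (or ~all while testing)")
    lookups = 0
    for mech in mechs:
        name = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in ("ip4", "ip6"):
            try:  # every extra sender must be a valid address or CIDR block
                ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            except (ValueError, IndexError):
                problems.append(f"bad address in {mech}")
        elif name in LOOKUP_MECHS:
            lookups += 1
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: Central only, Central plus another public IP
    # (as in the guide), a record that forgot the include, and one without -all
    for value in (
        "v=spf1 include:_spf.prod.hydra.sophos.com -all",
        "v=spf1 ip4:184.108.40.206 include:_spf.prod.hydra.sophos.com -all",
        "v=spf1 ip4:184.108.40.206 -all",
        "v=spf1 include:_spf.prod.hydra.sophos.com",
    ):
        print(value, "->", check_spf(value) or "OK")
```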
DKIM allows you to sign and authenticate your outbound emails. The DKIM signature has to be added at the last relay, right before the email goes out.
To add a DKIM Key go to Email Gateway >> Settings >> Domain Settings/Status >> select the domain you want to add a DKIM for >> DKIM Keys >> Add Key
After clicking Add, wait for a moment and the DKIM key will be updated.
Go to your DNS provider, in this case, NameCheap and add as a TXT record:
Type = TXT Record
Host = sophosee16d5355e9e475eaa6087a7dc690c24._domainkey
Value = v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo8Ohk391xrVFhr70wifftbVLd7IsfJtzOs9Rc0It3gggshJKR/JzvRg1oQAZhHYPVATeTNDoVR7WN8m8cLRbPpWBlSTxRdTISRbaL663PpQBA5pjnkl0EfCcEtGtrL9IgwyjkdUxL6gbcddEzcSvi+t+kijZy2xR0j9NiCrYPsukGvIsZ3dpmuAcpsaGaBqnPEkUc/3dWXfucSA3+MO7qctz7p0PwT0OMz1bCTS1TGEbiV7Uy1liBXvG9WE41Exl5aECM2zvsmp+iEGyXrDkIVM/2xm80Z+hWKI3W/0RUVw9nNVx250riQbqHZCj/zU8y0iGuSW5XLAmgZz4edR+twIDAQAB
TTL = 5 min
Note: Notice that the Value is a single line, and it contains a space after each ";".
Wait between 5 minutes and 1 hour for the DNS records to replicate, then click: Test Record
After the test passes select: "Activate this Key" so your outbound email starts being signed.
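As an added example (not part of the original post), this Python check validates the DKIM TXT record before you click Test Record: the Host must be selector._domainkey, the Value must be a single line, and p= must be base64 that decodes to a DER public key (a value truncated or folded by a DNS editor is the usual reason the test fails). The selector is the one shown above; the p= value is a placeholder holding only the first 44 characters of a real key.

```python
import base64

# From this guide: the selector is the part of the Host before ._domainkey
SELECTOR = "sophosee16d5355e9e475eaa6087a7dc690c24"
SAMPLE_HOST = SELECTOR + "._domainkey"
# PLACEHOLDER public key: only the first 44 characters of a real p= value,
# which is the standard DER prefix of a 2048-bit RSA SubjectPublicKeyInfo.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"


def parse_dkim_record(value):
    """Split 'tag=value; tag=value' into a dict. Whitespace around ';' is
    allowed by RFC 6376, so the space after ';' in the guide is fine; any
    whitespace inside a value (a folded p= string) is removed."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        key, val = part.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def check_dkim_record(host, value, selector):
    """Return a list of problems with the TXT record (empty = looks right)."""
    problems = []
    if host != f"{selector}._domainkey":
        problems.append(f"host must be {selector}._domainkey")
    if "\n" in value or "\r" in value:
        problems.append("value must be a single line")
    tags = parse_dkim_record(value)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, DKIM1 if present
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") != "rsa":      # the key from this guide is RSA
        problems.append("k must be rsa")
    try:  # p= must be non-empty base64 that decodes to a DER SEQUENCE (0x30)
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        der = b""
    if not der:
        problems.append("p= is empty or not valid base64 (truncated on paste?)")
    elif der[0] != 0x30:
        problems.append("p= does not decode to a DER public key")
    return problems


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_HOST, SAMPLE_VALUE, SELECTOR) or "record OK")
```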