
Relay Email Traffic from Sophos XG to Exchange Online

Good evening everyone,

I am wondering if something like this is possible with the Sophos XG Firewall.

We are hoping to have a scenario like the following.

MX Record is pointing to IP of Sophos > Sophos XG performs email scanning and protection > email then is forwarded or relayed to Exchange Online.

Biggest reason for wanting to do so is that the current Exchange Online license E3 only provides basic email protection and we already pay for Sophos XG, which has better protection regarding spam and a number of other nice features. I understand that we could bypass Sophos XG and go directly to EO, but the costs for the advanced email protection are not warranted.

Is the above possible or am I SOL and should go the better Office 365 license route?



This thread was automatically locked due to age.
  • Hello Brad,

    Thank you for contacting the Sophos Community.

    Yes, this is possible to achieve; however, your XG is prone to being an open relay, so this configuration is not recommended.

    You need to do two things:

    1. Create in the XG an IP Host for each one of the subnets mentioned in this article; once you have created the IP Hosts, just add them under the Host-Based Relay.

    2. Under SMTP Route & Scan, select Route By = Static Host, and create and select the IP addresses used by your Office 365 MX records. (This can also be found by issuing the command nslookup -q=MX <domain> in the command prompt of a workstation.)

    Then configure your Exchange rule online accordingly to Route Email through these smart hosts and enter your Sophos XG Public IP.

    This configuration might cause an open relay security issue, I would recommend you to reach out to your Sales Engineer, if you still decide to go with this configuration.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • I don't want to send emails from Exchange Online through the Sophos Firewall.

    I've described what I wanted in the post. Emails come in to public IP of Sophos Firewall > they get scanned and processed by the Firewall > then forwarded to Exchange Online. What you are describing I don't think is what I need.

  • Hello Brad,

    Thank you for the feedback.

    Sorry, it looks like my answer got mixed up while I was editing it.

    For the XG to relay inbound email to your O365, you just need to change the MX record to point to the FQDN of your Sophos XG Firewall and, in the XG for the SMTP policy, create a Host IP with the Public IP of your O365 MX record (you can get this by entering your domain in MX Toolbox; after you get the IP, update your MX record to point to the FQDN of the XG).

    That 104.47.60.36 is the one you would enter in the Domains and routing target. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thank you, I will have to test this out on some downtime to see. From what it looks like this is not really supported fully and could create security risks so it may be best to not do it.
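
Added example, not part of the thread and not Sophos XG code: a simplified Python model of how an SMTP gateway chooses between accepting inbound mail and relaying. It shows that the inbound-only flow needs no Host-Based Relay entry, and that trusting an address range shared with a mail provider's other customers is what opens relaying. All names, domains and documentation-range addresses are constructed assumptions.

```python
"""Simplified relay-decision model for an SMTP gateway (illustrative only)."""
from ipaddress import ip_address, ip_network

# Constructed sample values: documentation IP ranges and example domains.
PROTECTED_DOMAINS = {"example.com"}                 # domains accepted for inbound scanning
OWN_MAIL_SERVER = ip_network("192.0.2.10/32")       # stands in for a server only you control
SHARED_CLOUD_RANGE = ip_network("198.51.100.0/24")  # stands in for a range shared by many tenants


def relay_decision(client_ip, rcpt_to, relay_hosts):
    """Return 'inbound', 'relay' or 'reject' for one RCPT TO."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return "inbound"   # scanned, then routed to the static host
    if any(ip_address(client_ip) in net for net in relay_hosts):
        return "relay"     # trusted source: delivered to any external domain
    return "reject"        # untrusted source, foreign domain: relaying denied


def audit(relay_hosts, probes):
    """List the probes that would be relayed to a non-protected domain."""
    return [(ip, rcpt) for ip, rcpt in probes
            if relay_decision(ip, rcpt, relay_hosts) == "relay"]


# Constructed probes: (connecting IP, recipient address)
PROBES = [
    ("203.0.113.7", "user@example.com"),     # internet sender to your domain
    ("203.0.113.7", "other@example.net"),    # internet sender to a foreign domain
    ("192.0.2.10", "partner@example.net"),   # your own server to a foreign domain
    ("198.51.100.77", "other@example.net"),  # another tenant in the shared range
]

if __name__ == "__main__":
    configs = [
        ("inbound only", []),
        ("own server trusted", [OWN_MAIL_SERVER]),
        ("shared range trusted", [OWN_MAIL_SERVER, SHARED_CLOUD_RANGE]),
    ]
    for name, hosts in configs:
        print(f"{name}: relayed -> {audit(hosts, PROBES)}")
```

Any entry in the audit output whose source address you do not control is a relay path that should be closed or narrowed before the MX record is moved.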