Hi All,I have always been skeptical about the setting of outbound MTA mode.https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailSPXFinancialData/index.html#add-an-smtp-route-and-scan-policy
In the encrypt outbound setting,the configuration manual instructs us to point the routing to the internal mail server.
But the outbound mails were received from internal mail server,The configuration manual instructs us to route outbound mails back to internal mail server?Wouldn't this cause an infinite loop?
I think the routing method should be modified as MX record for outbound domain.
Hi Shunze Lee Thank you for reaching out to the Sophos community team. The settings which you have pointed out with the "Route by" option are for inbound emails.https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigureEmailProtectionMTA/index.html#allow-and-protect-inbound-emailsFor Outbound emails, you are going to configure the SMTP relay on the respective zone under Administration > Device Access by defining "Relay settings" and by selecting the mail servers in the Allow relay from hosts/networks option.https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigureEmailProtectionMTA/index.html#allow-outbound-emailshttps://support.sophos.com/support/s/article/KB-000038662?language=en_US#Example-2:-How-to-configure-very-basic-MTA-mode-to-also-forward-outbound-emails
Regards,Vishal RanpariyaTechnical Account Manager | Sophos Technical SupportSophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts | If a post solves your question use the 'This helped me' link.
But the "Route by" statement was showed in outbound email settings.
Is this correct?
And the outbound "Data protection" option only can be used after create "smtp route & scan".
If created "smtp route & scan", the "route by" option must be choosed.
Which one should we choose after enable "smtp route & scan" for outbound ecnrypt?
Hi Shunze Lee For Outbound, once you enable the below settings under the "General Settings" tab it will add a pre-define global profile [PROFILE 0 "global"] in the policy.conf file of SMTP which is not available to edit/add/modify via GUI. (Maybe) due to that Data protection is given inside the "SMTP policy" to manage (on/off) though the option is only applicable to outbound emails.
I don't think so.In the outbound email encrypt settings we help customers build, we need to enable "smtp route & scan", and then check the encryption method we want to use.In this case, "route by MX" must be selected.
Then the encrypted mail can be sent to other domain mail server in the world.
And my real question as below.The inbound setting need to set the "route by" to internal mail server host;and the outbound encrypt setting need to set the "route by" to MX to route mail to intenet mail server.
But one domain one policy in "smtp route & scan" setting.Can inbound and outbound be used for the same domain at the same time?
Or I can ask you, does the protected domain in "smtp route & scan" policy refer to the source or the destination domain in the mail flow?
I think the protected domain in "smtp route & scan" setting should be refered to the destination domain.In this way, when the policy detects that the destination domain of the incoming mail matches, it can be routed to the internal mail server by the "route by" setting.
But when setting with outbound mail encryption, all we can to do is create a "smtp route & scan" policy and enable email encrypt in this policy.Then put the protected domain refer to the source domain for encryption.But in this way, the definition of the protected domain conflicts with the Inbound just now!
I opened a case (ID: 06166848), support team give me a clear explanation finally.Regarding your query, the protected domain should always be your internal domain or the domain you want to protect. The behavior is that the firewall applies this SMTP route and scan policy both inbound and outbound. If the recipient is matched from the configured "protected domain" then it is considered an inbound mail, and inbound scanning/policy will perform. If the sender is matched from configured "protected domain" then it is considered an outbound mail then outbound scanning/policy/encryption will perform.And if both sender and recipient match, then recipient takes precedence, and inbound process/scanning will take place. The route by settings should always be pointing in your internal mail servers. This doesn't mean that all emails traverse/flows (either inbound or outbound) through the firewall will forward mails to the configured MX/ internal mail server/domain. Selecting MX, means that the firewall will perform an MX lookup on the recipient domain. Doing this, the firewall will now identify the mail if its an inbound or outbound mail, And inbound or outbound policy and scanning for the mail will now takes place. So if mails were inbound, since you are the recipient, firewall will perform MX look up and confirm the email route from the your domain/internal domain, and now will perform now inbound scanning/policy. Right after this, it will be send to your internal mail servers/domain.So if mails were outbound,, firewall will again perform MX lookup and confirm the email route to the recipient's/external domain, and now it will perform outbound scanning/policy/encryption. Then it will send the mail externally/ outside the network.
Judging from support team's statement, when both the sender and the recipient are protected domains,they will be handled in the inbound way,and cannot be done in the outbound way.I suggest that Sophos handle inbound and outbound with different policies,which will increase the stability of the settings and will not cause trouble for the administrator.