Hi All, I have always been skeptical about the setting of outbound MTA mode. https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailSPXFinancialData/index.html#add-an-smtp-route-and-scan-policy
In the encrypt outbound setting, the configuration manual instructs us to point the routing to the internal mail server.
But the outbound mails were received from the internal mail server. The configuration manual instructs us to route outbound mails back to the internal mail server? Wouldn't this cause an infinite loop?
I think the routing method should be changed to MX record for the outbound domain.
Hi Shunze Lee, Thank you for reaching out to the Sophos community team. The settings which you have pointed out with the "Route by" option are for inbound emails. https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigureEmailProtectionMTA/index.html#allow-and-protect-inbound-emails For Outbound emails, you are going to configure the SMTP relay on the respective zone under Administration > Device Access by defining "Relay settings" and by selecting the mail servers in the Allow relay from hosts/networks option. https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigureEmailProtectionMTA/index.html#allow-outbound-emails https://support.sophos.com/support/s/article/KB-000038662?language=en_US#Example-2:-How-to-configure-very-basic-MTA-mode-to-also-forward-outbound-emails
Regards, Vishal Ranpariya, Technical Account Manager | Sophos Technical Support
And the outbound "Data protection" option can only be used after creating "smtp route & scan".
If "smtp route & scan" is created, the "route by" option must be chosen.
Which one should we choose after enabling "smtp route & scan" for outbound encryption?
Hi Shunze Lee, For Outbound, once you enable the below settings under the "General Settings" tab, it will add a pre-defined global profile [PROFILE 0 "global"] in the policy.conf file of SMTP, which is not available to edit/add/modify via GUI. (Maybe) due to that, Data protection is given inside the "SMTP policy" to manage (on/off), though the option is only applicable to outbound emails.
I don't think so. In the outbound email encrypt settings we help customers build, we need to enable "smtp route & scan", and then check the encryption method we want to use. In this case, "route by MX" must be selected.
Then the encrypted mail can be sent to other domains' mail servers in the world.
And my real question is as below. The inbound setting needs to set the "route by" to the internal mail server host; and the outbound encrypt setting needs to set the "route by" to MX to route mail to internet mail servers.
But it is one domain, one policy in the "smtp route & scan" setting. Can inbound and outbound be used for the same domain at the same time?
Or I can ask you, does the protected domain in "smtp route & scan" policy refer to the source or the destination domain in the mail flow?
I think the protected domain in the "smtp route & scan" setting should refer to the destination domain. In this way, when the policy detects that the destination domain of the incoming mail matches, it can be routed to the internal mail server by the "route by" setting.
But when setting up outbound mail encryption, all we can do is create a "smtp route & scan" policy and enable email encryption in this policy. Then the protected domain has to refer to the source domain for encryption. But in this way, the definition of the protected domain conflicts with the inbound one just now!