

Email protection with Exchange hybrid

Hi,

We migrated one month ago from Sophos UTM to Sophos XGS. We also migrated the email protection settings successfully, with one exception.

With the old UTM we routed emails from Exchange Online directly to our internal Exchange Server. Now with the XGS this is not possible. We use the firewall as mail transfer agent, therefore we must configure the Exchange Online servers as relay. But we don't want to. We want to route all emails from Exchange Online directly to our internal email server. I made and tried some NAT rules, no chance. Email protection seems to overrule all other rules.

Some hints or solutions? Thanks for your patience!



  • The email protection on SFOS works like the Email Protection on UTM - So not sure why it would stop working here? 

    But often the "Scan SMTP firewall rule" causes this behavior. Check your firewall rules, there is an "ANY to ANY SMTP" rule. You should adapt this and exclude your Exchange server. 


  • Thanks for your quick reply. I am not sure if I understand. Outbound emails are working if we use our Exchange Server as, e.g., relay for our internal scanner and servers. The problem is incoming emails from Exchange Online. They are not routed to our internal Exchange server. Should we create an email rule that excludes incoming emails from Exchange Online from spam checks?

  • How did you configure that on UTM? This should be applicable on SFOS as well. 


  • There was no special configuration. All incoming emails for our domain should be forwarded to our internal Exchange Server. We made the same rule as in UTM.

    This works perfectly for external email, but not for emails from Exchange Online. Now we must use SFOS as relay for emails from Exchange Online. This works. But we need the internal routing because of signature tools etc.

  • The message with incoming emails from Exchange Online is: "Relay not permitted". But that's the point, we don't want to relay, we want to route these emails to the internal Exchange Server.

  • So you should configure the Email Domain inbound as well. Actually the SMTP profiling / relay is the same on UTM vs SFOS. 

    Inbound Emails can be configured based on the Domain and then routed to the Exchange. 


  • Thanks for your patience.

    That's what we did. We copied our configuration from UTM to SFOS. We created a policy for our domain with a rule for a static host (our internal exchange server). And this works for external emails from customers quite well but does not work for Exchange Online.

    There is one difference in SFOS. In UTM we configured in this rule not just the domain but the host. Now we can only configure "domain.com", but before we also had an entry for "mailhost.domain.com" for this static route!?

    The question is, why does SFOS route external emails to our internal mail server but not emails from our Exchange Online? It seems like these emails are not recognized as targeted at our domain!?

  • In Exchange Online we configured "mailhost.ourdomain.com" as smarthost. I think this is the problem: that we can't use the mailhost as target any more but only the domain.

  • Let me rephrase what both systems do: 

    You have the relay approach, where you can give one host the permission to send whatever they want to whoever they want. For example, you can say the Exchange on prem can send from your domain to sophos.com. That is the relay section in UTM/SFOS. 

    You have the Profile approach. Where you can say "i am the owner of this domain". For example you can say: test.com is my domain, so whoever sends an SMTP 25 communication to this domain, SFOS/UTM will accept this and send it to the mailserver you configured.

    As you get "relay not permitted", SFOS considers the Email as a "Relay" email and not a profile email. 

    So to speak: 

    This is the same as: 

    And SFOS will accept the emails based on "protected domains" like it did on UTM as "Domains". 


  • Yes, OK, I see. That's how we use it. But what am I missing then? It worked for years on UTM, where is the problem then!?

  • Do you still have access to the UTM? Can you copy paste both settings? 


  • I need to turn it on in the office next tuesday. Do I need valid licenses for this?

    I think the problem is that the target of our emails from Exchange Online is not our domain but external domains. That's why SFOS refuses to route the emails. But I don't know how we solved that in UTM or if we did anything at all. Thanks!

  • Why does your Exchange online send such emails to your firewall? 
    That sounds like a faulty config in M365. 


  • No, this is an Exchange Hybrid configuration. Exchange Online holds the mailboxes and Exchange On Prem works as mail hub and handles the traffic. This is a very common configuration.

    The question is, how can we bypass email protection for traffic from Exchange Online? And why did it work perfectly with UTM but not with SFOS!?

    Maybe I am missing something, but when we migrated we checked both sides (UTM and SFOS) with a whole team. We recognized that it did not work with SFOS and turned relay for Exchange Online on. But now we have some time to find out what the problem is and we want to get back our comfort with the internal Exchange Server.

  • Again: you did something different on UTM compared to SFOS, because the way both systems work is the same. 

    It might be something like you had a DNAT from M365 to the Exchange that bypassed UTM mail protection. 

    Because both systems work with Exim and the same approaches. 


  • This was the right hint. We made NAT and firewall rules, but it only works with DNAT. I was confused because it's only available through an assisted menu. Thanks!!!!!
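The two acceptance paths explained earlier in the thread (a "relay" host that may send anywhere versus a "profile"/protected domain that the MTA owns and routes to an internal server), and the DNAT bypass that resolved the problem, can be modelled in a few lines. The following is an added illustration written for this page, not Sophos or Exim code; the Exchange Online egress network, the customer MTA, the internal Exchange address and the domain are all constructed values from the RFC 5737 documentation ranges. It shows why the hybrid mail flow gets "relay not permitted" (recipient is a foreign domain, source is not a relay host), why adding Exchange Online as a relay "works", and why a DNAT matched on the Exchange Online source never reaches the email-protection MTA at all.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for this example (RFC 5737 documentation ranges, fake domain).
INTERNAL_EXCHANGE = "10.0.0.25"          # on-prem Exchange hub the poster wants mail routed to
PROTECTED_DOMAIN = "ourdomain.example"   # the domain the firewall "owns" (profile path)
EXO_EGRESS = "198.51.100.0/24"           # stands in for Exchange Online outbound servers
CUSTOMER_MTA = "192.0.2.77"              # some arbitrary external sender


@dataclass
class SmtpPolicy:
    """The email-protection MTA's decision for one RCPT TO (relay vs. protected domain)."""
    protected_domains: dict                              # recipient domain -> internal next hop
    relay_networks: list = field(default_factory=list)   # networks allowed to send to any domain

    def decide(self, src_ip: str, rcpt: str):
        src = ipaddress.ip_address(src_ip)
        domain = rcpt.rpartition("@")[2].lower()
        # Profile path: the recipient domain is ours, deliver to the configured host.
        if domain in self.protected_domains:
            return ("accept", self.protected_domains[domain])
        # Relay path: only explicitly trusted source networks may send to foreign domains.
        if any(src in ipaddress.ip_network(net) for net in self.relay_networks):
            return ("relay", domain)
        return ("reject", "relay not permitted")


@dataclass
class Firewall:
    """Packet path in front of the MTA: DNAT is evaluated before the SMTP proxy."""
    policy: SmtpPolicy
    dnat_rules: dict = field(default_factory=dict)   # source network -> internal target

    def handle_smtp(self, src_ip: str, rcpt: str):
        src = ipaddress.ip_address(src_ip)
        for net, target in self.dnat_rules.items():
            if src in ipaddress.ip_network(net):
                # Forwarded straight to the target; the email-protection MTA never sees it.
                return ("dnat", target)
        return self.policy.decide(src_ip, rcpt)


def base_policy() -> SmtpPolicy:
    return SmtpPolicy(protected_domains={PROTECTED_DOMAIN: INTERNAL_EXCHANGE})


def customer_mail():
    """External sender to our domain: accepted via the protected-domain profile."""
    return Firewall(base_policy()).handle_smtp(CUSTOMER_MTA, "user@ourdomain.example")


def exo_without_relay():
    """Hybrid flow: Exchange Online sends to a foreign domain through the firewall."""
    return Firewall(base_policy()).handle_smtp("198.51.100.20", "partner@example.org")


def exo_as_relay():
    """The workaround the poster did not want: Exchange Online listed as a relay host."""
    policy = base_policy()
    policy.relay_networks.append(EXO_EGRESS)
    return Firewall(policy).handle_smtp("198.51.100.20", "partner@example.org")


def exo_with_dnat():
    """The fix from the thread: DNAT from the Exchange Online source straight to on-prem Exchange."""
    fw = Firewall(base_policy(), dnat_rules={EXO_EGRESS: INTERNAL_EXCHANGE})
    return fw.handle_smtp("198.51.100.20", "partner@example.org")


if __name__ == "__main__":
    for scenario in (customer_mail, exo_without_relay, exo_as_relay, exo_with_dnat):
        print(f"{scenario.__name__:20s} -> {scenario()}")
```

The practical caveat the model makes visible: the DNAT path skips the firewall's anti-spam and malware scanning entirely, so it should be restricted to the Exchange Online source addresses (and, in practice, to connections that authenticate via the hybrid connector's TLS certificate on the Exchange side), not to any source on port 25.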