
Email protection with Exchange hybrid

Hi,

We migrated one month ago from Sophos UTM to Sophos XGS. We also migrated the email protection settings successfully, with one exception.

With the old UTM we routed emails from Exchange Online directly to our internal Exchange Server. Now with the XGS, this is not possible. We use the firewall as mail transfer agent, therefore we must configure the Exchange Online servers as relay. But we don't want to. We want to route all emails from Exchange Online directly to our internal email server. I made and tried some NAT rules, no chance. Email protection seems to overrule all other rules.

Some hints or solutions? Thanks for your patience!



  • The email protection on SFOS works like the Email Protection on UTM - So not sure why it would stop working here? 

    But often times the "Scan SMTP firewall rule" causes this behavior. Check your firewall rules, there is an "ANY to ANY SMTP" rule. You should adapt this and exclude your Exchange server. 


  • Thanks for your quick reply. I am not sure if I understand. Outbound emails are working if we use our Exchange Server as e.g. relay for our internal scanner and servers. The problem is incoming emails from Exchange Online. They are not routed to our internal Exchange server. Should we create an email rule that excludes incoming emails from Exchange Online from spam checks?

  • How did you configure that on UTM? This should be applicable on SFOS as well. 


  • There was no special configuration. All incoming emails regarding our domain should be forwarded to our internal Exchange Server. We made the same rule as in UTM.

    This works perfectly for external email, but not for emails from Exchange Online. Now we must use SFOS as relay for emails from Exchange Online. This works. But we need the internal routing because of signature tools etc.

  • The message with incoming emails from Exchange Online is: "Relay not permitted". But that's the point, we don't want to relay, we want to route these emails to the internal Exchange Server...

  • So you should configure the Email Domain inbound as well. Actually the SMTP Profiling / Relay is the same UTM vs SFOS. 

    Inbound Emails can be configured based on the Domain and then routed to the Exchange. 


  • Thanks for your patience.

    That's what we did. We copied our configuration from UTM to SFOS. We created a policy for our domain with a rule for a static host (our internal exchange server). And this works for external emails from customers quite well but does not work for Exchange Online.

    There is one difference in SFOS. In UTM we configured in this rule not just the domain but the host. Now we can only configure "domain.com", but before we also had an entry for "mailhost.domain.com" for this static route!?

    The question is, why does SFOS route external emails to our internal mail server but not emails from our Exchange Online? It seems like these emails are not recognized as targeted at our domain!?

  • In Exchange Online we configured "mailhost.ourdomain.com" as smarthost. I think this is the problem: that we can't use the mailhost as target any more but only the domain...

  • Let me rephrase what both systems do: 

    You have the relay approach, where you can give one host the permission to send whatever they want to whoever they want. For example, you can say the Exchange on prem can send from your domain to sophos.com. That is the relay section in UTM/SFOS. 

    You have the Profile approach, where you can say "I am the owner of this domain". For example you can say: test.com is my domain, so whoever sends an SMTP 25 communication to this domain, SFOS/UTM will accept this and send it to the mailserver you configured.

    As you get "relay not permitted", SFOS considers the Email as a "Relay" email and not a profile email. 

    So to speak: 

    This is the same as: 

    And SFOS will accept the emails based on "protected domains" like it did on UTM as "Domains". 

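To make the two acceptance paths from the reply above concrete, here is a small Python model of the decision an MTA makes per envelope recipient: first "is the recipient domain one I own?" (the profile / protected-domain path, which accepts from anyone and routes inward), and only then "is the client allowed to relay?" (the relay path). Anything that matches neither gets the "Relay not permitted" rejection seen in this thread. This is an illustration written for this page, not SFOS or UTM code; the domain, the server name, the networks and the client addresses are constructed. The last test case, a recipient under a subdomain that is not in the protected list, is constructed only to show how a near-miss on the domain falls through to the relay check; the thread does not establish that this is what happens with the poster's Exchange Online connector.

```python
"""Toy model of the protected-domain vs relay decision described in the thread.

Illustration for this page, not SFOS/UTM code. All names, domains and
addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Decision:
    action: str              # "route", "relay" or "reject"
    next_hop: Optional[str]  # where the message would be handed on, if at all
    reason: str


class MtaPolicy:
    """Protected domains are checked first; relay permission only afterwards."""

    def __init__(self, protected_domains: Dict[str, str], relay_networks: List[str]):
        # domain (lower-case, exact match) -> internal mail server it is routed to
        self.protected_domains = {d.lower(): host for d, host in protected_domains.items()}
        # client networks allowed to send to any destination (the "relay" section)
        self.relay_networks = [ip_network(n) for n in relay_networks]

    def _may_relay(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in net for net in self.relay_networks)

    def decide(self, client_ip: str, rcpt: str) -> Decision:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        # Profile path: we own this domain, so accept from anyone and route inward.
        if domain in self.protected_domains:
            return Decision("route", self.protected_domains[domain],
                            f"{domain} is a protected domain")
        # Relay path: foreign destination, so the client itself must be trusted.
        if self._may_relay(client_ip):
            return Decision("relay", "mx-lookup:" + domain,
                            f"{client_ip} is an allowed relay host")
        # Neither matched: this is the rejection quoted in the thread.
        return Decision("reject", None, "Relay not permitted")


# Constructed configuration: one protected domain routed to the on-prem server,
# and only the on-prem server's network allowed to relay outbound.
POLICY = MtaPolicy(
    protected_domains={"ourdomain.com": "exchange.internal.example"},
    relay_networks=["10.0.0.0/24"],
)


def check(client_ip: str, rcpt: str) -> str:
    """Return just the action for a (client, recipient) pair."""
    return POLICY.decide(client_ip, rcpt).action


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "user@ourdomain.com"),          # external sender -> route inward
        ("10.0.0.25", "partner@example.net"),             # on-prem server -> relay out
        ("203.0.113.10", "partner@example.net"),          # stranger relaying -> reject
        ("198.51.100.7", "user@mailhost.ourdomain.com"),  # subdomain not protected -> reject
    ]
    for ip, rcpt in cases:
        d = POLICY.decide(ip, rcpt)
        print(f"{ip:>14} -> {rcpt:<30} {d.action:<6} {d.reason}")
```

The order of the two checks is the whole point: an inbound message for a protected domain never needs relay permission, which is why external customers' mail reaches the on-prem server without the sending hosts being listed anywhere. A "Relay not permitted" response therefore means the recipient domain as presented in the SMTP envelope did not match a protected domain, so the MTA fell through to the relay check and the client was not on that list either.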

  • Yes, OK, I see. That's how we use it. But what am I missing then? It worked for years on UTM, where is the problem then!?