
Sophos Firewall and Office365 via MTA - was Hybrid, now Online only

Hello all,

we are using our Sophos XGS-Firewall as an SMTP proxy with MTA. We have an Exchange Hybrid environment. The mail flow right now is as follows:

OUTBOUND: Exchange Online -> The internet

INBOUND: The Internet -> XGS -> Exchange OnPrem -> Exchange Online (via connector)

As you can see we increase the security (with the firewall) of our mail flow when we receive mails. We don't need extra outbound security.

We now plan to shut down the last Exchange server (all mailboxes will be in O365). Therefore we need to reconfigure the MTA settings on the Sophos Firewall. For this we found this article. BUT here I have a couple of questions:

  1. The article says to add the O365-IPs to Host-based relay. This is something we wouldn't need to do as we do not need to reconfigure the outbound mail flow. Am I correct?
  2. In the SMTP route and scan policy the article wants us to select "Route by" and then add the MX record via DNS name. Which MX record? The one we currently use? But this is already pointing to the IP of the firewall. How do I know what to put in here? Can I deduce that record from other domains on Office365? Is it always "<domain-tld>.mail.protection.outlook.com"?
  3. As the last step the article describes how to add a new connector to Office 365. But this connector is "from Office to partner organization". That is outbound - but I need it the other way around. Why isn't this described in the article? Am I missing something?

Here are our current SMTP policy settings.

Does anybody else have some experience with decommissioning the last Exchange on-premises server and completely switching to O365? And how to set up the Sophos firewall in that case?

OR: is it better to simply disable the SMTP proxy in the firewall (and save on license costs) and directly route to O365?

Thanks for any tips and hints!

  Markus



Edited TAGs
[edited by: Erick Jan at 2:44 PM (GMT -7) on 25 Sep 2024]