Sophos Firewall: How to setup MTA mode when you have multiple WAN ports or alias IP addresses

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


When using MTA mode for email delivery with multiple WAN interfaces or public IP addresses, you must create an outbound rule so that mail is forwarded through one specific interface or IP address.

Depending on your WAN and alias IP configuration, you must do the following:

  • If you have a single WAN interface with multiple alias IP addresses, configure a NAT rule for SMTP with the specific public IP address from which traffic will be sent.
  • If you have multiple WAN interfaces and no alias IP addresses, configure an SD-WAN rule for SMTP with the destination ANY.
  • If you have multiple WAN interfaces and multiple alias IP addresses, configure both the NAT and the SD-WAN rules.
  • In all scenarios, change the route precedence to Static, VPN, and SD-WAN.

To configure these options, do as follows:

Create a NAT rule for SMTP with the specific IP address traffic will be sent from

  1. Go to Rules and policies > NAT rules. Select IPv4 or IPv6 and then select Add NAT rule.
  2. The rule is turned on by default.
  3. Enter the rule details:

     • Rule name: Enter a name.
     • Rule group: Select a rule group or create one. The firewall rule will belong to this group. If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.

  4. Specify the translation settings for source, destination, services, and interfaces to match traffic:

     • Original source: Specify ANY.
     • Translated source (SNAT): Specify MASQ.
     • Original destination: Specify ANY.
     • Translated destination (DNAT): Select Original.
     • Original service: Select SMTP.
     • Translated service (PAT): Select Original.
     • Inbound interface: Select Any.
     • Outbound interface: Select the WAN interface or alias IP address from which traffic specified in this rule exits Sophos Firewall.

  5. Optional: Select Create loopback rule to allow internal hosts to access other internal hosts, for example, servers.
  6. Optional: Select Create a reflexive rule to create a mirror rule that reverses the matching criteria of the rule from which it’s created.

Note: You can create loopback and reflexive rules for destination NAT rules. They’re created using the original NAT rule ID and name. Changing the original NAT rule settings later doesn’t change loopback and reflexive rule settings.

  7. Click Save.

The following screenshot shows an example of the NAT rule.


Create an SD-WAN rule with Destination ANY and Service SMTP

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Enter a name.
  3. Select the traffic selector settings:

     • Incoming interface: Select ANY. Deleting the interface also deletes the policy route.
     • DSCP marking: Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value.
          Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for real-time services.
          Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assign packets a higher priority than best-effort.
          Class selector (CS): Backward compatibility with network devices that use IP precedence in the type of service.
     • Source networks: Select ANY.
     • Destination networks: Select "Internet IPv4 group".
     • Services: Select SMTP.
     • Application object: Leave blank.
     • Users or groups: Select ANY.

  4. Specify the routing settings:

     • Primary gateway: Select the primary gateway to route traffic. If you delete the selected gateway, Sophos Firewall will delete the policy route and implement the WAN link load balance to route traffic. Sophos Firewall routes traffic through the backup gateway if the primary gateway goes down. When the primary gateway comes back up, Sophos Firewall routes traffic through it.
     • Backup gateway: If you've configured more than one gateway, select the backup gateway. If you delete the selected gateway, Sophos Firewall sets the backup gateway to None.
     • Override gateway monitoring decision: Select if you want to route traffic through the selected gateway, even if the gateway is down.

  5. Click Save.

The following screenshot shows an example SD-WAN policy route.


Enable SD-WAN policy routing for system-generated traffic

Mail relayed by the MTA is generated by the firewall itself, so the SD-WAN policy route only applies to it after system-generated traffic is enabled:

  1. Sign in to the Sophos Firewall command line console as admin.
  2. Select option 4. Device Console.
  3. Type the following command:
  • set routing sd-wan-policy-route system-generate-traffic enable

Change the route precedence to Static - VPN - SD-WAN

  1. Sign in to the Sophos Firewall command line console as admin.
  2. Select option 4. Device Console.
  3. Type the following command and press Enter: system route_precedence set static vpn sdwan_policyroute
  4. Confirm the change using the following command: system route_precedence show
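The following is an added illustration for this guide, not Sophos Firewall code: a deliberately simplified Python model of the egress decision the four procedures above configure (the SD-WAN SMTP policy route with primary/backup gateway and the override option, the system-generated-traffic flag, the route precedence order, and MASQ picking the outbound interface's address). Interface names, gateway objects and the documentation-range addresses are constructed for the sample; field names mirror the GUI labels but the evaluation logic is an approximation, not the firewall's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMTP = 25
@dataclass
class Gateway:
    interface: str   # WAN port or alias IP the gateway is reached through
    masq_ip: str     # address MASQ uses for traffic leaving via that interface
    up: bool = True  # result of gateway monitoring

@dataclass
class SdwanPolicyRoute:
    service_port: int
    primary: Gateway
    backup: "Gateway | None" = None
    override_monitoring: bool = False  # "Override gateway monitoring decision"
    def pick_gateway(self):
        if self.primary.up or self.override_monitoring:
            return self.primary
        if self.backup is not None and self.backup.up:
            return self.backup
        return None  # both down: fall through to the load-balanced default
def resolve_egress(dst, dport, *, precedence, static_routes, sdwan_routes,
                   default_gw, system_generated, system_traffic_enabled):
    dst_ip = ip_address(dst)
    for stage in precedence:  # e.g. ("static", "vpn", "sdwan_policyroute")
        if stage == "static":
            for net, gw in static_routes:
                if dst_ip in ip_network(net):
                    return gw.interface, gw.masq_ip
        elif stage == "sdwan_policyroute":
            # MTA mail originates on the firewall; without the CLI flag the policy route never sees it
            if system_generated and not system_traffic_enabled:
                continue
            for route in sdwan_routes:
                gw = route.pick_gateway() if route.service_port == dport else None
                if gw is not None:
                    return gw.interface, gw.masq_ip
    return default_gw.interface, default_gw.masq_ip  # WAN link load balance fallback
def demo():
    # Constructed sample topology: two WAN ports with documentation-range addresses.
    wan1, wan2 = Gateway("Port2", "198.51.100.10"), Gateway("Port3", "203.0.113.10")
    common = dict(precedence=("static", "vpn", "sdwan_policyroute"), static_routes=[],
                  sdwan_routes=[SdwanPolicyRoute(SMTP, primary=wan2, backup=wan1)],
                  default_gw=wan1, system_generated=True)
    before = resolve_egress("192.0.2.25", SMTP, system_traffic_enabled=False, **common)
    after = resolve_egress("192.0.2.25", SMTP, system_traffic_enabled=True, **common)
    wan2.up = False  # gateway monitoring reports the primary down
    failover = resolve_egress("192.0.2.25", SMTP, system_traffic_enabled=True, **common)
    return before, after, failover
```

Running demo() shows the three states a practitioner checks in turn: before the CLI flag, SMTP leaves by the default WAN regardless of the policy route; after it, mail exits Port3 with that interface's address; with the primary down, it fails over to the backup.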



[edited by: emmosophos at 1:02 AM (GMT -8) on 15 Nov 2023]
  • In the case that I have two email servers in my LAN: servmail1 with IP 10.53.21.1 and servmail2 with IP 10.53.21.2.

    I have one WAN interface with multiple alias IP addresses.

    I receive emails from public IP 88.23.24.163 to servmail1.

    I receive emails from public IP 88.23.24.164 to servmail2.

    I have Sophos XG 18 in MTA mode.

    I have two policies to scan and route emails to each email server, and it works.

    Both servers are allowed for relay in Sophos XG MTA.

    servmail1 and servmail2 send emails to Sophos XG as smarthost, so Sophos XG delivers these emails to the internet.

    How do I define that emails that come from servmail1 to the internet (via Sophos MTA relay) are sent from IP 88.23.24.163, and emails from servmail2 are sent from 88.23.24.164?

  • Hello Jose,

    do you get an idea how to solve the problem?

    Best regards
