Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.
Since I am running v18 I thought I would ask this MTA/Email scanning question here as the documentation still seems to be catching up.
I have been experimenting with using MTA mode by explicitly pointing any internal mail servers to it. Very much a traditional approach, and works well
However what I did pick up in my testing is when I enable MTA mode and the auto Firewall rule is created it has the SCAN SMTP and SMTPs boxes checked. This has the effect that the XG firewall hijacks (transparently) any SMTP connection and then directly sends outbound (bypassing internal server). Assume this is by design, but my preference is for all SMTP outbound traffic to go through an Internal SMTP server first (authenticated), then pass (relay) to the XG. Which I then assume does any Malware and Spam scanning
My understanding from reading through community and official docs is these check boxes are only used for transparent email scanning and not MTA mode. Is this some sort of hybrid mode, or is it to ensure any connection that initiates on the mail ports (25) is captured by XG. Obviously, this is not for authenticated users and it doesn’t transparently pass email to the internal SMTP server, it directly sends out.
Are these check boxes necessary, is it for transparent proxy? I just find the auto firewall rule weird and isn’t even required for MTA mode. Unless I’m missing an obvious application or setup best practice.
This isn’t an issues, just that I found a lot of it non trivial and the documentation lacking detail. My setup might be unique, but I suspect this hijacking on port 25 (by selecting the scan SMTP or SMTPS in firewall rule) will break and confuse I few network admins.
Actually you are correct. This rule is not needed for a MTA Setup.
It will open a Transparent MTA Proxy, so scanning all Mails going through XG port 25.
There for the explanation of this rule is: Please adjust this to your Firewall setup.
It is a simple helper to get "every setup running" in the first place.
There was a use case of this rule in V17 to chose the outgoing WAN interface / alias in case of multiple addresses.
This is gone for V18, because now you can select a SD-WAN PBR or a NAT rule.
XG will work perfectly fine as a MTA "Proxy", if you delete this rule and activate the MTA in Device access.
So your Server and WAN Servers can communicate with the XG Interface Port 25 to deliver mails.
__________________________________________________________________________________________________________________
It proved to be more of a confusion than a helper in my case , mostly because I didn’t expect proxy like behaviour when I changed to MTA mode.
Slowly getting my head around it.
Thanks for your response and help in clarification
https://community.sophos.com/products/xg-firewall/f/recommended-reads/122602/how-to-setup-mta-mode-when-you-have-multiple-wan-ports-or-alias-ip-addresses