
Sophos UTM Email Protection Setup Network Design

Hi All,

I am new to Sophos UTM Email Protection and need some assistance from the experts. I have my Sophos UTM (multiple subscriptions, e.g. WAF, Email Protection, etc.) in DMZLAN; the (internal) email servers are also in DMZLAN. All network segments use another firewall as gateway.

To ensure that both incoming and outgoing emails are secured/processed by Sophos UTM Email Protection, what do I have to do on the firewall (gateway) or on the Sophos UTM (apart from configuring the Email Protection section as described in the "Basic Exchange setup with SMTP Proxy" community blog)?

So my main question is how/what traffic to redirect to the Sophos UTM, as it is not the default gateway for incoming/outgoing email traffic. Can someone please elaborate the detailed steps?

Thanks in Advance


  • You should use the Sophos UTM IP as smarthost in your mail server (so all outgoing mail flows to this IP/Sophos UTM) and allow the IP of the mail server as an allowed host for relay in the SMTP profile (relay option) of the UTM (so that the UTM will accept the mails from your mail server).

    Additionally, you have to check whether your mail server needs an additional route to the Sophos UTM if your mail server uses another gateway as default GW. (Traffic UTM <-> mail server must be possible!)

    Hint: Also check your domain's email spam settings (RDNS / SPF / MX) if your UTM should receive and send mail from/to the Internet. ( works well to check that)



  • Hello,

    At least you need to forward TCP port 25 on your other firewall/gateway to the IP of the Sophos UTM so that external mail reaches your new mail gateway. I would do this with a DNAT on the other firewall.

    This is in addition to what Steve Weißflog already said.

    The next thing is to either route all outgoing traffic to the Internet via your default gateway, or to use a smarthost at your ISP. Either way, you will have to set up a firewall rule on your existing firewall to allow that traffic.

    When this is done, you can concentrate on the mail setup at your Sophos UTM. That's where we can help you further.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

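The DNS checks that the first reply hints at (MX, reverse DNS, SPF), applied to a UTM that is reachable from the Internet only through the DNAT of TCP/25 described in the reply above. This is an added example, not code from the thread or from Sophos: the domain example.com, the public IP 198.51.100.10 and the zone records are constructed, and the `lookup` function reads them from a dictionary so the script runs offline (swap in a real resolver such as dnspython to check a live domain).

```python
"""Offline sanity check of the DNS side of a mail-gateway deployment.

Added example (not from the original thread). It models the checks the
first reply hints at (MX / reverse DNS / SPF) for a UTM that sits behind
a DNAT of TCP/25 on another firewall. DNS answers come from a constructed
dictionary so the script runs offline; replace `lookup` with real
resolver calls to check a live domain.
"""
import ipaddress

# Constructed sample zone data. Assumption: example.com is the mail domain
# and 198.51.100.10 is the firewall's public IP that is DNAT'd to the UTM.
SAMPLE_DNS = {
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("mail.example.com.", "A"): ["198.51.100.10"],
    ("10.100.51.198.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("example.com.", "TXT"): ['"v=spf1 mx ip4:198.51.100.10 -all"'],
}


def lookup(records, name, rtype):
    """Return the records for (name, rtype) from the constructed zone."""
    fqdn = name if name.endswith(".") else name + "."
    return records.get((fqdn, rtype), [])


def spf_authorizes(records, domain, ip):
    """Evaluate the SPF subset needed here: ip4/ip6, mx, a, and 'all'.

    Returns True only if a '+' qualified mechanism matches the sender IP.
    Includes/redirects are out of scope for this check.
    """
    addr = ipaddress.ip_address(ip)
    txts = [t.strip('"') for t in lookup(records, domain, "TXT")]
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or multiple SPF records is a permerror
        return False
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        match = False
        if term.startswith(("ip4:", "ip6:")):
            match = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx" or term.startswith("mx:"):
            mxdom = term[3:] if ":" in term else domain
            for mx in lookup(records, mxdom, "MX"):
                host = mx.split()[1]
                match = match or ip in lookup(records, host, "A")
        elif term == "a" or term.startswith("a:"):
            adom = term[2:] if ":" in term else domain
            match = ip in lookup(records, adom, "A")
        elif term == "all":
            match = True
        if match:
            return qualifier == "+"
    return False  # no mechanism matched: neutral, treated as not authorized


def check_inbound_path(records, domain, public_ip):
    """Verify MX -> A -> public_ip -> PTR (forward-confirmed rDNS) and SPF.

    Returns a list of findings; an empty list means the gateway's public
    IP is consistently published as the domain's mail exchanger.
    """
    findings = []
    mx_hosts = [r.split()[1] for r in lookup(records, domain, "MX")]
    if not mx_hosts:
        findings.append("no MX record: inbound mail will not reach the gateway")
    hosts_on_ip = [h for h in mx_hosts if public_ip in lookup(records, h, "A")]
    if mx_hosts and not hosts_on_ip:
        findings.append("no MX host resolves to the DNAT'd public IP")
    rev = ipaddress.ip_address(public_ip).reverse_pointer
    ptrs = lookup(records, rev, "PTR")
    if not ptrs:
        findings.append("no PTR record for the public IP")
    elif not any(p in hosts_on_ip for p in ptrs):
        findings.append("PTR does not match the MX host (FCrDNS fails)")
    if not spf_authorizes(records, domain, public_ip):
        findings.append("SPF does not authorize the public IP to send")
    return findings


if __name__ == "__main__":
    for finding in check_inbound_path(SAMPLE_DNS, "example.com", "198.51.100.10") or ["OK"]:
        print(finding)
```

The checks mirror what a receiving MTA does with the UTM's public address: the MX must point at a name that resolves to the IP the DNAT exposes, the PTR of that IP must point back to the same name, and the SPF record must list that IP (here via `mx` and an explicit `ip4:`), otherwise outbound mail from the UTM will be rejected or scored as spam regardless of how the internal routing is set up.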

  • Dear Steve,

    Thank you very much for your email. I am using Atmail version 6.5 (a bit old). I couldn't really find a smarthost IP option in the web GUI (admin console). The mail server and Sophos Email Protection are in the same LAN and reachable.

  • Thanks Philipp for your reply as well. I really appreciate your help. I will configure port forwarding of SMTP traffic to the Sophos UTM on my gateway.

  • You can just google "ATMail 6.5 smarthost"...

    I don't know ATMail 6.5...

  • Hello and welcome to the UTM Community!

    If you're still fighting this, try Basic Exchange setup with SMTP Proxy which works with most mail servers whether internal or external.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Thank you very much Bob. It's done. I couldn't find a Smart Host option in my Atmail server but just relied on forwarding SMTP traffic towards the Sophos UTM instead of the mail server.