General Settings
This feature requires a subscription in Sophos XG Firewall. It can be configured but cannot be enforced without a valid Email Protection subscription.
Email Configuration lets you configure the general settings for email traffic. This page contains the following sections.
SMTP Deployment Mode
MTA Mode
Click to enable Mail Transfer Agent (MTA) mode. When disabled, the Sophos XG Firewall device acts as a transparent proxy. When acting as an MTA, the device is responsible for routing emails to and from the protected Email Server(s). In this state:
* You can configure relay of inbound and outbound emails from Device Configuration > Protect > Email > Relay Settings.
* You can set up multiple SMTP Profiles to protect multiple domains on your internal Email Server, or multiple Email Servers, from Device Configuration > Protect > Email > Email Policies > SMTP Profiles.
Banner Settings
Append Banner to All Outbound Messages
Enable to add a banner at the end of all outgoing Email messages.
The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).
Email Banner
Specify the banner to be added to all outgoing emails. Only text banners are allowed.
Example:
This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.
SMTP/S Settings
SMTP Hostname
Specify the SMTP/S hostname to be used in HELO and SMTP banner strings. By default, the device uses 'Sophos' as the hostname.
Don't Scan Emails Greater Than
Specify maximum file size (in KB) for scanning. Files exceeding this size received through SMTP/S will not be scanned.
Default - 0 KB
Specify 0 to increase the default file size scanning restriction to 51200 KB.
Action for Oversize Emails
Specify the action for Oversize Emails.
Available Options
* Accept: All oversize emails are forwarded to the recipient without scanning.
* Reject: All oversize emails are rejected and the sender is notified.
* Drop: All oversize emails are dropped without notifying the sender.
Default - Accept
Bypass Spam Check for SMTP/S Authenticated Connections
Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.
Verify Sender's IP Reputation
Click to verify the reputation of the sender IP address. When enabled, the device dynamically checks the sender IP address of all emails. If the IP address is found to be responsible for sending spam emails or malicious content, the device takes action as per the configured Scanning Rules.
If enabled, specify action for Confirmed Spam Emails and Probable Spam Emails.
Available Options
* Accept: All the spam Emails are forwarded to the recipient after scanning as per the configuration.
* Reject: All the spam mails are rejected and a notification is sent to the Email sender.
* Drop: All the spam mails are dropped, without notifying the sender.
As it is a global option, if Spam scanning is enabled, all the mails will be first subjected to IP Reputation filtering followed by filtering based on actions configured in Spam policy.
Default - Disable
SMTP DoS Settings
Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.
If enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connection Rate per Second/Host.
Maximum Connections (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections that can be established with the Email Server.
Default - 1024
Range - 1 - 20000
Maximum Connections/Host (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections allowed to the Email Server from a particular host.
Default - 64
Range - 1 - 10000
Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)
Specify maximum number of Emails that can be sent in a single Connection.
Default - 512
Range - 1 - 1000
Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)
Specify maximum number of Recipients for a single Email.
Default - 100
Range - 1 - 256
Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)
Specify the maximum number of emails that can be sent from a particular host in one minute.
Default - 512
Range - 1 - 20000
Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)
Specify the maximum number of connections allowed to the Email Server from a particular host in one second.
Default - 8
Range - 1 - 20000
POP/S and IMAP/S Settings
Don't Scan Emails Greater Than
Specify maximum file size (in KB) for scanning. Files exceeding this size received through POP/IMAP will not be scanned.
Default - 1024 KB
Specify 0 to increase the default file size restriction to 10240 KB.
Recipient Headers
Specify the header values used to detect the recipient for POP3/IMAP.
Default - Delivered-To, Received, X-RCPT-TO
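POP3 and IMAP carry no SMTP envelope, so the recipient has to be recovered from message headers. The following added example (not Sophos code) walks the default header list in order and returns the first header that yields an address. The first-match rule, the function name and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Header order taken from the default value documented above.
RECIPIENT_HEADERS = ["Delivered-To", "Received", "X-RCPT-TO"]

# A Received header may name the envelope recipient in a "for <addr>" clause.
_RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)

# Constructed sample: a Bcc-style message whose To: header hides the recipient.
SAMPLE_BCC = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.com with ESMTP id 4ABC\n"
    "\tfor <alice@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: Sender <sender@example.net>\n"
    "To: undisclosed-recipients:;\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed sample: the same message after a delivery agent added Delivered-To.
SAMPLE_DELIVERED = "Delivered-To: Bob@Example.com\n" + SAMPLE_BCC


def detect_recipients(raw_message, headers=RECIPIENT_HEADERS):
    """Return (header_name, addresses) from the first configured header that
    yields an address, or (None, []) when no configured header is usable."""
    msg = message_from_string(raw_message)
    for name in headers:
        values = msg.get_all(name, [])
        if name.lower() == "received":
            hits = (_RECEIVED_FOR.search(v) for v in values)
            found = [m.group(1) for m in hits if m]
        else:
            found = [addr for _, addr in getaddresses(values) if "@" in addr]
        if found:
            # Lower-case and de-duplicate while keeping first-seen order.
            return name, list(dict.fromkeys(a.lower() for a in found))
    return None, []


if __name__ == "__main__":
    for sample in (SAMPLE_DELIVERED, SAMPLE_BCC, "To: x@example.com\n\nbody\n"):
        print(detect_recipients(sample))
```

A message with none of the configured headers returns no recipient, which is the case to look for when a per-recipient policy does not match POP3/IMAP mail.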
SMTP TLS Configuration
TLS Certificate
Select the CA for scanning SMTP traffic over SSL from the available options.
Available Options
* Default
* SecurityAppliance_SSL_CA
* List of custom CAs if added. You can create the custom CA from Device Configuration > Configure > VPN > Certificate Authority.
Allow Invalid Certificate
If enabled, SMTP over SSL connections are allowed even when the Email Server presents an invalid certificate. Disable to reject such connections.
Default - Enable
Require TLS Negotiation with Host/Net
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be enforced. In other words, Device will always initiate TLS-secured connections when Emails are to be sent to selected hosts/networks. If TLS is enforced but connection cannot be established, then Emails to that remote host/network are discarded.
Require TLS Negotiation with Sender Domain
Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.
Sender Domain is the Domain of the Email Sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.
Skip TLS Negotiation Hosts/Nets
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to the selected hosts are established in clear text, without encryption.
POP and IMAP TLS Configuration
TLS Certificate
Select the CA for scanning POP and IMAP traffic over SSL from the available options.
Available Options
* Default
* SecurityAppliance_SSL_CA
* List of custom CAs if added
Default - Default
Allow Invalid Certificate
If enabled, POP and IMAP over SSL connections are allowed even when the Mail Server presents an invalid certificate. Disable to reject such connections.
Default - Enable
Apply
Click to save the configuration.
Email Journaling
Because email is one of the most important communication and business tools used by organizations, Email Journaling has become an integral part of every organization. An email journal is a repository that preserves emails for compliance and operational purposes.
Using the Device Email Journal, the administrator can archive all emails, or the emails of a specific recipient or group of recipients, coming into the organization and thereby keep a close watch over data leakage.
The Device can archive all emails intended for a single recipient or multiple recipients and can forward them to a single administrator or multiple administrators.
This section displays the list of journals created and provides options to add a new journal, update the parameters of an existing journal, or delete a journal. You can filter the list based on recipient name.
Spam Check Exceptions
To bypass spam scanning for certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.
It also provides options to add a new domain and delete an existing domain.
Domain Name
Enter a valid domain name.
Add
Click to add the domain entered in Domain Name.
Apply
Click to save the configuration.
Malware Protection
Sophos XG Firewall offers Dual Anti-Virus Scanning, wherein traffic is scanned by Two (2) Anti-Virus Engines. Traffic is first scanned by the Primary Engine, and then the Secondary Engine. You can configure managed Sophos XG Firewall device(s) for Malware Protection using the following settings:
* Dual Anti-Virus is not available in Sophos XG Firewall device Models SF100 and SF200. For them, ONLY Single Anti-Virus CYREN is available.
* You can also view and manage these settings from Device Configuration > Configure > System Services > Malware Protection.
* You can manage the Anti-Virus service from Device Configuration > Monitor and Analyze > Diagnostics > Services.
Primary Anti-Virus Engine
Select the Primary Anti-Virus Engine to be used for traffic scanning. For Dual Scan, packets are first scanned by the Primary Engine and then by the Secondary Engine. For Single Scan, only the Primary Engine is used.
Available Options
* Sophos Engine
* Avira Engine
Apply
Click to save the configuration.
Smarthost Settings
A smarthost is a Mail Transfer Agent (MTA) which acts as an intermediate server between the sender's and recipient's mail servers. When a smarthost is configured, the device redirects outbound emails to the designated server, which then routes them to the recipient's mail server.
You can enable Use Smarthost from Device Configuration > Protect > Email > General Settings.
Hostname
Select the host that will act as a smarthost.
* You cannot configure the device's interface IP address as the smarthost. Doing so results in a routing loop.
Port
Enter the port number.
Default: 25
Authenticate Device with Smarthost
Select if the smarthost requires the device to authenticate before routing emails. Both plain and login authentication types are supported. Enter a Username and Password.
Advanced SMTP Settings
Reject invalid HELO or missing RDNS
Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the found hostname does not resolve back to the original IP address.
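The difference between the basic and strict RDNS checks described above, as an added example (not Sophos code). The DNS tables are constructed stand-ins for live lookups, and the definition of a valid HELO argument (a dotted hostname or an address literal) is an assumption, since the page does not define it.

```python
import ipaddress
import re

# Constructed DNS data standing in for live PTR and A/AAAA lookups.
PTR = {"192.0.2.10": "mx.example.net", "192.0.2.20": "host.example.org"}
FWD = {"mx.example.net": ["192.0.2.10"], "host.example.org": ["198.51.100.7"]}

# Assumption: a "valid" HELO argument is a dotted hostname or an address literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def helo_is_valid(arg):
    """Syntactic check only: hostname, or literal like [192.0.2.10] / [IPv6:...]."""
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    return len(arg) <= 253 and bool(_FQDN.match(arg))


def check_client(ip, helo, strict=False, ptr=PTR, fwd=FWD):
    """Return (accepted, reason) for a connecting SMTP client."""
    if not helo_is_valid(helo):
        return False, "invalid HELO"
    name = ptr.get(ip)
    if name is None:
        return False, "missing RDNS"
    if strict:
        # Forward-confirm: the PTR name must resolve back to the client address.
        client = ipaddress.ip_address(ip)
        if client not in {ipaddress.ip_address(a) for a in fwd.get(name, [])}:
            return False, "invalid RDNS"
    return True, "ok"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mx.example.net"),
                     ("192.0.2.20", "host.example.org"),
                     ("192.0.2.30", "mail.example.com"),
                     ("192.0.2.10", "bad host")]:
        print(ip, helo, check_client(ip, helo), check_client(ip, helo, strict=True))
```

The host at 192.0.2.20 passes the basic check because a PTR record exists, but fails the strict check because its PTR name resolves to a different address.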
Scan Outgoing Mails
Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.
Apply
Click to save the configuration.