General settings

With general settings, you can turn XG Firewall into a mail transfer agent (MTA) or a transparent mail proxy.

Note MTA mode is available only in Sophos Firewall XG 105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.

SMTP deployment mode

To switch between MTA and legacy modes, click the button.

In MTA mode, XG Firewall routes and protects emails for protected domains hosted on more than one mail server. You can specify inbound and outbound mail relay, encryption, and quarantine settings, view the cause of delays in email delivery, and view mail logs.
Note When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic.

In legacy mode (transparent mail proxy), you can specify policies to protect emails from spam, malware, and data leakage in addition to specifying encryption settings.

Note If you’ve migrated from CyberoamOS or SFOS v15 to SFOS v16, legacy mode is enabled by default.

Outbound banner settings

Email banner mode
Method of appending a banner to outgoing emails.
Note To append a banner, you must select SMTP and SMTPS scanning in business application rules.
Email banner
Text to be appended to outgoing emails.
Note You can append only text banners.

Example:

This email contains confidential information. You are not authorized to copy the contents without the sender’s consent. Do not print this email unless it is necessary. Spread environmental awareness.

Note Appending a banner to outbound emails modifies the email body. If the email was already DKIM-signed, the modification invalidates the DKIM body hash (the bh= value), so DKIM verification fails at the recipient MTA.
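Why the banner breaks DKIM, shown as an added example that is not part of the Sophos documentation: the signing MTA records a base64 SHA-256 of the relaxed-canonicalized body in the bh= tag of DKIM-Signature (RFC 6376), and the recipient recomputes it over the body it actually receives. The sample body is constructed; the banner text is the documentation's own example.

```python
import base64
import hashlib


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse whitespace runs within
    a line to one space, strip trailing whitespace, normalize line endings to
    CRLF and drop empty lines at the end of the body."""
    lines = [" ".join(ln.split()) for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body: the value the signing MTA
    records in the bh= tag of the DKIM-Signature header."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()


def append_banner(body: str, banner: str) -> str:
    """Models what an outbound banner does to a body that was already signed."""
    return body.rstrip("\r\n") + "\r\n\r\n" + banner + "\r\n"


def dkim_body_verifies(signed_body: str, delivered_body: str) -> bool:
    """The recipient MTA recomputes bh= over the body it received and compares
    it with the value recorded at signing time; a mismatch fails verification."""
    return body_hash(signed_body) == body_hash(delivered_body)


# Constructed sample body; the banner text is the documentation's example.
ORIGINAL_BODY = "Hi Bob,\r\n\r\nThe Q3 report is attached.\r\n\r\nAlice\r\n"
BANNER = ("This email contains confidential information. You are not authorized "
          "to copy the contents without the sender's consent.")

if __name__ == "__main__":
    delivered = append_banner(ORIGINAL_BODY, BANNER)
    print("bh= at signing  :", body_hash(ORIGINAL_BODY))
    print("bh= at recipient:", body_hash(delivered))
    # Relaxed canonicalization tolerates trailing blank lines added in transit...
    print("trailing blank lines only:", dkim_body_verifies(ORIGINAL_BODY, ORIGINAL_BODY + "\r\n\r\n"))
    # ...but not new content, so the appended banner fails DKIM at the recipient.
    print("banner appended:", dkim_body_verifies(ORIGINAL_BODY, delivered))
```

The same applies to the simple canonicalization and to any body change, which is why the banner must be applied before signing (or not at all) on a DKIM-signing path.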

SMTP settings

SMTP hostname
SMTP hostname used in HELO and SMTP banner strings. Default hostname: “Sophos”.
Don’t scan emails greater than
Maximum file size (KB) for scanning. Files received over SMTP/S that exceed this size won’t be scanned. “0” sets the file size limit to 51,200 KB.
Action for oversize emails
Action for emails that exceed the specified size.
Name      Description
Accept    Forwards to recipient without scanning
Reject    Rejects email and notifies sender
Drop      Drops email without notifying sender
Reject based on IP reputation
Reject emails with bad sender IP reputation.
Note XG Firewall checks the sender's IP reputation before the spam checks specified in the SMTP policy.
SMTP DoS settings
Protect the network from SMTP denial-of-service attacks.
Settings                     Description                                              Acceptable range
Maximum connections          Connections with the mail server                         Set automatically to a maximum value based on RAM and processor capacity
Maximum connections/host     Connections from a host to the mail server               Set automatically to a maximum value based on RAM and processor capacity
Maximum emails/connection    Emails that can be sent over a connection                1 to 1000
Maximum recipients/email     Recipients of a single email                             1 to 512
Emails rate                  Emails from a host in a minute                           1 to 1000
Connections rate             Connections from a host to the mail server in a second   1 to 100
Note When you upgrade to SFOS 17.5 or later, XG Firewall migrates the specified values of email rate and connection rate, if they are within the acceptable range. If the values exceed the maximum limit, it automatically sets them to the default value.

POP/S and IMAP/S settings

Don’t scan emails greater than
Maximum email size (in KB) for scanning. Emails received over POP/IMAP that exceed this size won’t be scanned. “0” sets the size limit to 10,240 KB.
Recipient headers
Header values scanned to detect the recipients specified in POP/IMAP policies. Default: Delivered-To, Received, X-RCPT-TO
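An added example, not code from the documentation or the product, of how recipients can be recovered from the three default headers: Delivered-To and X-RCPT-TO carry an address directly, while in a Received trace line only the optional `for <addr>` clause names a recipient and the host names in the line must not be mistaken for one. The sample message is constructed.

```python
import re
from email import message_from_string

# Default recipient headers listed in the documentation.
RECIPIENT_HEADERS = ("Delivered-To", "Received", "X-RCPT-TO")
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# In a Received trace line only the optional 'for <addr>' clause names a
# recipient (RFC 5321 section 4.4); the host names in it are not addresses.
RECEIVED_FOR_RE = re.compile(r"\bfor\s+<?([^<>\s;]+@[^<>\s;]+)>?", re.IGNORECASE)

def recipients_in(raw_message: str, headers=RECIPIENT_HEADERS) -> set[str]:
    """Collect candidate recipient addresses (lower-cased) from the given headers."""
    msg = message_from_string(raw_message)
    found = set()
    for name in headers:
        for value in msg.get_all(name, []):
            value = " ".join(str(value).split())  # unfold continuation lines
            if name.lower() == "received":
                match = RECEIVED_FOR_RE.search(value)
                if match:
                    found.add(match.group(1).lower())
            else:
                found.update(addr.lower() for addr in ADDR_RE.findall(value))
    return found

def matches_policy(raw_message: str, policy_recipients) -> bool:
    """True if any detected recipient is one the POP/IMAP policy is written for."""
    wanted = {r.lower() for r in policy_recipients}
    return bool(recipients_in(raw_message) & wanted)

# Constructed sample message as fetched over POP/IMAP: 'To' hides the
# recipients, so only the trace headers reveal who it was delivered to.
SAMPLE = (
    "Delivered-To: <bob@example.com>\n"
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mail.example.com with ESMTPS id 4Ab12Cd\n"
    "\tfor <sales@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-RCPT-TO: carol@example.com\n"
    "From: alice@example.org\n"
    "To: undisclosed-recipients:;\n"
    "Subject: Q3 report\n"
    "\n"
    "Body text\n"
)

if __name__ == "__main__":
    print(sorted(recipients_in(SAMPLE)))
    print("policy for sales@example.com applies:", matches_policy(SAMPLE, ["Sales@example.com"]))
```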

SMTP TLS configuration

Specify the settings to secure SMTP traffic.

TLS certificate
CA certificate or server certificate to scan SMTP traffic over SSL.
Allow invalid certificate
Select to allow SMTP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.
Require TLS negotiation
Select remote hosts (mail servers) or networks to enforce TLS encryption on their connections. XG Firewall will initiate TLS-secured connections for emails sent to the selected hosts or networks.
Note If TLS is enforced but a connection can’t be established, XG Firewall discards emails to the specified remote host or network.
Require sender email domains
Specify the sender email domains for which TLS encryption is enforced on email connections.
Note If TLS is enforced but a connection can’t be established, XG Firewall discards emails from these sender domains.
Skip TLS negotiation
Select the remote hosts (mail servers) or networks to skip TLS encryption on their connections. XG Firewall establishes unencrypted SMTP connections to these hosts.

POP and IMAP TLS configuration

Specify the settings to secure POP/IMAP traffic.

TLS certificate
CA certificate to scan POP and IMAP traffic over SSL.
Allow invalid certificate
Select to allow POP and IMAP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.

Blocked senders

Enter the email addresses to be blocked.

Malware protection

Malware protection is available in Sophos Firewall XG 105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.

XG Firewall offers scanning by two antivirus engines.

Primary antivirus engine
Select the primary antivirus engine to scan traffic from the options:
  • Sophos
  • Avira. If you select this, XG Firewall will turn off Sandstorm in SMTP policies with single antivirus scan.
Note If you’ve selected dual antivirus in the SMTP policy, the primary engine scans traffic first, and then the secondary engine scans traffic. If you’ve selected single antivirus, only the primary engine scans traffic.

Smarthost settings

Smarthost is an MTA that acts as an intermediate server between the sender's and recipient's mail servers. Select smarthost settings to route outbound emails through the specified server.
Hostname
Select the smarthost.
Note Don’t specify the interface IP address of XG Firewall for the smarthost. It will cause a routing loop.
Port
Enter the port number. Default: 25
Authenticate device with smarthost
Select if you want XG Firewall to authenticate to the smarthost before routing emails through it. Enter the sign-in credentials.
Note XG Firewall supports the PLAIN and LOGIN authentication mechanisms.

Advanced SMTP settings

Reject invalid HELO or missing RDNS
Select to reject emails from hosts that send invalid HELO/EHLO arguments or lack RDNS records.
Do strict RDNS checks
Select to reject emails from hosts with invalid RDNS records.
Note An RDNS record is invalid if the hostname doesn’t resolve back to the source IP address.
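The two RDNS settings modelled as an added example (not the product's implementation): it treats an invalid HELO/EHLO argument as one that is neither a fully qualified domain nor an address literal, which is an assumption about what the product checks, and implements the forward-confirmed reverse DNS test the note describes. DNS lookups are injected so the code runs offline against constructed PTR and A records.

```python
import ipaddress
import re

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+\.?$")

def helo_is_valid(arg: str) -> bool:
    """A fully qualified domain or an address literal such as [192.0.2.5] or
    [IPv6:2001:db8::1] (RFC 5321 section 4.1.1.1); anything else is invalid."""
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return False
        return True
    return bool(FQDN_RE.match(arg))

def rdns_status(ip: str, ptr_lookup, addr_lookup) -> str:
    """'missing' (no PTR record), 'confirmed' (a PTR name resolves back to the
    connecting IP, i.e. forward-confirmed reverse DNS) or 'invalid'."""
    names = ptr_lookup(ip)
    if not names:
        return "missing"
    if any(ip in addr_lookup(name) for name in names):
        return "confirmed"
    return "invalid"

def connection_verdict(ip, helo, ptr_lookup, addr_lookup,
                       reject_invalid_helo_or_missing_rdns=True, strict_rdns=False) -> str:
    """Apply the two settings to one SMTP client and return the verdict."""
    status = rdns_status(ip, ptr_lookup, addr_lookup)
    if reject_invalid_helo_or_missing_rdns:
        if not helo_is_valid(helo):
            return "reject: invalid HELO/EHLO argument"
        if status == "missing":
            return "reject: no RDNS record"
    if strict_rdns and status == "invalid":
        return "reject: RDNS name does not resolve back to source IP"
    return "accept"

# Constructed DNS data standing in for live PTR and A/AAAA lookups:
# 192.0.2.20 has a PTR record, but the name points to a different address.
PTR = {"192.0.2.10": ["mx1.example.net"], "192.0.2.20": ["mail.example.org"]}
ADDR = {"mx1.example.net": ["192.0.2.10"], "mail.example.org": ["198.51.100.7"]}
ptr_lookup = lambda ip: PTR.get(ip, [])
addr_lookup = lambda name: ADDR.get(name.rstrip("."), [])
```

With only the first setting on, 192.0.2.20 is accepted because a PTR record exists; strict mode rejects it because the name does not resolve back to the source IP.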
Scan outgoing mails
Select to scan outgoing emails. Quarantines spam and malware-infected emails.
Route inbound mail through gateway
Select to use the original firewall rule to route inbound mail (from external and internal senders) to your mail servers. By default, XG Firewall routes only outbound mail.
Note Use the setting in these cases:
  • To route inbound mail to mail servers (on-premise or hosted) in the WAN zone
  • To apply the original firewall rule settings when forwarding inbound mail to mail servers in LAN or DMZ
  • To maintain your IP reputation when you load balance traffic among ISP links. XG Firewall will apply the gateway settings specified in the original firewall rule.