Add an SMTP route and scan policy

You can specify routing and encryption settings for more than one domain on your internal mail servers. You can apply spam and malware checks and specify settings for data and file protection.

  1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  2. Enter a name.
  3. Specify the Domains and routing target details.

    Protected domain

    Add the domains to be protected for inbound (received by users within protected domains), outbound (sent by users from protected domains), and internal (among users within protected domains) emails.

    Note You can’t specify email addresses. For existing and migrated email addresses, XG Firewall will continue to apply the specified settings, but you can’t edit these addresses.

    Route by

    Select the mail server to forward the emails to.

    Static host: From Host list, select the static IP addresses of internal mail servers.

    Note If the first host in the selected list is unreachable, XG Firewall forwards emails to the next host until it reaches the end of the list.

    DNS host: Select and specify the DNS hostname, for example,

    Note For a DNS name with multiple A records, XG Firewall delivers emails randomly to each server. If a server fails, the firewall automatically routes emails to the other servers.

    MX: Select to route emails based on MX records.

    Global action

    Action to take for emails related to protected domains.

    Accept: Accepts email

    Reject: Rejects email and notifies sender

    SPX template

    Select the encryption template for outbound emails.

  4. Turn on Spam protection.

    Check for inbound spam

    Select to check for spam in inbound emails.

    Use greylisting

    Select if you want to temporarily reject inbound emails from IP addresses of unknown mail servers.

    Note Legitimate servers retry sending the rejected emails at regular intervals. XG Firewall accepts these emails, greylisting the sender’s IP address for a certain duration.

    Reject based on SPF

    With Sender Policy Framework (SPF), XG Firewall verifies the IP address of the sender’s authorized mail server in DNS records and rejects emails from unauthorized servers.

    Reject based on RBL

    Select the RBL services to reject emails from sender IP addresses in these lists.

    Recipient verification


    With callout: Checks recipient email address with the user account on the destination mail server. XG Firewall rejects emails to users that don’t exist. It accepts emails to recipients if the mail server is unreachable for a certain duration.

    In Active Directory: Verifies recipients of inbound emails with the AD server over simple, SSL, and STARTTLS protocols. Specify the AD server, bind DN, and base DN.

    Bind DN is the full distinguished name (DN), including the common name (CN) of the administrator user configured in the AD server that you’ve specified.


    Base DN is the base distinguished name (DN), which is the starting point of searches in the AD server.


    Note Verification times out in 30 seconds.

    Spam action

    Probable spam action

    Specify the actions.


    Warn: Specify the subject prefix. Delivers email to recipient after adding a prefix to the subject.


    Drop: Drops email without notifying sender

    Note These actions don’t apply to SPF and RBL checks. If these checks fail, XG Firewall will reject the email.
  5. Turn on Malware protection.


    Select the action for antivirus scanning.

    Disable: Emails aren’t scanned

    Single antivirus: Primary antivirus engine scans emails

    Dual antivirus: Primary and secondary engines scan emails sequentially
    Note You can specify the primary antivirus engine in general settings.
    Note In models lower than Sophos Firewall XG 105, you can turn on scanning only with the primary antivirus engine.

    Detect zero-day threats with Sandstorm

    Select to send emails for Sandstorm analysis and specify the maximum file size that can be analyzed. Larger files won’t be analyzed.

    Note To implement Sandstorm analysis with single antivirus scanning, specify Sophos as the primary antivirus engine.

    Selected antivirus action

    Specify the action.

    • None
    • Drop: Drops email without notifying sender
    • Quarantine

    Notify sender

    Select to notify senders about infected emails.

    Quarantine unscannable content

    Select to quarantine emails that can’t be scanned, for example, corrupt, encrypted, compressed files, oversized emails, and emails that couldn’t be scanned due to an internal error.

  6. Turn on File protection to filter attachments.
    Block file types Select the type of attachments to block. To select more than one file type, press Ctrl+Shift. MIME headers populate the MIME whitelist.

    All: Blocks emails with attachments

    None: Allows emails with attachments

    MIME whitelist To allow certain file types, select their MIME headers. Antivirus scanning blocks the remaining file types.
    Drop message greater than Enter the maximum file size to scan. Larger emails are dropped.
  7. Turn on Data protection.

    Data control list

    Select from the list to scan for sensitive information in outbound emails.

    Data control list action

    Select the action.

    Accept: Delivers email

    Accept with SPF: SPX-encrypts and delivers email. Select the SPX template to apply.

    Drop: Drops email without notifying sender

    Notify sender

    Select to notify senders about sensitive information.

    Note You can create data control lists from the content control list (CCL). CCLs are based on common financial and personally identifiable data types, for example, credit card or social security numbers, postal or email addresses.
    Note XG Firewall first checks outbound emails from protected domains and applies the specified SPX template. If you haven’t specified one and if XG Firewall finds a data match, it applies the custom SPX template specified for data protection. For emails that don’t raise these two triggers, if it finds a sender-specified header match, it applies the SPX template specified for the sender trigger.
    Note XG Firewall matches policy settings with visible content as well as content of file packages (file formats that include zip-compressed files, for example, docx, xlsx, pptx, odt, ods, odp, odg).
    Note Applying SPX encryption, adding a subject prefix, blocking file types, or appending a banner to outbound emails modifies the email header or body. The modification breaks the DKIM hash, which will result in DKIM verification failure at the recipient MTA.
  8. Click Save.