Add an SMTP route and scan policy
You can specify routing and encryption settings for more than one domain on your internal mail servers. You can apply spam and malware checks and specify settings for data and file protection.
- Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
- Enter a name.
- Specify the Domains and routing target details.
Option Description
Protected domain
Add the domains to be protected for inbound (received by users within protected domains), outbound (sent by users from protected domains), and internal (among users within protected domains) emails.
Note You can't specify email addresses. For existing and migrated email addresses, XG Firewall continues to apply the specified settings, but you can't edit these addresses.
Route by
Select the mail server to forward the emails to.
Static host: From Host list, select the static IP addresses of internal mail servers.
Note If the first host in the selected list is unreachable, XG Firewall forwards emails to the next host until it reaches the end of the list.
DNS host: Select and specify the DNS hostname, for example, mailserver.example.com.
Note For a DNS name with multiple A records, XG Firewall delivers emails randomly to each server. If a server fails, the firewall automatically routes emails to the other servers.
MX: Select to route emails based on MX records.
Global action
Action to take for emails related to protected domains.
Accept: Accepts email
Reject: Rejects email and notifies sender
SPX template
Select the encryption template for outbound emails.
- Turn on Spam protection.
Option Description
Check for inbound spam
Select to check for spam in inbound emails.
Use greylisting
Select to temporarily reject inbound emails from the IP addresses of mail servers the firewall hasn't seen before.
Note Legitimate mail servers retry delivery of temporarily rejected emails at regular intervals, whereas most spam tools don't. XG Firewall accepts the retried email and keeps the sender's IP address on the greylist for a certain duration.
Reject based on SPF
Sender Policy Framework (SPF): XG Firewall looks up the SPF record that the sender's domain publishes in DNS, checks whether the connecting mail server's IP address is authorized by that record, and rejects emails from unauthorized servers.
Reject based on RBL
Select the real-time blackhole list (RBL) services to use. Emails from sender IP addresses listed by these services are rejected.
Recipient verification
Off: Recipients aren't verified.
With callout: Checks the recipient email address against the user accounts on the destination mail server. XG Firewall rejects emails to users that don't exist. If the mail server is unreachable for a certain duration, it accepts emails to the recipients.
In Active Directory: Verifies the recipients of inbound emails against the AD server, using a simple (unencrypted), SSL, or STARTTLS connection. Specify the AD server, bind DN, and base DN.
Bind DN is the full distinguished name (DN), including the common name (CN), of the administrator user configured in the AD server you've specified. For example:
CN=Administrator,CN=Users,DC=example,DC=com
Base DN is the base distinguished name (DN), the starting point for searches in the AD server. For example:
DC=example,DC=com
Note Verification times out in 30 seconds.
Spam action
Probable spam action
Specify the actions for emails classified as spam and as probable spam.
None: Delivers email unchanged
Warn: Specify the subject prefix. Delivers email to the recipient after adding the prefix to the subject.
Quarantine: Holds email in quarantine
Drop: Drops email without notifying sender
Note These actions don't apply to SPF and RBL checks. If these checks fail, XG Firewall rejects the email.
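The following Python example is added here as an illustration of the greylisting and Reject based on SPF checks described above; it is not Sophos documentation or XG Firewall code. It evaluates SPF records against a constructed in-memory DNS table (DNS_TXT, DNS_MX, DNS_A are assumptions) and uses assumed greylisting timings. The order of the two checks, the actual delays, and how the firewall treats an SPF softfail or neutral result are not stated on this page and are assumptions in the code.

```python
"""Inbound envelope checks: greylisting, then SPF. Added example; not XG Firewall code.

DNS answers come from a constructed in-memory table so the code runs offline;
a real check resolves TXT, MX and A records for the sender's domain."""
import ipaddress

# Constructed DNS data (assumption). example.com authorizes a subnet, its MX
# hosts, and whatever _spf.mailhost.example authorizes; everything else fails.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8:10::/48 ~all",
}
DNS_MX = {"example.com": ["mx1.example.com"]}
DNS_A = {"mx1.example.com": ["198.51.100.7"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, depth=0):
    """Return the SPF result for a connection from client_ip using MAIL FROM @sender_domain."""
    if depth > 10:                       # RFC 7208 caps include: recursion
        return "permerror"
    record = DNS_TXT.get(sender_domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
        elif mech == "a":
            matched = str(ip) in DNS_A.get(arg or sender_domain, [])
        elif mech == "mx":
            hosts = DNS_MX.get(arg or sender_domain, [])
            matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


class Greylist:
    """Temporarily reject unknown (client IP, sender, recipient) triplets.
    Timings are assumptions; the page only says "a certain duration"."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, trust_for=36 * 3600):
        self.min_delay, self.retry_window, self.trust_for = min_delay, retry_window, trust_for
        self.pending = {}    # triplet -> time first seen
        self.trusted = {}    # client IP -> trusted until

    def check(self, client_ip, sender, recipient, now):
        if self.trusted.get(client_ip, 0) > now:
            return "accept"                       # IP already proved that it retries
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now               # new or expired triplet: ask for a retry
            return "tempfail"                     # SMTP 451; real MTAs retry, most spam tools don't
        if now - first < self.min_delay:
            return "tempfail"                     # retried too soon
        del self.pending[key]
        self.trusted[client_ip] = now + self.trust_for
        return "accept"


def inbound_decision(greylist, client_ip, mail_from, rcpt_to, now):
    """SMTP reply the gateway would give. Order (assumption): greylist first,
    then reject on an explicit SPF fail; softfail/neutral/none go on to content checks."""
    if greylist.check(client_ip, mail_from, rcpt_to, now) != "accept":
        return "451 greylisted, try again later"
    if check_spf(client_ip, mail_from.rpartition("@")[2]) == "fail":
        return "550 SPF check failed"
    return "250 accepted for content scanning"
```

Two points to take from the code when reading the policy options: a greylisted sender sees a temporary failure on the first attempt and is only accepted on the retry, so new correspondents' first emails are delayed; and an SPF rejection depends entirely on what the sender's domain publishes, so a domain with no record, or one ending in ~all, is never rejected by this check alone.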
- Turn on Malware protection.
Option Description
Scanning
Select the action for antivirus scanning.
Disable: Emails aren't scanned
Single antivirus: Primary antivirus engine scans emails
Dual antivirus: Primary and secondary engines scan emails sequentially
Note You can specify the primary antivirus engine in general settings.
Note In models lower than Sophos Firewall XG 105, you can turn on scanning only with the primary antivirus engine.
Detect zero-day threats with Sandstorm
Select to send emails for Sandstorm analysis and specify the maximum file size that can be analyzed. Larger files won't be analyzed.
Note To use Sandstorm analysis with single antivirus scanning, specify Sophos as the primary antivirus engine.
Selected antivirus action
Specify the action for emails in which the antivirus scan detects malware.
- None
- Drop: Drops email without notifying sender
- Quarantine
Notify sender
Select to notify senders about infected emails.
Quarantine unscannable content
Select to quarantine emails that can't be scanned, for example, emails with corrupt, encrypted, or compressed files, oversized emails, and emails that couldn't be scanned because of an internal error.
- Turn on File protection to filter attachments.
Option Description
Block file types
Select the types of attachments to block. To select more than one file type, press Ctrl+Shift. The MIME headers of the selected file types populate the MIME whitelist.
All: Blocks emails with attachments
None: Allows emails with attachments
MIME whitelist
To allow certain file types, select their MIME headers. Antivirus scanning blocks attachments of the remaining file types.
Drop message greater than
Enter the maximum size of emails to scan. Larger emails are dropped.
- Turn on Data protection.
Option Description
Data control list
Select the lists to use when scanning outbound emails for sensitive information.
Data control list action
Select the action.
Accept: Delivers email
Accept with SPX: SPX-encrypts and delivers email. Select the SPX template to apply.
Drop: Drops email without notifying sender
Notify sender
Select to notify senders that their email contained sensitive information.
Note You can create data control lists from the content control lists (CCLs). CCLs are based on common financial and personally identifiable data types, for example, credit card or social security numbers, and postal or email addresses.
Note XG Firewall first checks outbound emails from protected domains and applies the SPX template specified in this policy. If you haven't specified one and XG Firewall finds a data match, it applies the custom SPX template specified for data protection. For emails that don't raise either of these two triggers, if it finds a sender-specified header match, it applies the SPX template specified for the sender trigger.
Note XG Firewall matches policy settings against visible content as well as the content of file packages (file formats that contain zip-compressed files, for example, docx, xlsx, pptx, odt, ods, odp, odg).
Note Applying SPX encryption, adding a subject prefix, blocking file types, or appending a banner to outbound emails modifies the email header or body. The modification breaks the DKIM hash, which results in DKIM verification failure at the recipient MTA. Recipients that enforce DMARC then rely on SPF alone for these emails.
- Click Save.
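The following Python example is added here to illustrate the data protection note about file packages; it is not Sophos documentation or XG Firewall code. It scans an outbound attachment for credit-card-shaped numbers (a regex plus Luhn check standing in for one CCL rule, which is an assumption about how such a rule is implemented) in visible text and inside a zip-based package such as docx. The docx-shaped package it builds (build_docx_like) and the card numbers in the tests are constructed inputs.

```python
"""Data-control-style scan of an outbound attachment. Added example; not XG Firewall code.

Looks for credit-card-shaped numbers (regex plus Luhn check, a constructed
stand-in for one CCL rule) in visible text and inside zip-based file packages
such as docx, the way the note above describes."""
import io
import re
import zipfile

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out most random digit strings (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_attachment(data):
    """Return card numbers found in data, descending into zip packages (and nested ones)."""
    if data[:2] != b"PK":                                   # not a zip container: plain content
        return find_card_numbers(data.decode("utf-8", "replace"))
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            member = package.read(name)
            if member[:2] == b"PK":
                found += scan_attachment(member)            # package inside a package
            else:
                text = re.sub(r"<[^>]+>", " ", member.decode("utf-8", "replace"))  # strip XML tags
                found += find_card_numbers(text)
    return found


def build_docx_like(body_text):
    """Constructed minimal docx-shaped package (assumption: just enough structure for the scan)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml",
                         "<w:document><w:body><w:p><w:r><w:t>" + body_text
                         + "</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()


def data_control_action(attachment, action="drop"):
    """Apply the configured data control list action when the attachment matches."""
    hits = scan_attachment(attachment)
    return (action if hits else "accept", hits)
```

The point of descending into the package is the one the note makes: the card number in word/document.xml never appears in the visible email body, so a scan of the body and of the raw attachment bytes (which are compressed) would miss it.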
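The following Python example is added here to reproduce the DKIM failure the last note describes; it is not Sophos documentation or XG Firewall code. It implements DKIM's simple body canonicalization and relaxed header canonicalization from RFC 6376, so the hashed data is what a real verifier would hash, but it replaces the RSA signature with an HMAC under a constructed key (an assumption made to keep the example self-contained). The message, the domain example.com, the selector sel, and the banner text are constructed.

```python
"""Why a subject prefix or an appended banner breaks DKIM. Added example; not XG Firewall code.

Implements DKIM's "simple" body canonicalization and "relaxed" header
canonicalization from RFC 6376 so the signed data is exactly what a real
verifier hashes. The RSA signature is replaced by an HMAC over that data
with a constructed key (assumption: the point is what gets signed)."""
import base64
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"      # stand-in for the signer's private key


def split_message(raw):
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in re.split(r"\r\n(?!\s)", head):      # keep folded continuation lines together
        name, _, value = line.partition(":")
        headers.append((name, value))
    return headers, body


def body_hash(body):
    """bh= tag: simple canonicalization drops trailing empty lines, then adds one CRLF."""
    canon = re.sub(r"(\r\n)+\Z", "", body) + "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def relaxed_header(name, value):
    """Lowercase name, unfold, collapse whitespace runs, strip, CRLF-terminate."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return name.strip().lower() + ":" + value + "\r\n"


def signed_data(headers, fields, dkim_value):
    """Canonicalized h= headers followed by the DKIM-Signature with its b= tag emptied."""
    data = ""
    for field in fields:
        for name, value in headers:
            if name.lower() == field.lower():
                data += relaxed_header(name, value)
                break
    stripped = re.sub(r";\s*b=[^;]*$", "; b=", dkim_value)
    return data + relaxed_header("DKIM-Signature", stripped).rstrip("\r\n")


def sign(raw, fields=("from", "to", "subject")):
    headers, body = split_message(raw)
    dkim = ("v=1; a=hmac-sha256; c=relaxed/simple; d=example.com; s=sel; "
            "h=" + ":".join(fields) + "; bh=" + body_hash(body) + "; b=")
    mac = hmac.new(KEY, signed_data(headers, fields, dkim).encode(), hashlib.sha256).digest()
    return "DKIM-Signature: " + dkim + base64.b64encode(mac).decode() + "\r\n" + raw


def verify(raw):
    headers, body = split_message(raw)
    dkim = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = {}
    for item in dkim.split(";"):
        key, _, value = item.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    if tags["bh"] != body_hash(body):
        return "fail: body hash mismatch"           # body was modified (e.g. banner appended)
    fields = tags["h"].split(":")
    mac = hmac.new(KEY, signed_data(headers, fields, dkim).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, base64.b64decode(tags["b"])):
        return "fail: signature mismatch"           # a signed header was modified (e.g. subject)
    return "pass"


# Constructed outbound message as the internal mail server would sign it
ORIGINAL = ("From: alice@example.com\r\n"
            "To: bob@example.net\r\n"
            "Subject: Q3 report\r\n"
            "\r\n"
            "Figures attached.\r\n")


def gateway_effects():
    """Verification results before and after the two modifications the note describes."""
    signed = sign(ORIGINAL)
    prefixed = signed.replace("Subject: Q3 report", "Subject: [SPAM] Q3 report")
    bannered = signed + "--\r\nThis email was scanned by the gateway.\r\n"
    return verify(signed), verify(prefixed), verify(bannered)
```

The two failure modes differ: a subject prefix leaves the body hash intact and fails on the signature over the h= headers, while an appended banner fails earlier on the bh= comparison. Either way the recipient sees a DKIM failure, which is why the note warns about every option that rewrites outbound mail.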