Add an SMTP route and scan policy

You can specify routing and encryption settings for more than one domain on your internal mail servers. You can apply spam and malware checks and specify settings for data and file protection.

1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
2. Enter a name.
3. Specify the Domains and routing target details.

   Option	Description
   Protected domain	Add the domains to be protected for inbound (received by users within protected domains), outbound (sent by users from protected domains), and internal (among users within protected domains) emails. Note You can’t specify email addresses. For existing and migrated email addresses, XG Firewall will continue to apply the specified settings, but you can’t edit these addresses.
   Route by	Select the mail server to forward the emails to. Static host: From Host list, select the static IP addresses of internal mail servers. Note If the first host in the selected list is unreachable, XG Firewall forwards emails to the next host until it reaches the end of the list. DNS host: Select and specify the DNS hostname, for example, mailserver.example.com. Note For a DNS name with multiple A records, XG Firewall delivers emails randomly to each server. If a server fails, the firewall automatically routes emails to the other servers. MX: Select to route emails based on MX records.
   Global action	Action to take for emails related to protected domains. Accept: Accepts email Reject: Rejects email and notifies sender
   SPX template	Select the encryption template for outbound emails.

4. Turn on Spam protection.

   Option	Description
   Check for inbound spam	Select to check for spam in inbound emails.
   Use greylisting	Select if you want to temporarily reject inbound emails from IP addresses of unknown mail servers. Note Legitimate servers retry sending the rejected emails at regular intervals. XG Firewall accepts these emails, greylisting the sender’s IP address for a certain duration.
   Reject based on SPF	With Sender Policy Framework (SPF), XG Firewall verifies the IP address of the sender’s authorized mail server in DNS records and rejects emails from unauthorized servers.
   Reject based on RBL	Select the RBL services to reject emails from sender IP addresses in these lists.
   Recipient verification	Off With callout: Checks recipient email address with the user account on the destination mail server. XG Firewall rejects emails to users that don’t exist. It accepts emails to recipients if the mail server is unreachable for a certain duration. In Active Directory: Verifies recipients of inbound emails with the AD server over simple, SSL, and STARTTLS protocols. Specify the AD server, bind DN, and base DN. Bind DN is the full distinguished name (DN), including the common name (CN) of the administrator user configured in the AD server that you’ve specified. CN=Administrator,CN=Users,DC=example,DC=com Base DN is the base distinguished name (DN), which is the starting point of searches in the AD server. DC=example,DC=com Note Verification times out in 30 seconds.
   Spam action Probable spam action	Specify the actions. None Warn: Specify the subject prefix. Delivers email to recipient after adding a prefix to the subject. Quarantine Drop: Drops email without notifying sender Note These actions don’t apply to SPF and RBL checks. If these checks fail, XG Firewall will reject the email.

5. Turn on Malware protection.

   Option	Description
   Scanning	Select the action for antivirus scanning. Disable: Emails aren’t scanned Single antivirus: Primary antivirus engine scans emails Dual antivirus: Primary and secondary engines scan emails sequentially Note You can specify the primary antivirus engine in general settings. Note In models lower than Sophos Firewall XG 105, you can turn on scanning only with the primary antivirus engine.
   Detect zero-day threats with Sandstorm	Select to send emails for Sandstorm analysis and specify the maximum file size that can be analyzed. Larger files won’t be analyzed. Note To implement Sandstorm analysis with single antivirus scanning, specify Sophos as the primary antivirus engine.
   Selected antivirus action	Specify the action. None Drop: Drops email without notifying sender Quarantine
   Notify sender	Select to notify senders about infected emails.
   Quarantine unscannable content	Select to quarantine emails that can’t be scanned, for example, corrupt, encrypted, compressed files, oversized emails, and emails that couldn’t be scanned due to an internal error.

6. Turn on File protection to filter attachments.

   Option	Description
   Block file types	Select the type of attachments to block. To select more than one file type, press Ctrl+Shift. MIME headers populate the MIME whitelist. All: Blocks emails with attachments None: Allows emails with attachments
   MIME whitelist	To allow certain file types, select their MIME headers. Antivirus scanning blocks the remaining file types.
   Drop message greater than	Enter the maximum file size to scan. Larger emails are dropped.

7. Turn on Data protection.

   Option	Description
   Data control list	Select from the list to scan for sensitive information in outbound emails.
   Data control list action	Select the action. Accept: Delivers email Accept with SPF: SPX-encrypts and delivers email. Select the SPX template to apply. Drop: Drops email without notifying sender
   Notify sender	Select to notify senders about sensitive information.

   Note You can create data control lists from the content control list (CCL). CCLs are based on common financial and personally identifiable data types, for example, credit card or social security numbers, postal or email addresses.

   Note XG Firewall first checks outbound emails from protected domains and applies the specified SPX template. If you haven’t specified one and if XG Firewall finds a data match, it applies the custom SPX template specified for data protection. For emails that don’t raise these two triggers, if it finds a sender-specified header match, it applies the SPX template specified for the sender trigger.

   Note XG Firewall matches policy settings with visible content as well as content of file packages (file formats that include zip-compressed files, for example, docx, xlsx, pptx, odt, ods, odp, odg).

   Note Applying SPX encryption, adding a subject prefix, blocking file types, or appending a banner to outbound emails modifies the email header or body. The modification breaks the DKIM hash, which will result in DKIM verification failure at the recipient MTA.
8. Click Save.