General settings

With general settings, you can turn XG Firewall into a mail transfer agent (MTA) or a transparent mail proxy.

SMTP deployment mode

To switch between MTA and legacy modes, click the button.

In legacy mode (transparent mail proxy), you can specify policies to protect emails from spam, malware, and data leakage. You can also specify encryption settings.

In MTA mode, XG Firewall routes and protects emails of protected domains on more than one mail server. You can specify inbound and outbound mail relay, and configure encryption and quarantine settings. You can also view the cause of delay in email delivery and view mail logs.
Note If you've migrated from CyberoamOS or SFOS v15 to SFOS v16, legacy mode is automatically enabled.

Outbound banner settings

Email banner mode
The method of adding a banner to outgoing emails.
Note To add a banner, you must select SMTP and SMTPS scanning in firewall rules.
Email banner
Text added to outgoing emails.
Note You can only add text banners.

Example:

This email contains confidential information. You are not authorized to copy the contents without the sender's consent. Print this email only if it's necessary. Spread environmental awareness.

SMTP settings

SMTP hostname
SMTP hostname used in HELO and SMTP banner strings. Default hostname: Sophos.
Note Applicable only to system-generated notification emails.
Don't scan emails greater than
Maximum file size (KB) for scanning. Files received over SMTP/S that exceed this size won't be scanned. 0 sets the file size limit to 51,200 KB.
Action for oversize emails
Action for emails that exceed the specified size.

Name

Description

Accept

Forwards to the recipient without scanning.

Reject Rejects the email and notifies the sender.
Drop Drops the email without notifying the sender.
Bypass spam check for SMTP/S authenticated connections
Bypasses spam check for emails received over SMTP/S connections that are authenticated by the mail server.
Verify sender's IP reputation
Verifies reputation of sender’s IP address. Specify action for spam and probable spam.
Note XG Firewall checks the sender's IP reputation before the spam checks specified in the SMTP policy.
Accept Scans and forwards to recipient
Reject Rejects the email and notifies the sender.
Drop Drops the email without notifying the sender.
SMTP DoS settings
Protect the network from SMTP denial-of-service attacks.

Settings

Description

Acceptable range

Maximum connections Connections that can be established with mail server. 1 to 20000
Maximum connections/host Connections allowed from a host to mail server. 1 to 10000
Maximum emails/connection

Emails that can be sent over a connection

1 to 1000

Maximum recipients/email Recipients of a single email 1 to 256
Emails rate Emails from a host in a minute 1 to 20000
Connections rate Connections from a host to the mail server in a second 1 to 20000

POP/S and IMAP/S settings

Don't scan emails greater than
Maximum email size (in KB) for scanning. Emails received over POP/IMAP that exceed this size won't be scanned. 0 sets the size limit to 10,240 KB.
Recipient headers
Header values scanned to detect the recipients specified in POP/IMAP policies. Default: Delivered-To, Received, X-RCPT-TO

SMTP TLS configuration

Specify the settings to secure SMTP traffic.

TLS certificate
CA certificate or server certificate to scan SMTP traffic over SSL.
Allow invalid certificate
Select to allow SMTP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check-box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.
Require TLS negotiation
Select remote hosts (mail servers) or networks to enforce TLS encryption on their connections. XG Firewall will initiate TLS-secured connections for emails sent to the selected hosts or networks. You can specify up to 512 host entries.
Note If TLS is enforced but a connection can't be established, XG Firewall discards emails to the specified remote host or network.
Require sender email domains
Specify the sender domain to enforce TLS encryption on email connections. You can specify up to 512 host entries.
Note If TLS is enforced but a connection can't be established, XG Firewall discards emails from these sender domains.
Skip TLS negotiation
Select the remote hosts (mail servers) or networks to skip TLS encryption on their connections. XG Firewall establishes unencrypted SMTP connections to these hosts. You can specify up to 512 host entries.

POP and IMAP TLS configuration

Specify the settings to secure POP/IMAP traffic.

TLS certificate
CA certificate to scan POP and IMAP traffic over SSL.
Allow invalid certificate
Select to allow POP and IMAP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check-box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.

Email journaling

You can store incoming emails of one or more recipients and forward these emails to administrators.
  • To add an email journal, click Add.

Spam check exceptions

Domain name
Enter the domains for which you want to skip spam checks.

Malware protection

Malware protection is available in Sophos Firewall XG 105, Cyberoam CR500iNG, Sophos UTM SG105, and later models.

XG Firewall offers scanning by two antivirus engines.

Primary antivirus engine

Select the primary antivirus engine to scan traffic from the following options:

  • Sophos
  • Avira. If you select this, XG Firewall will turn off Sandstorm in SMTP policies with single antivirus scan.
Note If you've selected dual antivirus in the SMTP policy, the primary engine scans traffic first, and then the secondary engine scans traffic. If you've selected single antivirus, only the primary engine scans traffic.