General settings

With general settings, you can turn XG Firewall into a mail transfer agent (MTA) or a transparent mail proxy.

Note MTA mode is available only with the following models and higher: XG105, Cyberoam CR25iNG, SG105.

SMTP deployment mode

To switch between MTA and legacy modes, click the button.

In MTA mode, XG Firewall routes and protects emails of protected domains on more than one mail server. You can specify inbound and outbound mail relay, and configure encryption and quarantine settings. You can also view the cause of delay in email delivery and view mail logs.

Note When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend that you keep this rule at the top of the firewall rule table.

In legacy mode (transparent mail proxy), you can specify policies to protect emails from spam, malware, and data leakage. You can also specify encryption settings.

Note If you've migrated from CyberoamOS or SFOS v15 to SFOS v16, legacy mode is automatically enabled.

Outbound banner settings

Email banner mode
The method of adding a banner to outgoing emails.
Note To add a banner, you must select SMTP and SMTPS scanning in firewall rules.
Email banner
Text added to outgoing emails.
Note You can only add text banners.

Example:

This email contains confidential information. You are not authorized to copy the contents without the sender's consent. Print this email only if it's necessary. Spread environmental awareness.

Note If you add a banner to outbound emails, it modifies the email body. The modification breaks the DKIM hash, which results in DKIM verification failure at the recipient MTA.

SMTP settings

SMTP hostname
SMTP hostname used in HELO and SMTP banner strings. Default hostname: Sophos.
Don't scan emails greater than
Maximum file size (KB) for scanning. Files received over SMTP/S that exceed this size won't be scanned. 0 sets the file size limit to 51,200 KB.
Action for oversize emails
Action for emails that exceed the specified size.

Name

Description
Accept

Forwards to the recipient without scanning.
Reject Rejects the email and notifies the sender.
Drop Drops the email without notifying the sender.
Reject based on IP reputation
Reject emails with bad sender IP reputation.
Note XG Firewall checks the sender's IP reputation before the spam checks specified in the SMTP policy.
SMTP DoS settings
Protect the network from SMTP denial-of-service attacks.

Settings

Description

Acceptable range
Maximum connections

Connections with the mail server. Automatically set to a maximum value based on RAM and processor capacity.
Maximum connections/host

Connections from a host to the mail server. Automatically set to a maximum value based on RAM and processor capacity.
Maximum emails/connection

Emails that can be sent over a connection.

1 to 1000
Maximum recipients/email Recipients of a single email.

1 to 512
Emails rate Emails from a host in a minute.

1 to 1000
Connections rate Connections from a host to the mail server in a second.

1 to 100
Note When you upgrade to SFOS 17.5 or later, XG Firewall migrates the specified values of email rate and connection rate, if they are within the acceptable range. If the values exceed the maximum limit, it automatically sets them to the default value.

POP/S and IMAP/S settings

Don't scan emails greater than
Maximum email size (in KB) for scanning. Emails received over POP/IMAP that exceed this size won't be scanned. 0 sets the size limit to 10,240 KB.
Recipient headers
Header values scanned to detect the recipients specified in POP/IMAP policies. Default: Delivered-To, Received, X-RCPT-TO

Ports

XG Firewall uses the following standard ports for emails:

  • SMTP: Port 25
  • SMTPS: Port 465
  • POP3: Connection upgraded to SSL/TLS using STARTTLS extension on port 110
  • POP3S: SSL/TLS over POP3 on port 995
  • IMAP: Connection upgraded to SSL/TLS using STARTTLS extension on port 143
  • IMAPS: SSL/TLS over POP3 on port 993

STARTTLS upgrades unsecured POP3/IMAP connections to SSL/TLS sessions on the same port.

Note You can also configure email scanning for ports other than the standard ports 25, 587, and 465.

SMTP TLS configuration

Specify the settings to secure SMTP traffic.

TLS certificate
CA certificate or server certificate to scan SMTP traffic over SSL.
Allow invalid certificate
Select to allow SMTP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check-box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.
Require TLS negotiation
Select remote hosts (mail servers) or networks to enforce TLS encryption on their connections. XG Firewall will initiate TLS-secured connections for emails sent to the selected hosts or networks. You can specify up to 512 host entries.
Note If TLS is enforced but a connection can't be established, XG Firewall discards emails to the specified remote host or network.
Require sender email domains
Specify the sender domain to enforce TLS encryption on email connections. You can specify up to 512 host entries.
Note If TLS is enforced but a connection can't be established, XG Firewall discards emails from these sender domains.
Skip TLS negotiation
Select the remote hosts (mail servers) or networks to skip TLS encryption on their connections. XG Firewall establishes unencrypted SMTP connections to these hosts. You can specify up to 512 host entries.

POP and IMAP TLS configuration

Specify the settings to secure POP/IMAP traffic.

TLS certificate
CA certificate to scan POP and IMAP traffic over SSL.
Allow invalid certificate
Select to allow POP and IMAP traffic over SSL connections with an invalid certificate from the mail server. To reject such connections, clear the check-box.
Disable legacy TLS protocols
Select to turn off protocols earlier than TLS 1.1.
Note To overcome TLS vulnerabilities, we recommend that you turn off legacy TLS protocols.

Blocked senders

Enter the email addresses to be blocked.

Malware protection

Malware protection is available in Sophos Firewall XG 105, Cyberoam CR500iNG, Sophos UTM SG105, and later models.

XG Firewall offers scanning by two antivirus engines.

Primary antivirus engine

Select the primary antivirus engine to scan traffic from the following options:

  • Sophos
  • Avira. If you select this, XG Firewall will turn off Sandstorm in SMTP policies with single antivirus scan.
Note If you've selected dual antivirus in the SMTP policy, the primary engine scans traffic first, and then the secondary engine scans traffic. If you've selected single antivirus, only the primary engine scans traffic.

Smarthost settings

Smarthost is an MTA that acts as an intermediate server between the sender's and recipient's mail servers. Select smarthost settings to route outbound emails through the specified server.
Hostname
Select the smarthost.
Note Don't specify the interface IP address of XG Firewall for the smarthost. It will cause a routing loop.
Port
Enter the port number. Default: 25
Authenticate device with smarthost
Select if you want XG Firewall to authenticate the smarthost before routing emails. Enter the sign-in credentials.
Note XG Firewall supports PLAIN and LOGIN authentication protocols.

DKIM verification

With DKIM, you can validate the source domain name and message integrity through cryptographic authentication, preventing email spoofing. You can apply DKIM verification to inbound emails.

When you turn on DKIM verification, XG Firewall looks up the public key in the sending domain's TXT record to verify the DKIM signature.

Table 1. Verification outcome

Settings

Description

DKIM verification failed

There was a body hash mismatch with the signature, indicating email body modification in transit. Alternatively, XG Firewall couldn't verify the signature, indicating a forged signature or header modification.

Invalid DKIM signature

XG Firewall couldn't find the sending domain's public key in the TXT record or found invalid public key syntax.

No DKIM signature found

The email doesn't have a DKIM signature for this domain.
Note XG Firewall quarantines DKIM-signed emails that use RSA SHA-1 or have key length less than 1024 or more than 2048 bits.

Select the action for the verification outcome:

  • Accept: Forwards to recipient
  • Quarantine: Quarantines emails
  • Reject: Discards emails

DKIM signing

XG Firewall adds a digital signature to the headers of outbound emails, using the domain name, selector, and the private RSA key that you specify. Destination servers use the public key in the domain's TXT records to verify the signature, to validate the domain and make sure that the email has not been modified in transit.

For instructions on how to add a DKIM signature, see Add a DKIM signature.

Advanced SMTP settings

Reject invalid HELO or missing RDNS
Select to reject emails from hosts that send invalid HELO/EHLO arguments or lack RDNS records.
Do strict RDNS checks
Select to reject emails from hosts with invalid RDNS records.
Note An RDNS record is invalid if the hostname doesn't resolve back to the source IP address.
Scan outgoing mails
Select to scan outgoing emails. Quarantines spam and malware-infected emails.
Route inbound mail through gateway

Select to use the original firewall rule to route inbound mail (from external and internal senders) to your mail servers. By default, XG Firewall routes only outbound mail.

Use the setting in these cases:

  • To route inbound mail to mail servers (on-premise or hosted) in the WAN zone.
  • To apply the original firewall rule settings when forwarding inbound mail to mail servers in LAN or DMZ.
  • To maintain your IP reputation when you load balance traffic among ISP links. XG Firewall will apply the gateway settings specified in the original firewall rule.
BATV secret

Enter a secret for Bounce Address Tag Validation (BATV). If you have more than one MX record for your domains, you can specify the same BATV secret for all the systems.

XG Firewall generates the BATV signature, using this secret, the time stamp, and the sender's email address. It replaces the envelope sender address with the signature in outbound emails, which enables it to identify bounced emails with forged return addresses.

Signature format: prvs=<tagvalue>=<sender's email address>

Once you enter the secret, you can apply the BATV check in SMTP route and scan policies.