Configure protection for cloud-hosted mail server

Configure Sophos Firewall to route emails through a cloud-hosted mail server.

Cloud-hosted mail server: Network diagram

This example shows a mail server hosted in the cloud and how to configure email settings and an SMTP route and scan policy.

Prerequisites:

  • Point the mail server's MX record to Sophos Firewall.
  • Configure the mail server to allow email relay with Sophos Firewall.

Network diagram for cloud-hosted mail server

Configure the email mode and mail server host

  1. Go to Email > General settings and verify that the firewall uses the MTA (Mail Transfer Agent) mode.
    Email SMTP deployment mode set to MTA
  2. Go to Rules and policies and verify that the default firewall rule named Auto added firewall policy for MTA exists.

    If the rule doesn't exist, go to Email > General settings, click Switch to legacy mode, and then click Switch to MTA mode to create the default firewall rule.

    Automatically added firewall rule for MTA mode
  3. Go to Hosts and services > IP host and create an IP host for the mail server.
    Here's an example:

    Create an IP host for the mail server
  4. Upload the mail server certificate as follows:
    1. Go to Certificates > Certificates and click Add.
    2. Select Upload certificate.
    3. Enter a name.
    4. Upload the Certificate and Private key files.

      Here's an example:


      Upload the mail server certificate

Allow outbound emails

Turn on SMTP relay for the WAN zone and specify the relay settings for the mail servers. Sophos Firewall then relays outbound emails from your mail servers to the internet.
  1. Go to Administration > Device access.
  2. Under SMTP relay, select WAN.

    Allow SMTP relay
  3. Go to Email, hover over the more button, and click Relay settings.

    Relay settings menu
  4. Go to Host-based relay.
  5. Under Allow relay from hosts/networks, select the mail server.
    Here's an example:

    Add the mail server to allow email relay
  6. Click Apply.

Configure SMTP security settings

Configure the SMTP and TLS settings.
  1. Under SMTP settings, for SMTP hostname, enter the outgoing mail server's name.
  2. Select Reject based on IP reputation.
  3. Select SMTP DoS settings.

    Here's an example:


    SMTP settings
  4. Under SMTP TLS configuration, for TLS certificate, select the mail server certificate.

    You can upload the mail server certificate on Certificates > Certificates > Upload certificate.

  5. Clear the check box Allow invalid certificate.

    TLS certificate
  6. Under Advanced SMTP settings, select Scan outgoing mails.

    Scan outgoing emails

Add an SMTP route and scan policy

  1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  2. Under Protected domain, click Create new and create an address group for the mail server's domain name.
  3. Set Route by to MX.

    Create an MX record pointing to your mail server for the protected domain.

    Here's an example:

    Email domains and routing servers
  4. Turn on Spam protection.

    Spam protection
  5. Turn on Malware protection

    Malware protection
  6. Click Save.