Configuring email protection in MTA mode

The example shows how to configure the settings to route and protect emails.

Introduction

In MTA mode, XG Firewall routes emails between the mail server and the internet: it accepts inbound mail for your domain from the internet and forwards it to your mail server, and it relays your mail server's outbound mail to the internet. When you turn on MTA mode, XG Firewall automatically creates a firewall rule that allows SMTP/SMTPS traffic. Keep this rule at the top of the firewall rule table: rules are matched top-down, so a more general rule placed above it could match the mail traffic first and bypass it.

In this example, you configure the settings to do as follows:
  • Allow and protect inbound emails.
  • Allow outbound emails.
  • Enforce TLS and other security settings for incoming and outgoing emails.

Allow and protect inbound emails

The example shows how to allow inbound emails to your email domain @mycompany.com.

You allow XG Firewall to accept SMTP connections on the WAN zone, then create an SMTP route and scan policy that forwards mail for the protected domain to the internal mail server. For inbound mail to reach XG Firewall at all, your domain's MX record must point to the WAN address of the firewall. This example uses a mail server with a static IP address in the DMZ zone. You also specify the basic security settings.

  1. Go to Email > General settings and click Switch to MTA mode.
  2. Go to Administration > Device access. Turn on WAN access for SMTP relay. This lets internet senders connect to XG Firewall on the SMTP port; it doesn't make the firewall an open relay, because mail for domains other than the protected domain is relayed only for the hosts you list under Email > Relay settings.
  3. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  4. Specify the following settings:

     Setting             Value                   Description
     Protected domain    mycompany_com           The email domain protected by XG Firewall (@mycompany.com).
     Route by            Static host             How XG Firewall finds the mail server for the protected domain. With Static host, it forwards to the host you select instead of looking up the domain's MX record in DNS.
     Host list           Internal_Mail_Server    The mail server with a static IP address in the DMZ.
     Spam protection     On                      Optional, but recommended.
     Malware protection  On                      Optional, but recommended.

     Screenshot: Forward inbound mail destined to the protected domain to the internal mail server
  5. Click Save.

Allow outbound emails

You configure XG Firewall to relay outbound emails from your mail server to the internet.

In MTA mode, XG Firewall performs antivirus scanning on all outbound emails even if you don't specify scanning in the SMTP policy or firewall rule. The file types you specify in Email > File type can't be blocked for outbound emails; that control applies to inbound mail only.

  1. Go to Email > General settings and click Switch to MTA mode (skip this if you've already done it for inbound emails).
  2. Go to Administration > Device access. Turn on WAN access for SMTP relay.
  3. Go to Email > Relay settings. Under Host-based relay, select the internal mail server.

    XG Firewall relays emails from the internal mail server to the internet. Only the hosts you list here can send mail through XG Firewall to external domains, so list the mail server itself and not whole networks or internet-facing ranges; otherwise the firewall becomes an open relay.

    Screenshot: Allow SMTP relay
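The two procedures above together define a relay policy: mail addressed to the protected domain is accepted from anyone and forwarded to the internal mail server, while mail for any other domain is relayed only for hosts on the host-based relay list. The following is an added example, not Sophos code, that probes an MTA for exactly that behaviour without sending a message. To run offline it includes a tiny in-process ESMTP responder that stands in for the firewall; the DMZ address 10.10.10.25 for Internal_Mail_Server and the `client_ip` test hook are assumptions made here. `probe_relay()` works unchanged against a real port 25 listener.

```python
"""Relay-policy probe for an MTA protecting mycompany.com (added example, not Sophos code)."""
import smtplib
import socket
import threading

PROTECTED_DOMAINS = {"mycompany.com"}  # protected domain from the SMTP route and scan policy
RELAY_HOSTS = {"10.10.10.25"}          # assumed DMZ IP of Internal_Mail_Server (host-based relay list)


def relay_decision(client_ip, rcpt):
    """Reply (code, text) an MTA with the policy above should give to RCPT TO."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in PROTECTED_DOMAINS:
        return 250, "2.1.5 OK, inbound for protected domain"
    if client_ip in RELAY_HOSTS:
        return 250, "2.1.5 OK, relay for host on relay list"
    return 554, "5.7.1 Relay access denied"


def _serve(conn, client_ip):
    """Minimal ESMTP dialogue: EHLO/HELO, MAIL, RCPT, RSET, NOOP, QUIT."""
    conn.sendall(b"220 mail.mycompany.com ESMTP\r\n")
    with conn.makefile("rb") as rfile:
        for raw in rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250-mail.mycompany.com\r\n250 SIZE 10485760\r\n")
            elif line.upper().startswith("MAIL FROM:"):
                conn.sendall(b"250 2.1.0 OK\r\n")
            elif line.upper().startswith("RCPT TO:"):
                rcpt = line.split(":", 1)[1].strip().strip("<>")
                code, text = relay_decision(client_ip, rcpt)
                conn.sendall(f"{code} {text}\r\n".encode("ascii"))
            elif verb in ("RSET", "NOOP"):
                conn.sendall(b"250 2.0.0 OK\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.1 Command not implemented\r\n")
    conn.close()


def start_mock_mta(client_ip):
    """Listen on 127.0.0.1 and return the port. client_ip is a test hook: the mock
    pretends every connection comes from that address, where a real MTA would
    use the TCP peer address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _peer = srv.accept()
            try:
                _serve(conn, client_ip)
            except OSError:
                pass

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def probe_relay(host, port, mail_from, rcpt_to):
    """Return the RCPT TO reply code the MTA gives for mail_from -> rcpt_to.
    The envelope is reset afterwards, so nothing is queued or delivered."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("probe.example.net")
        code, _ = s.mail(mail_from)
        if code != 250:
            return code
        code, _ = s.rcpt(rcpt_to)
        s.rset()
        return code


if __name__ == "__main__":
    # Constructed scenario 1: an internet sender (203.0.113.7 is a documentation address).
    port = start_mock_mta(client_ip="203.0.113.7")
    print("internet -> protected domain:", probe_relay("127.0.0.1", port, "bob@example.net", "alice@mycompany.com"))
    print("internet -> external domain:", probe_relay("127.0.0.1", port, "bob@example.net", "carol@example.org"))
    # Constructed scenario 2: the internal mail server sending outbound mail.
    port = start_mock_mta(client_ip="10.10.10.25")
    print("mail server -> external domain:", probe_relay("127.0.0.1", port, "alice@mycompany.com", "carol@example.org"))
```

Run the second probe from a host outside the relay list against the firewall's WAN address after the configuration above: a 250 there means outbound relay is open to that host and the host-based relay list needs tightening.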

Configure SMTP security settings

SMTP security settings are optional, but we recommend that you configure at least these basic settings.

In this example, you select the IP reputation, DoS, TLS, and scanning settings.
  1. Go to Email > General settings and specify the following SMTP settings:
    • SMTP hostname: the fully qualified name XG Firewall announces in its SMTP banner and HELO. It should resolve to the firewall's WAN address and match the name in the TLS certificate you select in the next step.
    • Reject based on IP reputation: rejects connections from sending hosts with a poor reputation before any message is accepted.
    • SMTP DoS settings: limits connections and message rates so a flood of SMTP sessions can't exhaust the firewall.

    Screenshot: SMTP settings
  2. Under SMTP TLS configuration, for TLS certificate, select the default CA certificate. Alternatively, you can upload and select a third-party certificate. The default certificate is self-signed: sending MTAs will still negotiate STARTTLS with it, but they can't verify it, so if partner domains verify certificates or you enforce TLS for specific domains, use a certificate issued by a public CA for the SMTP hostname.

    Screenshot: Configure TLS settings
  3. Under Advanced SMTP settings, make sure Scan outgoing mails is selected, so that mail relayed from the internal mail server is scanned before it leaves your network.

    Screenshot: Scan outgoing emails