Skip to content

Encrypt outbound emails in MTA mode

Configure Sophos Firewall to encrypt outbound emails to secure confidential financial data.


This example shows how to encrypt emails containing confidential data sent from your mail server hosted in the DMZ. Sophos Firewall is in MTA mode.

We show the following example settings:

  • IP hosts and certificate for the mail servers. This example uses static servers. If you use MX records, the mail server's MX record must point to the WAN interface of Sophos Firewall.
  • SMTP relay for the mail servers.
  • SMTP TLS settings.
  • Data control list to protect financial information.
  • SPX encryption template.
  • Email domain as an address group.
  • SMTP route and scan policy.

When Sophos Firewall finds protected data in emails, it sends an email to mail recipients asking them to register a password. After recipients register a password, Sophos Firewall encrypts the email using the password and then sends the email to the recipients.

Mail servers network diagram

Configure mail server hosts and certificate

Create IP hosts for the mail servers. Upload the mail server certificate.

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name.
  3. Set Type to IP.
  4. Enter the IP address.
  5. Create another IP host for the second server. Alternatively, use an IP range or IP list to create a single host for all the mail servers.

    Here's an example of how to create an IP host for the mail server:

    IP host for mail server

  6. Go to Certificates > Certificates and click Add.

  7. Select Upload certificate.
  8. Enter a name.
  9. Upload the Certificate and Private key files.

    Here's an example:

    Upload the mail server certificate

Allow outbound emails

Turn on SMTP relay for the DMZ zone and specify the relay settings for the mail servers. Sophos Firewall then relays outbound mails from your mail servers to the internet.

  1. Go to Administration > Device access.
  2. Under SMTP relay, select DMZ.

    Allow SMTP relay

  3. Go to Email, hover over the more button, and click Relay settings.

    Relay settings menu

  4. Go to Host-based relay.

  5. Under Allow relay from hosts/networks, select the mail servers.

    Here's an example:

    Add mail servers to allow relay

  6. Click Apply.

Configure SMTP security settings

Configure the SMTP and TLS settings.

  1. Under SMTP settings, for SMTP hostname, enter the outgoing mail server's name.
  2. Select Reject based on IP reputation.
  3. Select SMTP DoS settings.

    Here's an example:

    SMTP settings

  4. Under SMTP TLS configuration, for TLS certificate, select the mail server certificate.

    You can upload the mail server certificate on Certificates > Certificates > Upload certificate.

  5. Clear the check box Allow invalid certificate.

    TLS certificate

  6. Under Advanced SMTP settings, select Scan outgoing mails.

    Scan outgoing emails

Add a data control list

Select the data you want to control in emails. This example shows the protection settings for financial data.

  1. Go to Email > Data control list and click Add.
  2. Enter a name.
  3. For CCLs (Control control list), set Type to Financial data.
  4. Select the required items from the list. Scroll down to see the full list.

    Here's an example:

    Financial data control list

  5. Click Save.

Create an SPX template

Configure an SPX encryption template and specify the SPX portal settings. The SPX portal allows users to reply to emails securely.

  1. Go to Email > Encryption > SPX templates and click Add.
  2. Set Password type to Specified by recipient.

    SPX password type

  3. Select Enable SPX reply portal.

  4. Select Include original body into reply.

    SPX portal settings

  5. Click Save.

Add an address group

Create an address group for the email domain.

  1. Go to Email > Address group and click Add.
  2. Check if Group type is set to Email address/domain.
  3. Check if Type is set to Manual.
  4. For Email address/domain, enter your email domain and click the add button. Here, we use

    Here's an example:

    Add email domain to address group

  5. Click Save.

Add an SMTP route and scan policy

Configure an SMTP route and scan policy specifying the data control list and an SPX template for the list.

  1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  2. Under Protected domain, select the address group you configured.
  3. Set Route by to Static host.
  4. Under Host list, select the mail servers you've configured.

    Here's an example:

    Email domains and routing servers

  5. Turn on Data protection.

    Here's an example:

    Data protection

  6. Click Save.