Skip to content

Configure email protection in MTA mode

You can configure the settings to route and protect emails in MTA mode.

Protect email servers in MTA mode: Network diagram

In MTA mode, Sophos Firewall routes emails between your mail servers and the internet. When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend that you keep this rule at the top of the firewall rule table.

The mail servers' MX record must point to the WAN interface of Sophos Firewall.

In this example, we do as follows:

  • Enforce TLS and other security settings for incoming and outgoing emails.
  • Add an address group.
  • Allow and protect inbound emails.
  • Allow outbound emails.

Network diagram for internal mail servers

Configure SMTP security settings

Configure the SMTP and TLS settings.

  1. Go to Email > General settings and click Switch to MTA mode.


    When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend you keep this rule at the top of the firewall rule table.

  2. Under SMTP settings, for SMTP hostname, enter your domain name (example: Don't enter your mail server's hostname. The firewall uses the SMTP hostname in HELO and SMTP banner strings.


    The SMTP hostname only applies to system-generated notification emails.

  3. Select Reject based on IP reputation.

  4. Go to Certificates > Certificates > Upload certificate and upload your mail server's certificate.


    We recommend you use a certificate signed by a public CA to ensure remote mail servers accept the certificate.

  5. Go to SMTP TLS configuration, for TLS certificate, and select your mail server certificate.

  6. Under Advanced SMTP settings, select Scan outgoing mails.

    Scan outgoing emails

  7. Click Apply.

Add an address group

Create an address group for your organization's email domain.

  1. Go to Email > Address group and click Add.
  2. Check if Group type is set to Email address/domain.
  3. Check if Type is set to Manual.
  4. For Email address/domain, enter your email domain and click the add button. Here, we use

    Here's an example:

    Add email domain to address group

  5. Click Save.

Allow and protect inbound emails

You configure Sophos Firewall to allow inbound emails to the email domain

You allow Sophos Firewall to relay SMTP traffic. You create an SMTP route and scan policy to forward emails to the internal mail servers. This example uses mail servers with static IP addresses in the DMZ. You also specify the basic security settings.

  1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  2. Under Protected domain, select the address group you configured.
  3. Set Route by to Static host.
  4. Under Host list, select the mail servers you've configured.

    You can configure IP hosts for mail servers on Hosts and services > IP host.

    Here's an example of how to select the protected domains and mail servers:

    Email domains and routing servers

  5. Turn on Spam protection.

    Spam protection

  6. Turn on Malware protection

    Malware protection

  7. Click Save.

  8. Go to Administration > Device access.
  9. Under SMTP relay, select WAN to allow mail relay for inbound emails.

    Allow SMTP relay for inbound emails

  10. Click Apply.

Allow outbound emails

Turn on the SMTP relay for the DMZ zone and specify the relay settings for the mail servers. Sophos Firewall then relays outbound mail from your mail servers to the internet.

  1. Go to Administration > Device access.
  2. Under SMTP relay, select DMZ.

    Allow SMTP relay

  3. Go to Email, hover over the more button, and click Relay settings.

    Relay settings menu

  4. Go to Host-based relay.

  5. Under Allow relay from hosts/networks, select the mail servers.

    Here's an example:

    Add mail servers to allow relay

  6. Click Apply.

More resources