
Configure email protection in MTA mode

You can configure the settings to route and protect emails in MTA mode.

Protect email servers in MTA mode: Network diagram

In MTA mode, Sophos Firewall routes emails between your mail servers and the internet. When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic. We recommend that you keep this rule at the top of the firewall rule table.

The mail servers' MX record must point to the WAN interface of Sophos Firewall.

In this example, we configure the settings for the following:

  • Allow outbound emails.
  • Allow and protect inbound emails.
  • Enforce TLS and other security settings for incoming and outgoing emails.

Network diagram for internal mail servers

Allow outbound emails

Turn on SMTP relay for the DMZ zone and specify the relay settings for the mail servers. Sophos Firewall then relays outbound mails from your mail servers to the internet.

  1. Go to Administration > Device access.
  2. Under SMTP relay, select DMZ.

    Allow SMTP relay

  3. Go to Email, hover over the more button, and click Relay settings.

    Relay settings menu

  4. Go to Host-based relay.

  5. Under Allow relay from hosts/networks, select the mail servers.

    Here's an example:

    Add mail servers to allow relay

  6. Click Apply.

Add an address group

Create an address group for your organization's email domain.

  1. Go to Email > Address group and click Add.
  2. Check if Group type is set to Email address/domain.
  3. Check if Type is set to Manual.
  4. For Email address/domain, enter your email domain and click the add button. Here, we use

    Here's an example:

    Add email domain to address group

  5. Click Save.

Allow and protect inbound emails

You configure Sophos Firewall to allow inbound emails to the email domain

You allow Sophos Firewall to relay SMTP traffic. You create an SMTP route and scan policy to forward emails to the internal mail servers. This example uses mail servers with static IP addresses in the DMZ. You also specify the basic security settings.

  1. Go to Email > General settings and click Switch to MTA mode.
  2. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  3. Under Protected domain, select the address group you configured.
  4. Set Route by to Static host.
  5. Under Host list, select the mail servers you've configured.

    You can configure IP hosts for mail servers on Hosts and services > IP host.

    Here's an example of how to select the protected domains and mail servers:

    Email domains and routing servers

  6. Turn on Spam protection.

    Spam protection

  7. Turn on Malware protection.

    Malware protection

  8. Click Save.

  9. Go to Administration > Device access.
  10. Under SMTP relay, select WAN to allow mail relay for inbound emails.

    Allow SMTP relay for inbound emails

  11. Click Apply.

Configure SMTP security settings

Configure the SMTP and TLS settings.

  1. Under SMTP settings, for SMTP hostname, enter the outgoing mail server's name.
  2. Select Reject based on IP reputation.
  3. Select SMTP DoS settings.

    Here's an example:

    SMTP settings

  4. Under SMTP TLS configuration, for TLS certificate, select the mail server certificate.

    You can upload the mail server certificate on Certificates > Certificates > Upload certificate.

  5. Clear the check box Allow invalid certificate.

    TLS certificate

  6. Under Advanced SMTP settings, select Scan outgoing mails.

    Scan outgoing emails
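The steps above are all configured in the firewall's web admin console, so the useful thing to add is an external check that the result matches the intent: the MX records of the protected domain point at the firewall's WAN interface, only the DMZ mail servers are on the relay allow list, and the WAN SMTP listener offers STARTTLS with a certificate that actually validates once "Allow invalid certificate" is cleared. The following Python script is an added example, not Sophos code and not part of this page; the host names, addresses and DMZ range in it are constructed placeholders, and the live STARTTLS check only runs when the script is executed directly.

```python
"""Post-configuration checks for a Sophos Firewall running in MTA mode.

Added example, not Sophos code. It verifies from the outside the points this
page configures: every MX record of the protected domain resolves to the
firewall's WAN address, only DMZ mail servers may relay through the firewall,
and the WAN SMTP listener offers STARTTLS with a certificate that validates.
"""
import ipaddress
import smtplib
import ssl


def mx_points_to_firewall(mx_records, wan_ips):
    """Return a list of problems for MX hosts that do not resolve to the WAN IPs.

    mx_records: iterable of (preference, hostname, [resolved IP strings]).
    wan_ips:    set of the firewall's WAN addresses.
    Resolve the MX hosts yourself (e.g. socket.getaddrinfo) and pass the
    results in; keeping resolution outside makes the check testable offline.
    """
    problems = []
    for preference, host, addresses in sorted(mx_records):
        stray = [ip for ip in addresses if ip not in wan_ips]
        if stray:
            problems.append(
                f"MX {host} (preference {preference}) resolves to non-firewall "
                f"address(es): {', '.join(stray)}"
            )
    return problems


def relay_hosts_outside_dmz(relay_hosts, dmz_network):
    """Return the relay-allowed hosts that do not sit inside the DMZ network.

    The page enables SMTP relay for the DMZ zone and then lists the mail
    servers under 'Allow relay from hosts/networks'; a host outside the DMZ
    in that list widens relay scope beyond what the page intends.
    """
    dmz = ipaddress.ip_network(dmz_network, strict=False)
    return [h for h in relay_hosts if ipaddress.ip_address(h) not in dmz]


def parse_ehlo_extensions(ehlo_reply):
    """Parse the bytes returned by smtplib.SMTP.ehlo()[1] into a set of keywords.

    The first line of the reply is the server greeting; each later line starts
    with an extension keyword (SIZE, STARTTLS, 8BITMIME, ...).
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def check_starttls(host, port=25, timeout=10):
    """Connect to the WAN SMTP listener and report STARTTLS and certificate validity.

    ssl.create_default_context() verifies the chain against the system trust
    store and checks the host name, so a self-signed or mismatched certificate
    on the firewall is reported instead of silently accepted.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, reply = smtp.ehlo()
        if "STARTTLS" not in parse_ehlo_extensions(reply):
            return {"starttls": False, "cert_ok": False, "reason": "STARTTLS not advertised"}
        try:
            smtp.starttls(context=context)
        except ssl.SSLCertVerificationError as exc:
            return {"starttls": True, "cert_ok": False, "reason": str(exc)}
        subject = smtp.sock.getpeercert().get("subject")
        return {"starttls": True, "cert_ok": True, "subject": subject}


if __name__ == "__main__":
    # Constructed sample data; addresses, names and the DMZ range are hypothetical.
    wan = {"203.0.113.10"}
    mx = [
        (10, "mx1.example.com", ["203.0.113.10"]),
        (20, "mx2.example.com", ["198.51.100.7"]),  # stale MX that bypasses the firewall
    ]
    for problem in mx_points_to_firewall(mx, wan):
        print("MX:", problem)
    for stray in relay_hosts_outside_dmz(["10.10.0.5", "10.10.0.6", "192.168.1.20"], "10.10.0.0/24"):
        print("Relay host outside DMZ:", stray)
    # Live check against the firewall's WAN SMTP listener (hypothetical host name).
    try:
        print("STARTTLS:", check_starttls("mail.example.com"))
    except OSError as exc:
        print("STARTTLS check could not connect:", exc)
```

Run it after the MTA-mode configuration is saved: a second MX record still pointing at the old mail server, a relay host outside the DMZ, or a certificate verification error from the firewall's listener each indicates that mail is not flowing through the protection path this page sets up.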
