Skip to content

Add an SMTP route and scan policy (MTA mode)

You can specify routing and encryption settings for more than one domain on your internal mail servers. You can apply spam and malware checks and specify settings for data and file protection.

  1. Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
  2. Enter a name.
  3. Specify the Domains and routing target details.

    Option Description
    Protected domain Add the domains you want to protect for inbound, outbound, and internal emails.
    Note: You can't specify email addresses. For existing and migrated email addresses, Sophos Firewall will continue to apply the specified settings, but you can't edit these addresses.
    Route by

    Select the mail server to forward the emails to:

    • Static host: From Host list, select the static IP addresses of internal mail servers.
      Note: If the first host in the selected list is unreachable, Sophos Firewall forwards emails to the next host until it reaches the end of the list.
    • DNS host: Select and specify the DNS hostname, for example,
      Note: For a DNS name with multiple A records, Sophos Firewall delivers emails randomly to each server. If a server fails, the firewall automatically routes emails to the other servers.
    • MX: Select to route emails based on MX records.
    Global action Action to take for emails related to protected domains.
    Accept: Accepts email.
    Reject: Rejects the email and notifies the sender.
    SPX template Select an encryption template for outbound emails. Sophos Firewall then encrypts all outbound emails from the domains you've selected.
  4. Turn on Spam protection.

    Option Description
    Check for inbound spam

    Select to check for spam in inbound emails.

    For Action for spam, Action for probable spam, and Action for bulk mail, select one of the following actions:

    • None: Delivers the emails to the recipient as is.
    • Warn: Delivers the emails to the recipient after adding a prefix to the subject. Specify the prefix subject in Prefix subject for spam and Prefix subject for bulk mail.
    • Quarantine: Quarantines the emails to SMTP quarantine. See SMTP quarantine.
    • Drop: Drops the emails without notifying the sender.

    Note: These actions don't apply to SPF and RBL checks. If these checks fail, Sophos Firewall rejects the emails.

    Use greylisting Select if you want to temporarily reject inbound emails from IP addresses of unknown mail servers.
    Note: Legitimate servers retry sending the rejected emails at regular intervals. Sophos Firewall accepts these emails, greylisting the sender's IP address for a specific duration.
    Reject based on BATV Make sure that you've entered the BATV secret in general settings. The secret is used to create the BATV signature.
    Sophos Firewall matches the recipient address in bounced emails with the BATV signature, rejecting emails with an invalid return address or expired signature. This protects recipients from bounced emails with forged return addresses.
    BATV signatures expire in seven days.
    Reject based on SPF With Sender Policy Framework (SPF), Sophos Firewall verifies the IP address of the sender's authorized mail server in DNS records and rejects emails from unauthorized servers.
    Reject based on RBL Select the RBL services to reject emails from sender IP addresses in these lists.
    Recipient verification
    • Off
    • With callout: Checks recipient email address with the user account on the destination mail server. Sophos Firewall rejects emails to users that don't exist. It accepts emails to recipients if the mail server is unreachable for a specific duration.
    • In Active Directory: Verifies recipients of inbound emails with the AD server over simple, SSL, and STARTTLS protocols. Specify the AD server, bind DN, and base DN.
      Bind DN is the full distinguished name (DN), including the common name (CN) of the administrator user configured in the AD server that you’ve specified.
      Base DN is the base distinguished name (DN), which is the starting point of searches in the AD server.
      Note: Verification times out in 30 seconds.
  5. Turn on Malware protection.

    Option Description

    Select the action for antivirus scanning:

    • Single antivirus: Primary antivirus engine scans emails. The selection applies only to inbound emails. Sophos Firewall uses both antivirus engines to scan outbound emails.
    • Dual antivirus: Primary and secondary engines scan emails sequentially.
    Note: You can specify the primary antivirus engine in general settings.

    Restriction: In models lower than Sophos Firewall XG 105, you can turn on scanning only with the primary antivirus engine.
    Use Zero-day protection Select to send emails for Zero-day protection analysis and specify the maximum file size that can be analyzed. Larger files won’t be analyzed.
    Note: To implement Zero-day protection analysis with single antivirus scanning, specify Sophos as the primary antivirus engine.
    Selected antivirus action

    Specify the action.

    • None
    • Drop: Drops the email without notifying the sender.
    • Quarantine
    Notify sender Select to notify senders about infected emails.
    Quarantine unscannable content Select to quarantine emails that can’t be scanned, for example, corrupt, encrypted, compressed files, oversized emails, and emails that couldn’t be scanned due to an internal error.
  6. Turn on File protection to filter attachments.

    Option Description
    Block file types

    Select the type of attachments to block. To select more than one file type, press Ctrl+Shift. MIME headers populate the MIME whitelist.

    • All: Blocks emails with attachments.
    • None: Allows emails with attachments.
    MIME whitelist To allow certain file types, select their MIME headers. Antivirus scanning blocks the remaining file types.
    Drop message greater than Enter the maximum file size to scan. Larger emails are dropped.
  7. Turn on Data protection.

    Option Description
    Data control list Select from the list to scan for sensitive information in outbound emails.
    You can create data control lists from the content control list (CCL). CCLs are based on common financial and personally identifiable data types, such as credit card or social security numbers, postal, or email addresses.
    Data control list action

    Select the action:

    • Accept: Delivers the email.
    • Accept with SPX: SPX-encrypts and delivers email. Select the SPX template to apply.
    • Drop: Drops the email without notifying the sender.
    Notify sender Select to notify senders about sensitive information.


    Applying SPX encryption, adding a subject prefix, blocking file types, or appending a banner to outbound emails modifies the email header or body. The modification breaks the DKIM hash, which results in DKIM verification failure at the recipient MTA.

    Sophos Firewall matches policy settings with visible content as well as content of file packages (file formats that include zip-compressed files, for example, docx, xlsx, pptx, odt, ods, odp, odg).


    Sophos Firewall does not support the AUTH command.

  8. Click Save.

More resources