Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Set up Microsoft Office 365 with Sophos Firewall

You can configure Sophos Firewall for use with Microsoft Office 365 for advanced email protection and management.

Configure Sophos Firewall for Office 365

  1. Go to Email > General settings and verify that the firewall uses the Mail Transfer Agent (MTA) mode.

    Email SMTP deployment mode set to MTA.

  2. Go to Rules and policies and verify that the default firewall rule named Auto added firewall policy for MTA exists.

    If the rule doesn't exist, go to Email > General settings, click Switch to legacy mode, and then click Switch to MTA mode to create the default firewall rule.

    Automatically added firewall rule for MTA mode.

  3. Go to Administration > Device access, allow SMTP relay for the WAN zone, and click Apply.

    SMTP relay is allowed for WAN zone.

  4. Go to Hosts and services > IP host and click Add.

  5. Enter a name. Use a prefix (example: O365) to identify the host easily.
  6. Enter the IP address ranges listed for Exchange Online Protection and click Save.

    You must configure IP hosts for all the ranges listed here: Exchange Online Protection IP addresses.

    Add IP host definition for O365.

  7. Go to Email > Relay settings.

    1. Under Host-based relay, click Add new item in the Allow relay from hosts/networks box.
    2. In the search box, enter O365 to find the IP hosts you've created, click Select all, and then apply these.

      Warning

      For security reasons, you must set Block relay from hosts/networks to Any. If you don't, Sophos Firewall may become an open relay.

    3. Go to Upstream host and click Add new item under Allow relay from hosts/networks. Select Any, and then click Apply "Any" as selected item.

  8. Click Apply.

    Relay settings for O365.

  9. Go to Email > Policies and exceptions.

  10. In the Policies section, click Add policy > SMTP route and scan and configure the following settings:

    Setting Description
    Name Enter a name for the policy.
    Protected domain Add the domains.
    Global action Select Accept.
    Route by Select DNS host and enter the DNS hostname of the MX record.

    SMTP policy for O365.

  11. Click Save.

Configure Microsoft Exchange

  1. Sign in to Office 365 and go to Admin > Admin centers > Exchange.

    Menu of Office 365.

  2. Go to mail flow > connectors and click the Plus icon to add a new connector.

  3. Configure the connector with the following settings and then click Next.

    Setting Description
    From Office 365
    To Partner organization
  4. Enter a name for your connector and click Next.

    1. Select Only when email messages are sent to these domains.
    2. Click the plus icon, enter * as the value, and click OK.
    3. Click Next.

    Usage settings for a new connector in Exchange.

  5. Make the following routing settings:

    1. Select Route email through these smart hosts.
    2. Click the plus icon, enter the public IP address or FQDN of Sophos Firewall, and click Save.
    3. Click Next.

    Routing settings for new connector in Exchange.

  6. Select Always use Transport Layer Security (TLS) to secure the connection (recommended) and Any digital certificate, including self-signed certificates.

  7. Click Next.
  8. Review the configuration and then click Next.
  9. Validate the connector as follows:

    Click the Plus icon, enter an email address, click OK and then click Validate. The connector may not validate successfully until MX and SPF are changed.Validating the new connector.

  10. Click Save.

  11. Ensure you've set an FQDN for Sophos Firewall under Email > General Settings > SMTP Settings > SMTP Hostname.
  12. Update the MX record to point to the IP address or FQDN of Sophos Firewall.
  13. Update the SPF record to include Sophos Firewall or +mx (v=spf1 +include:spf.protection.outlook.com +mx -all).

    This adds the new MX record of Sophos Firewall and allows it to verify emails sent from Office 365 with the SPF record.

More resources