Configure protection for cloud-hosted mail server
Configure Sophos Firewall to route emails through a cloud-hosted mail server.
Cloud-hosted mail server: Network diagram
This example shows a mail server hosted in the cloud, and how to configure email settings and an SMTP route and scan policy.
Prerequisites
- Point the mail server's MX record to Sophos Firewall.
- Configure the mail server to allow email relay with Sophos Firewall.
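One way to check the first prerequisite against the MX answer that external senders see. This is an added example, not Sophos code. It parses the output of `dig +noall +answer MX <domain>` and flags any MX target other than the firewall, because mail delivered to such a target skips the firewall's scan policy. The names `example.com`, `fw.example.com`, and `mail.example.com` are constructed placeholders.

```python
"""Check that every MX record seen by external senders points at the firewall."""

def parse_mx(dig_answer):
    """Parse `dig +noall +answer MX` lines into sorted (preference, target) pairs."""
    records = []
    for line in dig_answer.splitlines():
        fields = line.split()
        # Expected layout: name TTL class MX preference target
        if len(fields) == 6 and fields[3].upper() == "MX":
            target = fields[5].rstrip(".").lower()
            records.append((int(fields[4]), target))
    return sorted(records)

def check_mx(dig_answer, firewall_host):
    """Return a list of findings; an empty list means the prerequisite holds."""
    firewall_host = firewall_host.rstrip(".").lower()
    records = parse_mx(dig_answer)
    if not records:
        # With no MX record, senders fall back to the domain's address record (RFC 5321).
        return ["no MX record: senders will deliver to the domain's A/AAAA address"]
    findings = []
    for preference, target in records:
        if target == "":
            findings.append("null MX (RFC 7505): the domain accepts no mail")
        elif target != firewall_host:
            # Any MX that is not the firewall receives mail that skips its scan policy.
            findings.append(f"MX {preference} {target} bypasses the firewall")
    return findings

# Constructed sample answers; example.com and fw.example.com are placeholders.
GOOD = "example.com.\t3600\tIN\tMX\t10 FW.example.com.\n"
BACKUP_BYPASS = (
    "example.com. 3600 IN MX 10 fw.example.com.\n"
    "example.com. 3600 IN MX 20 mail.example.com.\n"
)

if __name__ == "__main__":
    for label, answer in (("good", GOOD), ("backup MX", BACKUP_BYPASS)):
        print(label, check_mx(answer, "fw.example.com") or "OK")
```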
Configure the email mode and mail server host
- Go to Email > General settings and verify that the firewall uses the MTA (Mail Transfer Agent) mode.
- Go to Rules and policies and verify that the default firewall rule named Auto added firewall policy for MTA exists.
  If the rule doesn't exist, go to Email > General settings, click Switch to legacy mode, and click Switch to MTA mode to create the default firewall rule.
- Go to Hosts and services > IP host and create an IP host for the mail server.
  Here's an example:
- Upload the mail server certificate as follows:
Allow outbound emails
Turn on SMTP relay for the WAN zone and specify the relay settings for the mail servers. Sophos Firewall then relays outbound emails from your mail servers to the internet.
- Go to Administration > Device access.
- Under SMTP relay, select WAN.
- Go to Email, hover over the more button, and click Relay settings.
- Go to Host-based relay.
- Under Allow relay from hosts/networks, select the mail server.
  Here's an example:
- Click Apply.
Configure SMTP security settings
Configure the SMTP and TLS settings.
- Under SMTP settings, for SMTP hostname, enter the outgoing mail server's name.
- Select Reject based on IP reputation.
- Select SMTP DoS settings.
  Here's an example:
- Under SMTP TLS configuration, for TLS certificate, select the mail server certificate.
  You can upload the mail server certificate on Certificates > Certificates > Upload certificate.
- Clear the check box Allow invalid certificate.
- Under Advanced SMTP settings, select Scan outgoing mails.
Add an SMTP route and scan policy
- Go to Email > Policies and exceptions and click Add a policy. Click SMTP route and scan.
- Under Protected domain, click Create new and create an address group for the mail server's domain name.
- Set Route by to MX.
  Create an MX record pointing to your mail server for the protected domain.
  Here's an example:
- Turn on Spam protection.
- Turn on Malware protection.
- Click Save.