General Settings

This feature requires a subscription in Sophos XG Firewall. It can be configured but cannot be enforced without a valid Email Protection subscription.

Email Configuration allows configuring the general settings on Email traffic. This page contains the following sections.

SMTP Deployment Mode

MTA mode is available only on Sophos XG Firewall models XG105 and higher, Cyberoam CR25iNG and higher, and Sophos UTM SG105 and higher.

To switch between MTA mode and legacy mode, click the button.

In MTA mode, Sophos XG Firewall acts as a mail transfer agent (MTA). In legacy mode, it acts as a transparent proxy.

As an MTA, Sophos XG Firewall routes emails of the protected email servers. You can configure inbound and outbound mail relay, create SMTP profiles to protect multiple domains on the internal email server or multiple email servers, view emails that are waiting for delivery or have generated an error, and view mail logs.

Default: MTA mode is enabled.

Note
  • When you turn on MTA mode, a firewall rule is created automatically to allow SMTP/SMTPS traffic.
  • If you have migrated from CyberoamOS or SFOS v15 to SFOS v16, legacy mode is enabled by default.
Figure: SMTP deployment mode

Outbound Banner Settings

Email Banner Mode
Select the mode of appending banner to outgoing emails.

Available options:

  • Inline, no conversion: Appends the banner inline.
  • MIME part: Appends the banner as a separate MIME part.
  • Off: Does not append a banner.
Note: For the banner to be appended, select Scan SMTP and Scan SMTPS under Malware scanning in the applicable Business application rules.
Email Banner
Specify banner to be added to all the outgoing Emails. Only text banners are allowed.

Example:

This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.

Figure: General Configuration

SMTP Settings

SMTP Hostname
Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, Sophos XG Firewall uses 'Sophos' as the hostname.
Note: In legacy mode, this hostname applies only to system-generated notification emails.
Don't Scan Emails Greater Than
Specify the maximum file size (in KB) to scan. Files exceeding this size received through SMTP/S are not scanned.
Default - 0 KB
Specify 0 to increase the default file size scanning restriction to 51200 KB.
Action for Oversize Emails
Specify the action for Oversize Emails.

Available Options

  • Accept: All oversize emails are forwarded to the recipient without scanning.
  • Reject: All oversize emails are rejected and the sender is notified.
  • Drop: All oversize emails are dropped without notifying the sender.

Default - Accept
Bypass Spam Check for SMTP/S Authenticated Connections (available only in legacy mode)
Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.
Verify Sender's IP Reputation
Click to verify the reputation of the sender IP Address. When enabled, Device dynamically checks the sender’s IP Address of all Emails. If the IP Address is found to be responsible for sending Spam Emails or malicious contents, Device takes action as per configured Scanning Rules.

If enabled, specify action for Confirmed Spam Emails and Probable Spam Emails.

Available Options

  • Accept: All spam emails are forwarded to the recipient after scanning as per the configuration.
  • Reject: All spam emails are rejected and a notification is sent to the email sender.
  • Drop: All spam emails are dropped without notifying the sender.

Because this is a global option, when spam scanning is enabled all emails are first subjected to IP reputation filtering and then to the actions configured in the Spam policy.

Default - Disable

SMTP DoS Settings
Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.

If enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connections Rate per Second/Host.

Maximum Connections (available if SMTP DoS settings enabled)

Specify maximum number of connections that can be established with the Email Server.

Default - 1024

Range - 1 - 20000

Maximum Connections/Host (available if SMTP DoS settings enabled)

Specify maximum number of connections allowed to the Email Server from a particular host.

Default - 64

Range - 1 - 10000

Maximum Emails/Connection (available if SMTP DoS settings enabled)

Specify maximum number of Emails that can be sent in a single Connection.

Default - 512

Range - 1 - 1000

Maximum Recipients/Email (available if SMTP DoS settings enabled)

Specify maximum number of Recipients for a single Email.

Default - 100

Range - 1 - 256

Email Rate per Minute/Host (available if SMTP DoS settings enabled)

Specify the maximum number of emails that a particular host may send in one minute.

Default - 512

Range - 1 - 20000

Connection Rate per Second/Host (available if SMTP DoS settings enabled)

Specify the maximum number of connections to the Email Server allowed from a particular host in one second.

Default - 8

Range - 1 - 20000

Figure: SMTP/S Settings
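The six SMTP DoS limits above act together on one connection attempt or one email. The following Python is an added illustration written for this page, not Sophos code: it models a listener that admits or rejects connections and messages against those limits, with the page's defaults as the starting values (the class, method and reason strings are assumptions).

```python
from collections import defaultdict, deque
DEFAULT_LIMITS = {  # the page's default value for each SMTP DoS setting
    "max_connections": 1024, "max_connections_per_host": 64,
    "max_emails_per_connection": 512, "max_recipients_per_email": 100,
    "email_rate_per_minute_per_host": 512, "connection_rate_per_second_per_host": 8}

class SmtpDosGuard:
    """Hypothetical SMTP admission control (not Sophos code); returns (value, None) on accept."""
    def __init__(self, **overrides):
        self.lim = {**DEFAULT_LIMITS, **overrides}
        self.conn_host = {}                        # open conn_id -> client host
        self.conn_emails = defaultdict(int)        # conn_id -> emails accepted on it
        self.host_conn_times = defaultdict(deque)  # host -> times of accepted connections
        self.host_mail_times = defaultdict(deque)  # host -> times of accepted emails
        self.next_id = 0

    @staticmethod
    def _in_window(times, now, window):  # drop stale timestamps, return how many remain
        while times and now - times[0] >= window:
            times.popleft()
        return len(times)

    def open_connection(self, host, now):
        if len(self.conn_host) >= self.lim["max_connections"]:
            return None, "max connections"
        if list(self.conn_host.values()).count(host) >= self.lim["max_connections_per_host"]:
            return None, "max connections/host"
        recent = self.host_conn_times[host]
        if self._in_window(recent, now, 1.0) >= self.lim["connection_rate_per_second_per_host"]:
            return None, "connection rate/host"
        recent.append(now)
        self.next_id += 1
        self.conn_host[self.next_id] = host
        return self.next_id, None

    def close_connection(self, conn_id):
        del self.conn_host[conn_id]

    def send_email(self, conn_id, recipients, now):
        if len(recipients) > self.lim["max_recipients_per_email"]:
            return False, "max recipients/email"
        if self.conn_emails[conn_id] >= self.lim["max_emails_per_connection"]:
            return False, "max emails/connection"
        recent = self.host_mail_times[self.conn_host[conn_id]]
        if self._in_window(recent, now, 60.0) >= self.lim["email_rate_per_minute_per_host"]:
            return False, "email rate/host"
        recent.append(now)
        self.conn_emails[conn_id] += 1
        return True, None
```

Lowering the per-host limits (for example via `SmtpDosGuard(connection_rate_per_second_per_host=2)`) shows which limit trips first for a burst from a single host.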

POP/S and IMAP/S Settings

Don't Scan Emails Greater Than
Specify maximum file size (in KB) for scanning. Files exceeding this size received through POP/IMAP will not be scanned.
Default - 1024 KB
Specify 0 to increase the default file size restriction to 10240 KB.
Recipient Headers
Specify the header values used to detect the recipient of POP3/IMAP emails.

Default - Delivered-To, Received, X-RCPT-TO

Figure: POP/S and IMAP/S Settings
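The recipient headers setting above is only useful if the header values are read in the configured order and the Received header's "for <address>" clause is parsed rather than taken verbatim. The Python below is an added example written for this page, not Sophos code; the sample messages are constructed and the function name is an assumption.

```python
import email
import re

# Default header order from the page: Delivered-To, Received, X-RCPT-TO.
DEFAULT_RECIPIENT_HEADERS = ("Delivered-To", "Received", "X-RCPT-TO")
# Received headers name the envelope recipient in their "for <addr>" clause (RFC 5321 trace fields).
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)>?", re.I)
ADDRESS = re.compile(r"<?([^\s<>;,]+@[^\s<>;,]+)>?")

def detect_recipient(raw_message, headers=DEFAULT_RECIPIENT_HEADERS):
    """Return the first recipient found, scanning the headers in the configured order."""
    msg = email.message_from_string(raw_message)
    for name in headers:
        pattern = FOR_CLAUSE if name.lower() == "received" else ADDRESS
        for value in msg.get_all(name, []):  # folded header lines are joined by the parser
            match = pattern.search(str(value))
            if match:
                return match.group(1).lower()
    return None  # no configured header carried a recipient

# Constructed sample messages (not real traffic).
MSG_DELIVERED_TO = (
    "Delivered-To: Alice@example.com\r\n"
    "Received: from relay.example.org by mx.example.com for <carol@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    "From: bob@example.org\r\nSubject: report\r\n\r\nbody\r\n")
MSG_RECEIVED_ONLY = (
    "Received: from mail.example.org (mail.example.org [203.0.113.5])\r\n"
    "\tby mx.example.com with ESMTP id abc123\r\n"
    "\tfor <carol@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    "From: bob@example.org\r\n\r\nbody\r\n")
MSG_XRCPT_ONLY = "X-RCPT-TO: <dave@example.com>\r\nFrom: bob@example.org\r\n\r\nbody\r\n"
MSG_NO_RECIPIENT = "From: bob@example.org\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, raw in [("Delivered-To", MSG_DELIVERED_TO), ("Received", MSG_RECEIVED_ONLY),
                       ("X-RCPT-TO", MSG_XRCPT_ONLY), ("none", MSG_NO_RECIPIENT)]:
        print(label, "->", detect_recipient(raw))
```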

SMTP TLS Configuration

TLS Certificate
Select the CA for scanning SMTP traffic over SSL from the available options.

Available Options

  • Default
  • ApplianceCertificate
  • SecurityAppliance_SSL_CA
  • List of custom CAs, if added. You can create a custom CA from Device Configuration > Configure > VPN > Certificate Authority and a custom server certificate from Certificates > Certificates.
Allow Invalid Certificate
If enabled, SMTP over SSL connections will be allowed with invalid certificate from the Email Server. Disable to reject such connections.
Default - Enable
Disable legacy TLS protocols
If enabled, protocols earlier than TLS 1.1 (that is, SSLv3 and TLS 1.0) are disabled. To mitigate the known weaknesses of those protocols, we recommend that you disable legacy TLS protocols.
Default: Disable
Require TLS Negotiation
Select the remote host (mail server) or network from available options on whose connections TLS encryption is to be enforced. In other words, the device will always initiate TLS-secured connections when emails are to be sent or received. If TLS is enforced but connection cannot be established, then emails to/from that remote host/network are discarded.
Require Sender Email Domain
Specify the sender domain on whose email connections TLS encryption is to be enforced.
Sender domain is the domain of the email sender. Emails from the specified sender domain will be received over TLS-encrypted connections only. If TLS is enforced but the connection cannot be established, then emails from that sender domain are discarded.
Skip TLS Negotiation Hosts/Nets
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to selected hosts will be established in clear text and unencrypted.
Figure: SMTP TLS Configuration

POP and IMAP TLS Configuration

TLS Certificate
Select the CA for scanning POP and IMAP traffic over SSL from the available options.

Available Options

  • Default
  • SecurityAppliance_SSL_CA
  • List of custom CAs, if added

Default - Default
Allow Invalid Certificate
If enabled, POP and IMAP over SSL connections will be allowed with invalid certificate from the Mail Server. Disable to reject such connections.
Default - Enable
Apply
Click to save the configuration.
Figure: POP and IMAP TLS Configuration

Email Journaling (available only in legacy mode)

Email being one of the most important communication and business tools used by organizations, email journaling has become an integral part of every organization. An email journal is a repository that preserves emails for compliance and operational purposes.

Using Device Email Journal, the administrator can archive all emails, or the emails of a specific recipient or group of recipients coming into the organization, and thereby keep a close watch on data leakage.

The device can archive all emails intended for one or more recipients and forward them to one or more administrators.

This section displays the list of journals created and provides options to add a new journal, update the parameters of an existing journal, or delete a journal. You can filter the list by recipient name.

Allowed and blocked senders (available only in MTA mode)

You can specify IP addresses, FQDNs, and email addresses whose emails received over SMTP/S connections bypass RDNS checks, greylisting, IP reputation, recipient verification, and scanning for inbound and outbound spam, DLP, and RBL.

Blocked email addresses
To block email addresses, add them here. The device blocks email addresses that belong to both allowed and blocked lists.
Figure: Allowed and blocked senders

Malware Protection

Sophos Firewall OS offers Dual Anti-Virus Scanning, wherein traffic is scanned by Two (2) Anti-Virus Engines. Traffic is first scanned by the Primary Engine, and then the Secondary Engine. You can configure managed SF device(s) for Malware Protection using the following settings:
Note: Dual Anti-Virus is not available in SF device models SF100 and SF200. For them, only single Anti-Virus (CYREN) is available.
Note: You can also view and manage these settings from Device Configuration > Configure > System Services > Malware Protection.
Note: You can manage the Anti-Virus service from Device Configuration > Monitor and Analyze > Diagnostics > Services.
Primary Anti-Virus Engine
Select the Primary Anti-Virus Engine to be used for traffic scanning. For Dual Scan, packets are first scanned by the Primary Engine and then by the Secondary Engine. For Single Scan, only the Primary Engine is used.

Available Options

  • Sophos Engine
  • Avira Engine
Apply
Click to save the configuration.

Smarthost Settings

A smarthost is a Mail Transfer Agent (MTA) which acts as an intermediate server between the sender's and recipient's mail servers. On configuring a smarthost, the device redirects outbound emails to the designated server, which are then routed to the recipient's mail server.

You can enable Use Smarthost from Device Configuration > Protect > Email > General Settings.

Hostname
Select the host that will act as a smarthost.
Note: You cannot configure the device's interface IP address as the smarthost. Doing so results in a routing loop.
Port
Enter the port number.

Default: 25

Authenticate Device with Smarthost
Select if the smarthost requires the device to authenticate before routing emails. Both plain and login authentication types are supported. Enter a Username and password.
Figure: Smarthost Settings

Advanced SMTP Settings (available only in MTA mode)

Reject invalid HELO or missing RDNS

Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the found hostname does not resolve back to the original IP address.
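The two checks described above (HELO/EHLO argument validity, and missing versus invalid RDNS under strict mode) are illustrated by the following Python, an added example written for this page and not the firewall's implementation. The DNS answers are constructed tables rather than live lookups, and the function names are assumptions.

```python
import ipaddress
import re

# Constructed DNS data for the example (not real records): PTR answers and A answers.
PTR_RECORDS = {"203.0.113.10": "mx.example.net", "203.0.113.11": "mail.example.org"}
A_RECORDS = {"mx.example.net": ["203.0.113.10"], "mail.example.org": ["203.0.113.99"]}
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def helo_is_valid(argument):
    """RFC 5321 allows an FQDN or an address literal ([203.0.113.10] or [IPv6:...]) after HELO/EHLO."""
    if argument.startswith("[") and argument.endswith("]"):
        literal = argument[1:-1]
        literal = literal[5:] if literal.upper().startswith("IPV6:") else literal
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    labels = argument.split(".")
    # An FQDN needs at least two labels, each well-formed, and a non-numeric top-level label.
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels) and not labels[-1].isdigit()

def rdns_status(ip, strict, ptr=PTR_RECORDS, a=A_RECORDS):
    """'missing' if no PTR; 'invalid' (strict only) if the PTR name does not resolve back; else 'ok'."""
    name = ptr.get(ip)
    if name is None:
        return "missing"
    if strict and ip not in a.get(name, []):
        return "invalid"
    return "ok"

def admit(ip, helo_argument, strict_rdns=False):
    """Return (True, None) to accept the connecting host, or (False, reason) to reject it."""
    if not helo_is_valid(helo_argument):
        return False, "invalid HELO/EHLO argument"
    status = rdns_status(ip, strict_rdns)
    if status == "missing":
        return False, "missing RDNS"
    if status == "invalid":
        return False, "RDNS does not resolve back to the connecting IP"
    return True, None
```

Without strict mode, 203.0.113.11 is accepted because a PTR exists; with strict mode it is rejected because that name resolves to a different address.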

Scan Outgoing Mails
Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.
Apply
Click to save the configuration.