This feature requires a subscription in Sophos XG Firewall. It can be configured but cannot be enforced without a valid Email Protection subscription.

Mode Switch option

Select the mode from the following for which you want to apply SPX Configuration and manage SPX Templates:
  • MTA
  • Legacy

SPX Configuration

Default SPX Template
Select the default SPX Template. SPX Templates can be created from Device Configuration > Protect > Email > SPX Encryption. Default Template is used if any user explicitly SPX-encrypts an Email and no template is selected in Content Scanning Rule.
User can SPX-encrypt an Email by:
  • Manually setting the Email header X-Sophos-SPX-Encrypt to yes.
  • Installing the Sophos Outlook Add-in and clicking Encrypt before sending the Email.

If Default SPX Template is selected as None, then SPX encryption is not applied on Email.

Allow Secure Reply for
Enter the maximum time (in days) in which recipient can securely reply to an SPX-encrypted email using the SPX Reply Portal.
Keep Unused Password for

Specify the expiry time in days of an unused password.

For example, if Keep Unused Password for is set to 30 days, then password will expire at 0 o'clock after 30 days from being generated if no SPX encrypted message was sent for a specific recipient.

Default: 30 days

Allow Password Registration for
Specify the time in days after which the link to Password Registration Portal expires.

Default: 10 days

Send Error Notification To

Specify whom to send a notification when an SPX error occurs. Select Sender Only to send notification to the sender or select Nobody if you do not want any notification to be sent. Error messages will always be listed in the SMTP log.

SPX Portal Settings

Specify the IP Address or Domain on which Password Registration Portal is hosted.
Allowed Network(s)
Specify the networks from which password registration requests will be accepted.

Enter the port on which the SPX reply portal should listen.

Default: 8094

Figure: SPX Configuration

SPX Templates

SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the SF device are converted to a PDF document, which is then encrypted with a password. You can configure the SF device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.

When SPX encryption is enabled, there are two ways how emails can be SPX encrypted:
  • User can download the Sophos Outlook Add-in from SF's User Portal. After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a message, the user needs to click the Encrypt button and then write and send the message. Only if something goes wrong, for example the sender does not enter a valid password, a notification will be sent, if configured.

    If you do not use Outlook you can also trigger SPX encryption by setting the header field

    X-Sophos-SPX-Encrypt to yes.

  • In the Data Protection feature, you can enforce SPX encryption for Emails containing sensitive data (see Device Configuration > Protect > Email > Email Scanning Rules.

The encrypted message is then sent to the recipient's mail box. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, IOS, Blackberry and Windows Mobile devices.

The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing for example different company logos and texts. Use this section to add, edit and delete SPX Templates for Legacy and MTA modes.